
Wednesday, 23 May 2012

Hacking SAP


Hacking SAP (Ethical :) )

YOU ARE RESPONSIBLE FOR ANY LOSSES ARISING OUT OF USING ANY OF THE BELOW CONTENT. USE IT AT YOUR OWN DISCRETION.

In my understanding, hacking is nothing but getting access which you are not supposed to get. Here I explain various ways of getting access to various things in SAP. This is also an education for the SAP Security team, and they can analyze these loopholes. That is why I call it ethical.

Ensure that you use these techniques only in your development or test systems. Never try in Production.

Execute an unauthorized Tcode? Use SA38
What will you get?
To execute a Tcode for which you do not have access 

What do you need to have? 
- Access to Tcode SA38
- This applies only to Report Tcodes, not to Module-pool Tcodes

How to do it? 
Log in to any system where you have access to the target Tcode. (Example: AL08)
Go to System --> Status and find the name of the program which is triggered by your target Tcode.
Now go to SA38 and execute this program. In this case it is RSUSR000.

This hack works because there is no authorization check inside the program. Rather, the check is at Tcode level.



What is the trail?
Unless you are being monitored using a system trace, you will leave no trail behind.
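
A defender's check for the gap described above, as an added example that is not part of the original post: a Python heuristic that scans exported ABAP source and lists executable reports that contain no AUTHORITY-CHECK statement. The sample sources and the ZDEMO_* names are constructed for the example.

```python
import re

# Constructed ABAP sources for this example; not taken from any SAP system.
SAMPLES = {
    "ZDEMO_NO_CHECK": """REPORT zdemo_no_check.
* AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'ZDEMO'.
START-OF-SELECTION.
  WRITE 'user list'. " AUTHORITY-CHECK is only mentioned in this comment
""",
    "ZDEMO_CHECKED": """REPORT zdemo_checked.
START-OF-SELECTION.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'ZDEMO'.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized' TYPE 'E'.
  ENDIF.
  WRITE 'user list'.
""",
    "ZDEMO_INCLUDE": """* include without a REPORT statement
FORM helper.
ENDFORM.
""",
}

REPORT_RE = re.compile(r"^\s*(REPORT|PROGRAM)\b", re.I | re.M)
AUTH_RE = re.compile(r"\bAUTHORITY-CHECK\b", re.I)

def strip_comments(source):
    """Drop ABAP full-line comments (* in column 1) and inline " comments."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        # Simplification: a double quote inside a literal also cuts the line.
        kept.append(line.split('"', 1)[0])
    return "\n".join(kept)

def unchecked_reports(sources):
    """Return names of executable reports with no AUTHORITY-CHECK statement."""
    flagged = []
    for name, source in sorted(sources.items()):
        code = strip_comments(source)
        if REPORT_RE.search(code) and not AUTH_RE.search(code):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(unchecked_reports(SAMPLES))
```

A hit is a lead for code review, not a verdict: the scan does not see checks performed in called function modules or protection through a program authorization group.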


Updating contents of a table (SE16 - Classic debugger)
What will you get?
- You can create/edit/delete table entries using SE16. This hack makes use of an earlier ability of SE16 to create/edit/delete entries.

What do you need to have? 
- SE16 access
- Change access in debug mode

How to do it?
Go to SE16 --> Display and select the entry you want to delete/edit/copy --> Switch on the debug mode --> Press F7 --> Switch to Classic debugger (from menu 'Debugger') --> In the classic debugger press F7 --> You see the screen below.

Now change SHOW to EDIT and press F8. You are in the edit mode now. Similarly you can Edit/delete/create entries.


What is the trail?

Unfortunately, this does not leave any trail, so it is impossible to detect unless a trace is set on the performing user.


Any authorization you want temporarily? Table USRBF2
What will you get?
Any authorization you want. It will remain for around 2 to 3 hours.  


What do you need to have? 
Change access to table USRBF2

How to do it? 
Find out the authorization object required by you.
Create an entry in table USRBF2 using debugging access.

What is the trail?
The entry in this table will say that you have the access, but this entry will get deleted after 2-3 hours.
A system trace will show that you got the access due to this table.

Want SAP* access? Table USREFUS
What will you get?
SAP* access, that is, ALL the access in the system


What do you need to have? 
- SE16 access
- Change access in debug mode

How to do it?
Create an entry like below using the debugging access in SE16


What is the trail?
- Entry in the table will mean that you have the access. The access will remain as long as the entry remains.
