Former Member
Jun 13, 2016 at 08:53 AM

SAP GUI session hijack


Dears,

Quite recently we've been trying to perform a SAP GUI session hijack (within our corporation - only to reproduce something that an external pentester has proved is possible). Allegedly only a properly constructed SAP shortcut file including the victim's cookie is sufficient to be able to log on to the SAP system as the victim. So I've been asked to write a brief report to create such a shortcut file with an additional parameter 'at' to which the victim's MYSAPSSO2 cookie value is assigned. I received the cookie value from a colleague but... a double-click on the shortcut makes me log in as... myself (instead of logging in as the colleague). Both of us have respective users on the below system, so a missing user is not the case.

Here's what the shortcut file looks like:

[System]

Name=XXX

Description=XXX SAP XX

Client=010

[User]

Name=XXXXXXXX

at="MYSAPSSO2=AjExMDAgAA9bw3J0YWw6cGFkaXlhcnaIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIUEFESVlBUlYCAAMwMDADAANDMVAEAAwyMDE2MDYwNzE0MzYFAAQAAAAICgAIUEFESVlBUlb%2FAQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVMABTA0MxUDENMAsGA1UECxMESjJFRQIDABAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTYwNjA3MTQzNjU1WjAjBgkqhkiG9w0BCQQxFgQUu0UZjgRVxcNbqk3l8%2FA!4V5dnaUwCQYHKoZIzjgEAwQvMC0CFQCG9fWYsJm96tjNqVe6WB98ljyr4gIUftll1e6QPIa1mYFj4Sy%2FdFf2fuM%3D"

Language=EN

[Function]

Title=SAP Easy Access - User Menu for Xxxxxx Xxxxxxx

Command=SESSION_MANAGER

[Configuration]

I'd be grateful if you could point out what I am still missing... Any other parameter required in the file?

Thanks in advance.
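
A defensive check for the shortcut layout quoted in the post, as an added example that is not part of the original post or of SAP's own tooling: it scans SAP shortcut text for any value carrying a MYSAPSSO2 logon ticket, so such files can be found on disk, in mail or on file shares. The function name, the sample file and the placeholder ticket are constructed, and treating an `at` key as suspicious is an assumption based on the post.

```python
import configparser
import hashlib
import re

# Constructed sample in the layout shown in the post; the ticket is a placeholder.
SAMPLE_SHORTCUT = """\
[System]
Name=XXX
Client=010
[User]
Name=XXXXXXXX
at="MYSAPSSO2=PLACEHOLDER-TICKET-VALUE"
Language=EN
[Function]
Command=SESSION_MANAGER
[Configuration]
"""

TICKET_RE = re.compile(r'MYSAPSSO2\s*=\s*([^"\s;]+)', re.IGNORECASE)

def find_embedded_tickets(shortcut_text):
    """Return one finding per shortcut value that carries a logon ticket."""
    # RawConfigParser: ticket values contain '%2F' etc., which would break
    # the '%' interpolation of the default ConfigParser.
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the file
    try:
        parser.read_string(shortcut_text)
        pairs = [(s, k, v or "") for s in parser.sections()
                 for k, v in parser.items(s)]
    except configparser.Error:
        # Malformed file (e.g. no section header): scan the raw text instead.
        pairs = [("?", "?", shortcut_text)]
    findings = []
    for section, key, value in pairs:
        match = TICKET_RE.search(value)
        if match or key.lower() == "at":  # 'at' key: assumption from the post
            token = match.group(1) if match else value
            findings.append({
                "section": section,
                "key": key,
                "has_ticket": bool(match),
                # Record a fingerprint only; the ticket is a bearer credential.
                "sha256_prefix": hashlib.sha256(token.encode()).hexdigest()[:12],
                "length": len(token),
            })
    return findings
```
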