Wednesday, May 29, 2013

How to hack your SAP environment

Greetings, dear readers!

Today I would like to share some thoughts about security in the SAP environment. I hear people talking about security a lot: GRC implementations, HTTPS, appliances and other enhancements that are meant to improve overall security and authorizations. We all love talking about cloud solutions, mobile tools and their security, and other aspects of everyday SAP maintenance.

How about going one level lower? The steps below can be executed by anyone who has SAP GUI installed; they do not even need a user account in the system. Be careful with your commands...

* This post applies to Windows-based installations with a SAP BASIS component lower than EHP1, patch 10.

  1. Open your SAP GUI
  2. Double-click one of your SAP systems (I suggest you stay away from production)
  3. Log on to the system after changing the client number to 066, with user EARLYWATCH and password 'support' (the standard EarlyWatch user shipped in client 066, with its default password)

  4. Execute transaction SM51
  5. While in SM51, execute the command GREP

  6. Paste the line below and click "Find": you will get the full configuration of the server



As you can see, you can run command prompt commands on the application server directly from SAP, without even having a user of your own. For example, replace the word 'set' in the line above with 'ipconfig' and you get the server's network configuration back. Two defects stack up here: a standard user that still carries its shipped default password, and a transaction that hands whatever you type to the operating system shell. Locking or re-passwording the standard users in every client (and deleting client 066 where EarlyWatch no longer needs it) closes the door; the BASIS patch level mentioned above closes the window.

Security, huh?
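The first step of the walkthrough, logging on with a standard user whose password was never changed, is something you can check for before an outsider does. The script below is an added example written for this post, not code from the original article: it tries each well-known SAP standard user once, per client, with its documented default password and reports the pairs that still work. The login probe is injected as a callable, so the example runs offline against a constructed fake system; the `make_rfc_probe` adapter at the bottom is what you would pass for a live system and assumes the `pyrfc` package with its `Connection` and `LogonError` names (verify against your installed version). Host, system number and the sample system are assumptions.

```python
"""Audit an SAP system for standard users that still carry their shipped default
passwords (EARLYWATCH/SUPPORT in client 066 and friends). Added example, not the post's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Well-known SAP standard users and their documented default passwords, one guess
# per (client, user). SAP* also accepts PASS in clients created by client copy;
# extend the list with the clients that actually exist on your system.
DEFAULT_CREDENTIALS: List[Tuple[str, str, str]] = [
    ("000", "SAP*", "06071992"),
    ("000", "DDIC", "19920706"),
    ("000", "TMSADM", "PASSWORD"),
    ("001", "SAP*", "06071992"),
    ("001", "DDIC", "19920706"),
    ("001", "SAPCPIC", "ADMIN"),
    ("066", "EARLYWATCH", "SUPPORT"),
]


@dataclass(frozen=True)
class Finding:
    client: str
    user: str
    password: str


# A probe receives (client, user, password) and returns True when the logon succeeds.
Probe = Callable[[str, str, str], bool]


def audit_defaults(probe: Probe,
                   creds: Iterable[Tuple[str, str, str]] = DEFAULT_CREDENTIALS) -> List[Finding]:
    """Try each default once and return the pairs that still log on.

    One attempt per (client, user) keeps the audit far below login/fails_to_user_lock,
    so it cannot lock the very accounts it is checking.
    """
    findings: List[Finding] = []
    seen = set()
    for client, user, password in creds:
        key = (client, user.upper())
        if key in seen:
            continue  # never fire several guesses at one account
        seen.add(key)
        if probe(client, user, password):
            findings.append(Finding(client, user, password))
    return findings


def make_fake_probe(accepted: Dict[Tuple[str, str], str]) -> Probe:
    """Constructed stand-in for a real logon: `accepted` maps (client, user) to the
    password a fictional system actually takes. Lets the example run offline."""
    def probe(client: str, user: str, password: str) -> bool:
        # Classic ABAP passwords are not case-sensitive, so compare upper-cased.
        return accepted.get((client, user.upper())) == password.upper()
    return probe


def make_rfc_probe(ashost: str, sysnr: str) -> Probe:
    """Live probe over RFC. Assumes the pyrfc package and SAP NW RFC SDK are installed."""
    def probe(client: str, user: str, password: str) -> bool:
        import pyrfc  # imported lazily so the rest of the module runs without it
        try:
            conn = pyrfc.Connection(ashost=ashost, sysnr=sysnr, client=client,
                                    user=user, passwd=password)
        except pyrfc.LogonError:
            return False
        conn.close()
        return True
    return probe


# Constructed sample system: every standard password was changed except the
# EarlyWatch one in client 066, which is exactly the case described in the post.
SAMPLE_SYSTEM: Dict[Tuple[str, str], str] = {
    ("000", "SAP*"): "CHANGED-1",
    ("000", "DDIC"): "CHANGED-2",
    ("000", "TMSADM"): "CHANGED-3",
    ("001", "SAP*"): "CHANGED-4",
    ("001", "DDIC"): "CHANGED-5",
    ("001", "SAPCPIC"): "CHANGED-6",
    ("066", "EARLYWATCH"): "SUPPORT",
}


if __name__ == "__main__":
    # For a real system: audit_defaults(make_rfc_probe("sapserver.example", "00"))
    for f in audit_defaults(make_fake_probe(SAMPLE_SYSTEM)):
        print(f"DEFAULT PASSWORD STILL VALID: client {f.client} user {f.user}")
```

Against the sample system the audit reports only EARLYWATCH in client 066. The same check is available inside the system as report RSUSR003, which lists the standard users of all clients with their password status; the script above is for the case where you want to see what an outsider with nothing but SAP GUI or an RFC client can reach, and it deliberately stops at one guess per account.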