""ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution""

SID: 2025835

Revision: 2

Class Type: attempted-user

Metadata: attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_2380, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2018_07_12

Reference:

  • cve

  • 2018-2380

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HTTP_SERVERS

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "/init.do?"

  • Value: "java.util"

  • Value: "Runtime.getRuntime().exec"

  • Value: "cmd"

Within:

PCRE:

Special Options:

  • http_uri

  • http_uri

  • fast_pattern

  • http_uri

  • http_uri

source