Unauthenticated File Upload RCE in SAP NetWeaver Visual Composer Metadata Uploader
CVE-2025-31324 is a critical vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component caused by a missing or improper authorization check. The vulnerable endpoint, /developmentserver/metadatauploader, accepts crafted POST requests from unauthenticated attackers and permits unrestricted upload of attacker-controlled files, including executable content such as JSP webshells. The issue affects SAP NetWeaver 7.xx versions and service packs when the Visual Composer Framework component (VCFRAMEWORK.SCA) is installed. Observed exploitation placed malicious JSP files in NetWeaver Java server paths associated with sap.com/irj, enabling arbitrary code execution on the SAP application server and full host compromise.
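Because the exploitation pattern above is visible in web-server access logs (an unauthenticated POST to the metadata uploader, followed by a request for a freshly dropped .jsp under /irj/), a defender can triage logs for it. The following Python is an added example, not code from the page or from Mallory; it assumes combined-format access logs and uses constructed sample lines with documentation-range IPs.

```python
import re

# Constructed sample access-log lines (hypothetical IPs, timestamps and shell name), not from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
198.51.100.3 - - [25/Apr/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 8192
203.0.113.7 - - [25/Apr/2025:10:03:45 +0000] "GET /irj/kxnbd.jsp?cmd=id HTTP/1.1" 200 64
198.51.100.3 - - [25/Apr/2025:10:04:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 2048
"""

# Combined log format: client IP, timestamp, request line, status. Other fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOADER = "/developmentserver/metadatauploader"
# A single .jsp directly under /irj/ matches the drop location described for this CVE;
# deeper legitimate portal paths such as /irj/servlet/... do not match.
IRJ_JSP_RE = re.compile(r"^/irj/[^/?]+\.jsp(\?|$)", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (rule, ip, path) findings. Rule names are this example's own, not vendor rules.

    metadatauploader_post : any POST to the vulnerable endpoint (query string ignored)
    irj_jsp_access        : request for a lone .jsp under /irj/
    irj_jsp_after_upload  : same, from an IP already seen POSTing to the uploader
    """
    findings = []
    uploaders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.split("?", 1)[0].lower() == UPLOADER:
            findings.append(("metadatauploader_post", ip, path))
            uploaders.add(ip)
        elif IRJ_JSP_RE.match(path):
            rule = "irj_jsp_after_upload" if ip in uploaders else "irj_jsp_access"
            findings.append((rule, ip, path))
    return findings
```

On a patched system a POST to the endpoint is still worth recording, since it shows who is probing for the flaw.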
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (10 hidden).
Repository contains a single Python exploit script (main.py) and a short README describing CVE-2025-31324 (SAP NetWeaver AS Java Visual Composer metadata uploader unrestricted file upload leading to RCE). main.py is an unauthenticated remote exploit that crafts an in-memory ZIP file containing a single entry named ".properties" whose contents are a large prebuilt binary blob (base64-decoded Java-serialization-like data) with dynamically adjusted length fields and embedded attacker-controlled data. The script POSTs this ZIP to the SAP NetWeaver Visual Composer metadata uploader endpoint at /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 with Content-Type: application/octet-stream.
Capabilities:
- Remote exploitation over HTTP(S) using requests with TLS verification disabled (verify=False).
- Drops a JSP web shell with a randomized lowercase filename (e.g., <random>.jsp) and reports it as accessible under /irj/<random>.jsp.
- Accepts a --command argument intended to execute an arbitrary command by embedding it into the crafted payload (the code builds size fields based on the command length and constructs a newContent buffer around the decoded blob).
- Includes a response-text fingerprint for a specific target version (prints "Found version 7.5") and applies a byte-sequence patch to the payload before retrying.
Structure/purpose:
- README.md: high-level vulnerability description and claimed context.
- main.py: standalone PoC/operational exploit driver with CLI parsing (target URL, --command, --dropshell), payload construction, and a single request routine (sendReq) that performs the upload and prints success indicators based on response strings.
This repository contains a demonstration of a remote code execution (RCE) vulnerability in a custom Flask web application (app.py). The app exposes an unauthenticated file upload endpoint (/VC/metaDataUploader) and a trigger endpoint (/trigger/<filename>) that executes uploaded Python files, allowing arbitrary code execution. The included rev.py script is a robust Python reverse shell that can be uploaded and triggered to provide the attacker with a PTY shell on the server. The setupshell.sh script automates the process of establishing persistent SSH access by adding an attacker's public key to the victim's authorized_keys, while cleanshell.sh removes these artifacts. The flag_gen.py script is a utility for generating obfuscated flags, likely for CTF or demonstration purposes. The main attack vector is network-based, exploiting the exposed HTTP endpoints. The repository is structured with clear separation between the vulnerable app, payloads, and helper scripts, and demonstrates a full attack chain from initial RCE to persistence and cleanup.
This repository contains a Python proof-of-concept exploit (sap7.4poc.py) targeting SAP systems, likely SAP NetWeaver 7.4 and 7.5, via a vulnerability in the /developmentserver/metadatauploader endpoint. The exploit allows an attacker to upload a specially crafted ZIP file containing a serialized Java payload, which can execute arbitrary commands on the target server. Optionally, the exploit can drop a randomly named JSP webshell for persistent access at /irj/{SHELL_NAME}. The script requires the attacker to specify the target URL and either a command to execute or the --dropshell option. The exploit is operational, providing real remote code execution and webshell deployment capabilities. The repository also includes a README.md with attribution and leak information, but no technical details. No CVE is referenced, but the exploit is described as a 0day. The main attack vector is network-based, requiring access to the SAP server's HTTP interface.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-31324, targeting SAP NetWeaver Visual Composer Metadata Uploader versions 7.50 and below. The main file, CVE-2025-31324.py, is a Python script that uploads a user-specified file to the vulnerable /developmentserver/metadatauploader endpoint on a target SAP NetWeaver server. The script allows the user to specify the protocol (HTTP/HTTPS), remote host, and port. The README.md provides usage instructions, affected versions, and patch guidance. The exploit demonstrates the vulnerability by sending a POST request with the file to the target endpoint, and is intended for educational purposes only. No hardcoded payload is included; the user supplies the file to upload. The attack vector is network-based, requiring access to the target's web interface.
This repository provides a working exploit for CVE-2025-31324, targeting SAP NetWeaver. The main exploit script (CVE-2025-31324.py) is a Python tool that automates the process of identifying open SAP NetWeaver ports on a target host, uploading a malicious JSP webshell (shell.jsp) via the /developmentserver/metadatauploader endpoint, and then searching for the deployed shell at several common paths. The shell.jsp payload is a simple webshell that allows remote command execution via HTTP GET requests. The exploit is operational and provides a real, working payload. The repository also includes a README with usage instructions and Shodan search tips, and a standard GPL license file. The attack vector is network-based, requiring the attacker to reach the SAP NetWeaver instance over HTTP. The exploit is not part of a larger framework and is self-contained.
This repository contains a working exploit for CVE-2025-31324, a vulnerability in SAP NetWeaver Visual Composer's MetadataUploader endpoint. The main file, poc.py, is a Python script that automates the exploitation process. It crafts a ZIP archive containing a malicious JSP web shell (or a test file), uploads it to the vulnerable /developmentserver/metadatauploader endpoint using various form field names and content types, and then probes for successful upload by attempting to access the file via HTTP. If successful, the script provides the attacker with a URL to the uploaded web shell, which allows arbitrary command execution on the target server via HTTP requests. The shell.jsp file is a simple JSP web shell that executes commands passed via the 'cmd' parameter, gated by a password or token. The exploit is operational and demonstrates full compromise of the target if the vulnerability is present and the endpoint is accessible. The repository is structured with a single exploit script and a web shell payload, and is not part of any larger framework.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-31324, an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer's 'Metadata Uploader' component. The main exploit script, 'sap_vc_poc.py', is a comprehensive Python tool that can scan multiple targets for the vulnerability, either by uploading a test payload and checking for an out-of-band (OAST) callback or by uploading a user-specified file (such as a web shell). The tool supports both HTTP and HTTPS, legacy SSL, and various output formats. The included 'helper.jsp' is a simple JSP web shell that allows remote command execution via a 'cmd' parameter. The exploit targets the '/developmentserver/metadatauploader' endpoint and expects uploaded files to be accessible under '/sap/public/bc/webdynpro/sap/public/bc/zmetadata_upload'. The repository is structured with a main Python exploit script, a JSP payload, a requirements file, and documentation. The exploit is operational and can be used to achieve remote code execution on vulnerable SAP NetWeaver Visual Composer instances.
This repository provides a proof-of-concept exploit for CVE-2025-31324, an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer's Metadata Uploader. The main exploit script (PoC.py) allows an attacker to upload a malicious WAR or JSP file (such as a reverse shell) to a vulnerable SAP endpoint, and then optionally trigger the payload to gain remote code execution. The EvilPayload directory contains a sample WAR archive with a JSP reverse shell (shell.jsp), and a standalone cache.jsp provides a similar shell. The repository includes helper scripts (checkForEndpoints.sh, scan_visual_composer.sh) to enumerate and brute-force likely vulnerable endpoints. The exploit is network-based, targeting HTTP(S) endpoints on SAP servers. The payloads are written in JSP and provide a reverse shell to the attacker. The repository is structured for ease of use in penetration testing and red teaming against SAP NetWeaver Visual Composer installations vulnerable to CVE-2025-31324.
This repository provides a working exploit for CVE-2025-31324, an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer's Metadata Uploader. The main exploit script (PoC.py) allows an attacker to upload arbitrary files (such as a WAR archive or JSP webshell) to vulnerable SAP endpoints, and optionally trigger the uploaded payload to achieve remote code execution. The repository includes:
- PoC.py: Python script to automate the upload and trigger process, supporting custom endpoints, hosts, and payloads.
- EvilPayload/: Directory containing a sample WAR payload with a JSP reverse shell (shell.jsp) and supporting files (web.xml, MANIFEST.MF, metadata.xml).
- cache.jsp: Standalone JSP reverse shell payload.
- CheckForEndpoints.sh: Bash script to enumerate and check common SAP Metadata Uploader endpoints for accessibility.
- ScanForVisualComposer.sh: Bash script to brute-force likely webshell locations after exploitation.
- README.md: Documentation and usage instructions.
The exploit is operational and provides a reverse shell to the attacker if successful. It targets SAP NetWeaver Visual Composer instances with the vulnerable Metadata Uploader component exposed. The repository is well-structured, with clear separation between exploit logic, payloads, and helper scripts for endpoint discovery and post-exploitation shell location.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. The main file, 'CVE-2025-31324 .py', is a Python script that allows an attacker to upload arbitrary files to the vulnerable endpoint '/developmentserver/metadatauploader' on a target SAP NetWeaver server. The exploit requires the attacker to provide the target URL and the path to the file to upload. If the server is vulnerable, the file is uploaded without authentication, which could lead to remote code execution if a malicious file is uploaded. The repository also includes a README.md file with usage instructions and a description of the vulnerability. The exploit is straightforward, does not use any framework, and is intended for educational and authorized testing purposes only.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
316 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability affecting SAP NetWeaver that Storm-1175 rapidly weaponized for Medusa ransomware operations shortly after disclosure.
An SAP NetWeaver vulnerability rapidly weaponized by Storm-1175 within one day of disclosure.
A specific vulnerability in internet-facing infrastructure cited as being exploited for initial access in Chinese-nexus intrusion campaigns.
A vulnerability affecting SAP NetWeaver that the report identifies as one of the most widely abused vulnerabilities for initial infection.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.