Another fun attack that willis and I found during our SAP BusinessObjects research is that we could do internal port scanning by using Crystal Reports.
The way this works is that when you browse to a Crystal Reports web application (http://hostname/CrystalReports/viewrpt.cwr), a few request parameters tell the application which SAP service to talk to on the backend. The problem is that these parameters are controlled by the user. A better design would keep that configuration entirely on the server, or at most offer a drop-down of server-defined choices.
Because the parameters are user-controlled, the user can change the IP and port that the web application tries to reach on the backend. By default the port is 6400. Being able to pick an arbitrary IP and port is all the attack needs; the next step is to map the responses to "open" and "closed" so that the internal network can be mapped out programmatically.
Here are a few nice Google Dorks:
Here is the resulting mapping:
Port open response:
# Unable to open a socket to talk to CMS $HOSTNAME:445 (FWM 01005)
Port closed response:
# Server $HOSTNAME:80 not found or server may be down (FWM 01003)
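From the defender's side, the same two FWM messages are what give the scan away: a single client producing CMS errors for many different host:port pairs, or for any port other than the default 6400, is not a user viewing reports. The detector below is an added example written for this post, not code from the original research or from SAP. It uses the two error strings quoted above verbatim, but the surrounding log-line layout (timestamp, client IP, message) and the sample log lines are constructed assumptions, not the real SAP BusinessObjects log format, so the line regex would need to be adapted to whatever your deployment actually writes.

```python
import re
from collections import defaultdict

# The two error messages are the ones quoted in the post. The rest of the
# line layout (ISO timestamp, client IP, message) is a constructed assumption
# for this example, not the real SAP BusinessObjects log format.
OPEN_RE = re.compile(
    r"Unable to open a socket to talk to CMS (?P<host>[^:\s]+):(?P<port>\d+) \(FWM 01005\)"
)
CLOSED_RE = re.compile(
    r"Server (?P<host>[^:\s]+):(?P<port>\d+) not found or server may be down \(FWM 01003\)"
)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<msg>.*)$")

DEFAULT_CMS_PORT = 6400  # the default port named in the post

# Constructed sample log: one client hitting the real CMS while it is down,
# and one client walking through several hosts and ports.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 Server cms01.internal:6400 not found or server may be down (FWM 01003)
2024-01-01T10:00:05Z 203.0.113.9 Unable to open a socket to talk to CMS 10.1.2.3:445 (FWM 01005)
2024-01-01T10:00:06Z 203.0.113.9 Server 10.1.2.3:80 not found or server may be down (FWM 01003)
2024-01-01T10:00:07Z 203.0.113.9 Server 10.1.2.3:22 not found or server may be down (FWM 01003)
2024-01-01T10:00:08Z 203.0.113.9 Unable to open a socket to talk to CMS 10.1.2.4:445 (FWM 01005)
2024-01-01T10:00:09Z 203.0.113.9 Report viewed successfully
"""


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a CMS error."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for result, rx in (("open", OPEN_RE), ("closed", CLOSED_RE)):
        em = rx.search(msg)
        if em:
            return {
                "ts": m.group("ts"),
                "client": m.group("client"),
                "host": em.group("host"),
                "port": int(em.group("port")),
                "result": result,
            }
    return None


def detect_probing(lines, max_targets=3):
    """Flag clients whose CMS errors reference more than max_targets distinct
    host:port pairs, or any port other than the default CMS port.

    Returns {client: {"targets": [(host, port), ...], "open": [(host, port), ...]}}.
    The "open" list is what an attacker would have learned, which is useful
    scoping information for incident response.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[ev["client"]].append(ev)

    alerts = {}
    for client, evs in events.items():
        targets = {(e["host"], e["port"]) for e in evs}
        non_default = [t for t in targets if t[1] != DEFAULT_CMS_PORT]
        if len(targets) > max_targets or non_default:
            alerts[client] = {
                "targets": sorted(targets),
                "open": sorted({(e["host"], e["port"]) for e in evs if e["result"] == "open"}),
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_probing(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(info['targets'])} targets probed, open={info['open']}")
```

On the sample log the benign client (one error, default port) stays quiet and 203.0.113.9 is flagged with four targets. The non-default-port rule fires on a single request, which is deliberate: a legitimate viewer never has a reason to point the application anywhere other than the configured CMS port, so one such request is already worth a look, while the target-count threshold catches a scan that sticks to 6400 across many hosts.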