This article details the analysis of a malicious exploit script targeting CVE-2025-31324 in SAP NetWeaver, which automates the upload of web shells for remote code execution. The script uses obfuscation techniques and interfaces with the vulnerable metadata uploader endpoint; the analysis also highlights detection and mitigation strategies. #SHINYHUNTERS #CVE2025-31324
Key points
- The exploit script targets a critical SAP vulnerability allowing unauthenticated file uploads via /developmentserver/metadatauploader.
- It constructs multipart/form-data HTTP POST requests to upload JSP web shells, often obfuscated with Base64 encoding.
- In exploit mode, it uploads a web shell that can execute system commands remotely, leading to possible system compromise.
- The script includes mechanisms for vulnerability testing through Java deserialization payloads utilizing OAST callbacks.
- Detection involves monitoring abnormal POST requests, suspicious JSP files, and unexpected server processes executing commands.
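As an added example (not code from the article or from the exploit script it analyses), the following Python module applies the detection ideas above to constructed sample data: it parses NCSA-style access-log lines, flags POST requests to /developmentserver/metadatauploader, correlates later requests for .jsp resources from the same source address, and scores JSP files found in a web directory for indicators of uploaded, Base64-obfuscated shells. The log lines, IP addresses, file names and file contents are all constructed for the example; the indicator strings are generic Java API names chosen here, not signatures from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in NCSA combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:02:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 213 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:02:47 +0000] "GET /irj/helper.jsp?d=AAAA HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [10/May/2025:10:03:01 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the article as the unauthenticated upload vector.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Generic Java API names that a dropped JSP shell commonly relies on (assumed
# indicator set for this example; tune to your environment).
JSP_INDICATORS = (
    "Runtime.getRuntime().exec",
    "ProcessBuilder",
    "Base64.getDecoder",
    "request.getParameter",
)


@dataclass
class Alert:
    ip: str
    ts: str
    reason: str
    path: str


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_log(text):
    """Flag POSTs to the uploader endpoint and follow-on JSP requests from the same source.

    SAP NetWeaver serves legitimate JSPs, so a bare '.jsp' request is not an alert on
    its own; it is only raised when the same client previously hit the uploader.
    """
    alerts = []
    uploaders = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and path_only == UPLOADER_PATH:
            uploaders.add(rec["ip"])
            alerts.append(Alert(rec["ip"], rec["ts"],
                                "POST to metadata uploader endpoint", rec["path"]))
        elif path_only.endswith(".jsp") and rec["ip"] in uploaders:
            alerts.append(Alert(rec["ip"], rec["ts"],
                                "JSP request following uploader POST from same source",
                                rec["path"]))
    return alerts


def score_jsp(content):
    """Return the indicator strings present in a JSP source body."""
    return [ind for ind in JSP_INDICATORS if ind in content]


def scan_uploads(files):
    """files: mapping of relative path -> file content (constructed here; in practice
    read recently modified files under the application's web root)."""
    findings = {}
    for path, content in files.items():
        if not path.lower().endswith(".jsp"):
            continue
        hits = score_jsp(content)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample directory listing: one ordinary JSP, one with obfuscation indicators.
SAMPLE_FILES = {
    "irj/root/index.jsp": "<html><body><%= new java.util.Date() %></body></html>",
    "irj/root/helper.jsp": (
        '<%@ page import="java.util.Base64" %>'
        '<% byte[] b = Base64.getDecoder().decode(request.getParameter("d")); %>'
    ),
    "irj/root/readme.txt": "Base64.getDecoder",  # not a JSP, must be ignored
}

if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(f"{a.ts} {a.ip} {a.reason}: {a.path}")
    for path, hits in scan_uploads(SAMPLE_FILES).items():
        print(f"suspicious JSP {path}: {', '.join(hits)}")
```

The two checks are deliberately layered: the log rule catches the upload attempt even if the shell was later removed, while the file scan catches a shell that arrived through a path the logs missed. Both produce structured results so they can be forwarded to a SIEM rather than only printed.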