CVE-2016-2386

This exploit demonstrates a time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50, leveraging information disclosure (CVE-2016-2388) to retrieve administrator credentials. It uses a SOAP request to extract password hashes via blind SQLi.

This exploit demonstrates an SQL injection vulnerability in SAP NetWeaver AS JAVA 7.1-7.5 via a crafted SOAP request to the UDDISecurityImplBean endpoint. The PoC injects a malicious SQL query into the permissionId parameter to extract data from the BC_UDV3_EL8EM_KEY table.

The repository contains functional exploit code demonstrating SQL injection in SAP NetWeaver AS JAVA UDDI Component via crafted SOAP requests. The payloads target the `deletePermissionById` method to extract sensitive data.

This repository contains a functional Python script demonstrating a time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50. The exploit leverages a crafted SOAP request to extract sensitive data, including administrator password hashes, and includes detailed technical explanations and payload examples.