Assessing the security of SAP ecosystems: Access from the SAP Application Layer to the Database

In previous posts we performed security assessments on the Management Console.

For the upcoming assessments we will need a tool to connect with the underlying databases. SQL*Plus is an Oracle utility with a basic command-line interface which allows us to connect with Oracle databases and execute queries in a simple fashion. Notice that you will have to download the Instant Client Package – Basic, and then download the Instant Client Package – SQL*Plus.

This way of performing arbitrary queries only works for SAP implementations with Oracle databases (which is the most common configuration in SAP Systems). As seen in a previous post, our sample SAP ecosystem has an Oracle database so we can perform this assessment. If there is an SAP system running on an Oracle database, an eventual attacker is most likely to succeed since it’s based on a default and mandatory trust relationship between the SAP System and the Oracle database.

Continue reading

Share Button