n3rada/sapsxpg

🏢 sapsxpg

A Python SAP penetration testing tool for enumerating and executing OS commands via the SXPG_CALL_SYSTEM function module over RFC (Remote Function Call).

sapsxpg connects to a SAP system via RFC, enumerates external OS commands registered in SM49/SM69, and provides an interactive shell to execute them. It auto-detects the remote operating system, caches results locally, and can generate toboggan-compatible RCE proof-of-concept scripts for full shell escalation.

  • Command enumeration: lists all OS commands registered in SM49/SM69 accessible to the authenticated user
  • Interactive shell: tab-completion, command history, built-in commands (ls, cat, ps, env)
  • OS detection: auto-filters commands by remote OS (Linux, Windows, Unix)
  • RCE PoC generation: produces a ready-to-use toboggan module from any arbitrary-execution command
  • Connection modes: direct RFC connection or load-balanced via SAP Message Server

Tip

If the SAP system has a command that allows arbitrary execution (e.g., ZSH, ZBASH), you can generate a PoC with --rce-poc and plug it into toboggan for a full semi-interactive shell.

⚙️ Prerequisite

The NWRFCSDK is proprietary SAP software. It requires an S-User account and specific permissions to download. Since SAP owns the intellectual property, it cannot be published or included inside this repository.

  1. Visit the SAP Support Portal.
  2. Download the appropriate version for your operating system.
  3. Follow the installation guide.

If you already have nwrfcsdk dropped somewhere on your system, you can locate and export the mandatory variables:

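# Locate an existing nwrfcsdk directory (find stops at the first match)
NWRFCSDK_PATH=$(find /opt /home /usr/local /srv -type d -path "*/nwrfcsdk" -print -quit 2>/dev/null)
export SAPNWRFC_HOME="$NWRFCSDK_PATH"
# Prepend the SDK libraries; a trailing colon would add the current directory to the library search path
export LD_LIBRARY_PATH="$NWRFCSDK_PATH/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"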

Note

pyrfc is not declared as a hard dependency because it requires the proprietary NWRFCSDK to build. You must install it separately after setting up the SDK.

📦 Installation

Prefer using uv, a fast Python package manager that installs tools in isolated environments. Alternatively, pipx or pip work as well.

With uv (recommended)

uv tool install persistently installs the tool and adds it to your PATH, similar to pipx:

uv tool install git+https://github.com/n3rada/sapsxpg.git --with pyrfc==3.3.1

After installation, sapsxpg is available directly:

sapsxpg --help

To upgrade later:

uv tool upgrade sapsxpg

Tip

You can also run sapsxpg without installing it using uvx (alias for uv tool run), which creates a temporary isolated environment on the fly:

uvx --from git+https://github.com/n3rada/sapsxpg.git --with pyrfc==3.3.1 sapsxpg --help

With pipx or pip

# Option 1: pipx (isolated environment, then add pyrfc to it)
pipx install 'git+https://github.com/n3rada/sapsxpg.git'
pipx inject sapsxpg pyrfc==3.3.1
# Option 2: pip
pip install 'git+https://github.com/n3rada/sapsxpg.git'
pip install pyrfc==3.3.1

🧸 Usage

sapsxpg <target> <username> <password> [options]

⚡ Quickstart

# Direct connection (default system number 00, client 500)
sapsxpg sap-server.example.com SAPUSER 'P@ssw0rd!'

# Custom client and system number
sapsxpg sap-server.example.com SAPUSER 'P@ssw0rd!' -c 100 -s 01

# Load-balanced connection via Message Server
sapsxpg sap-server.example.com SAPUSER 'P@ssw0rd!' -m msgserver -r PRD -g PUBLIC

🔗 Connection Modes

Flag            Description
-c, --client    SAP client number (default: 500)
-s, --sysnr     System number for direct connection (default: 00)
-m, --mshost    Message server hostname (load-balanced mode)
-r, --r3name    SAP system ID, required with -m
-g, --group     Logon group, required with -m
-t, --timeout   Connection timeout in seconds (default: 30)
--no-trace      Disable SAP RFC trace logging
--os            Force OS filter: linux, windows, unix, all, anyos

🔍 Interactive Shell

Once connected, sapsxpg drops you into an interactive shell with tab completion and command history. The shell supports:

  • Built-in commands: ls, cat, ps, env
  • SAP-registered commands: any command registered in SM49/SM69
  • Help: type h, help, or ? to list all available commands

The tool auto-detects the remote OS and filters commands accordingly. Results are cached locally for faster subsequent sessions.

🎯 RCE Proof of Concept

Generate a toboggan-compatible RCE module from any SAP command that allows execution:

sapsxpg sap-server.example.com SAPUSER 'P@ssw0rd!' --rce-poc ZSH

This produces a poc_sap-server.example.com_ZSH.py file. Plug it into toboggan for a full semi-interactive shell:

toboggan poc_sap-server.example.com_ZSH.py

Note

The generated PoC handles the 128-character argument limit of SXPG_CALL_SYSTEM by base64-encoding the command and using ${IFS} for space substitution.
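
The two traits named in this note, `${IFS}` space substitution and a base64-encoded command, are also what a defender can look for in recorded external-command parameters. The following is an added example, not part of sapsxpg: the record field names (`user`, `command`, `params`) are hypothetical and the sample records are constructed.

```python
import base64
import re

# Shell-variable stand-ins for a space, as named in the note above.
IFS_RE = re.compile(r"\$\{IFS\}|\$IFS\b")
# Runs long enough to be an encoded command rather than a flag or file name.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decodes_to_text(token: str) -> bool:
    """True if token is valid base64 that decodes to printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def indicators(params: str) -> list[str]:
    """Return the names of the indicators present in one parameter string."""
    found = []
    if IFS_RE.search(params):
        found.append("ifs_space_substitution")
    if any(decodes_to_text(m.group()) for m in B64_RE.finditer(params)):
        found.append("base64_text_blob")
    return found


def triage(records: list[dict]) -> list[dict]:
    """Keep only records with at least one indicator, annotated with them."""
    hits = []
    for rec in records:
        found = indicators(rec["params"])
        if found:
            hits.append({**rec, "indicators": found})
    return hits


# Constructed sample records; the field names are hypothetical.
_BLOB = base64.b64encode(b"constructed sample, not a real command").decode()
SAMPLE = [
    {"user": "BATCH01", "command": "ZLIST", "params": "-l /tmp"},
    {"user": "SAPUSER", "command": "ZSH", "params": "arg${IFS}" + _BLOB},
    {"user": "OPS02", "command": "ZPING", "params": "-c 3 host.example.test"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["user"], hit["command"], hit["indicators"])
```

Requiring the blob to decode to printable ASCII keeps long alphanumeric file names and identifiers from matching on length alone.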

⚠️ Disclaimer

This tool is provided strictly for defensive security research, education, and authorized penetration testing. You must have explicit written authorization before running this software against any system you do not own.

Acceptable environments include:

  • Private lab environments you control (local VMs, isolated networks).
  • Sanctioned learning platforms (CTFs, Hack The Box, OffSec exam scenarios).
  • Formal penetration-test or red-team engagements with documented customer consent.

Misuse of this project may result in legal action.

⚖️ Legal Notice

Any unauthorized use of this tool in real-world environments or against systems without explicit permission from the system owner is strictly prohibited and may violate legal and ethical standards. The creators and contributors of this tool are not responsible for any misuse or damage caused.

Use responsibly and ethically. Always respect the law and obtain proper authorization.

About

Simplify the SXPG_CALL_SYSTEM function module (FM) usage for enumeration on a targeted SAP system. Create a SAP RCE PoC.
