ABAP

Here you find some more or less useful ABAPs. If not useful at least they are funny…

My ABAP code is under the GPL license. Click here to get a copy.

Getting a little more authorizations

There are several programs in the internet to get SAP* authorizations.
Here you find my own version.
The nice thing is that it does not change the user profile, but only the user buffer for authorization. So it is invisible to most programs checking users for critical authorizations.

Enhancing “existing programs” to allow dictionary password checking

There are cute program on the internet that implement a kind of dictionary password checking.

This was fine until something changed in the SAP kernel. Now the calls to check_pass are somehow checked, with the result that if they are called from a Z or Y program the user is locked and kicked out of the system, all other reports are tentatively fooled with strange data i don’t understand.. This is a bit hard a treatement for a poor sysadmin trying to get his users to choose reasonable passwords.

One argument could be that there is a very nice system to specify patterns for forbidden passwords in some table somehwere, so that users cannot choose these password. So there is no need to call the password hashing code directly. And this is true, but it is far less powerful than the good old Unix crack.

So one could want to do it anyway. And here is a “simple” way to do it.

Just copy the coding in check_pass to another form and call this form “externally” from the form set_new_pass or check_pass. And voila’ it works and you can get all password hashes that you want. It seems that the xxpass code looks at the call stack… changing the call stack seems to be the trick. Here is an example:

 

*---------------------------------------------------------------------*

*       FORM SET_NEW_PASS                                             *

*---------------------------------------------------------------------*

* Passwort neu setzen.                                                *

*                                                                     *

*---------------------------------------------------------------------*

FORM SET_NEW_PASS USING USER NEWCODE NEWCODE1 RC.

  perform do_it in program SAPMS01J USING USER NEWCODE NEWCODE1 RC.

ENDFORM.

 

form do_it USING USER NEWCODE NEWCODE1 RC.

  SELECT SINGLE * FROM USR02

         WHERE BNAME = USER.

  IF SY-SUBRC <> 0.

    RC = 274.

*   message e274 with user.

  ENDIF.

  SY-SUBRC = 0.

  MOVE-CORRESPONDING  USR02 TO  *USR02.   " note 154401/2

  PERFORM SHIFT_OLD_PASS.

  CALL 'XXPASS'

       ID 'CODE'     FIELD NEWCODE

       ID 'CODX'     FIELD USR02-BCODE

       ID 'NAME'     FIELD USR02-BNAME

       ID 'VERS'     FIELD USR02-CODVN

       ID 'PASSCODE' FIELD USR02-PASSCODE. "new as of 6.20

  CLEAR USR02-LTIME.

  UPDATE USR02.

  IF SY-SUBRC <> 0.

    RC = 297.

*   message s297.

  ELSE.

    PERFORM WRITE_USH02.

  ENDIF.

  RC = 0.

* message s277 with user.

endform.

 

 

The same works with check_pass in the same include. An easy way to get the modified version of MS01JF10 into your system could be using the include uploader

Here is the whole include:

R3TR PROG MS01JF10

Open the client to allow customizing changes

Change table T000 in direct input

Read/write files from the file system of a application server

Get a file from the application servers file system

Put a file onto the application servers file system

Load an include into any system via upload

Upload include: overwrites the include

 

 

 

 

Home

Copyright © 2005 Krapinskij
Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice, and the copyright notice, are preserved.
Last update
28/10/2005 14:58

 

 

 

Hosted by www.Geocities.ws

1