CVEs-PoC/2016/CVE-2016-6144.md

### [CVE-2016-6144](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6144)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False," which makes it easier for remote attackers to bypass authentication via a brute force attack, aka SAP Security Note 2216869.

### POC

#### Reference
- http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html
- https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components

#### Github
- https://github.com/lmkalg/my_cves