Challenge 1: delete a worker in Dynamics AX “7” aka “Dynamics 365 for Operations” in the table browser
Create a worker under Human resources > Workers > Employees. Now try to delete it. If you ever touched the Project setup settings etc of the employee, a message appears announcing that a “
Solution: open the System Table Browser and delete the ResResourceIdentifier record by the RecId of the work center.
The table browser may be opened in the Visual Studio environment but it is just a URL that can be called in a browser as well. You just have to know the exact name of the table to do so: https://XXXaos.cloudax.dynamics.com/?mi=SysTableBrowser&tableName=ResResourceIdentifier
It’s a pity that the precious SQL injection window where in previous versions of Dynamics AX you were able to execute delete_from and update_recordset statements is not presented anymore; a real loss indeed.
Challenge 2: execute an arbitrary X++ class in Dynamics AX “7” aka “Dynamics 365 for Operations”
In AX7 there are no more “jobs” to be executed at once on Ctrl-O, but a replacement exists: runnable classes as described here: https://blogs.msdn.microsoft.com/axsupport/2016/03/23/get-started-developing-in-ax-7/
When executing a runnable class from Visual Studio the form SysClassRunner is called. This form parses the URL for the cls parameter and executes the respective class. You just need to know the URL syntax and the exact class name.
Let’s start with something harmless: https://XXXaos.cloudax.dynamics.com/?mi=SysClassRunner&cls=SysDBInformation
Now you can try to drop all transactional, non-master data in your production database: https://XXXaos.cloudax.dynamics.com/?mi=SysClassRunner&cls=SysDatabaseTransDelete