Ejemplo n.º 1
0
        static void FuzzSoapPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':') [1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operation: " + op.Name);

                string        url           = _endpoint;
                SoapOperation po            = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input         = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':') [1]);
                XNamespace    soapNS        = "http://schemas.xmlsoap.org/soap/envelope/";
                XNamespace    xmlNS         = op.SoapAction.Replace(op.Name, string.Empty);
                XElement      soapBody      = new XElement(soapNS + "Body");
                XElement      soapOperation = new XElement(xmlNS + op.Name);

                soapBody.Add(soapOperation);

                List <Guid> paramList = new List <Guid> ();
                SoapType    type      = _wsdl.Types.Single(t => t.Name == input.Parts [0].Element.Split(':') [1]);
                foreach (SoapTypeParameter param in type.Parameters)
                {
                    XElement soapParam = new XElement(xmlNS + param.Name);

                    if (param.Type.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        paramList.Add(guid);
                        soapParam.SetValue(guid.ToString());
                    }
                    soapOperation.Add(soapParam);
                }


                XDocument soapDoc = new XDocument(new XDeclaration("1.0", "utf-16", "true"),
                                                  new XElement(soapNS + "Envelope",
                                                               new XAttribute(XNamespace.Xmlns + "soap", soapNS),
                                                               new XAttribute("xmlns", xmlNS),
                                                               soapBody));

                int k = 0;
                foreach (Guid parm in paramList)
                {
                    string testSoap = soapDoc.ToString().Replace(parm.ToString(), "fd'sa");
                    byte[] data     = System.Text.Encoding.ASCII.GetBytes(testSoap);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                    req.Headers ["SOAPAction"] = op.SoapAction;
                    req.Method        = "POST";
                    req.ContentType   = "text/xml";
                    req.ContentLength = data.Length;
                    req.GetRequestStream().Write(data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injection vector in parameter: " + type.Parameters [k].Name);
                            TestPostRequestWithSqlmap(_endpoint, soapDoc.ToString(), op.SoapAction, parm.ToString());
                        }
                    }
                    k++;
                }
            }
        }
Ejemplo n.º 2
0
        static void FuzzHttpPostPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':') [1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operation: " + op.Name);

                string        url   = _endpoint + op.Location;
                SoapOperation po    = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':') [1]);
                Dictionary <string, string> parameters = new Dictionary <string, string> ();

                foreach (SoapMessagePart part in input.Parts)
                {
                    parameters.Add(part.Name, part.Type);
                }

                string      postParams = string.Empty;
                bool        first      = true;
                List <Guid> guids      = new List <Guid> ();
                foreach (var param in parameters)
                {
                    if (param.Value.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        postParams += (first ? "" : "&") + param.Key + "=" + guid.ToString();
                        guids.Add(guid);
                    }
                    if (first)
                    {
                        first = false;
                    }
                }

                int k = 0;
                foreach (Guid guid in guids)
                {
                    string testParams = postParams.Replace(guid.ToString(), "fd'sa");
                    byte[] data       = System.Text.Encoding.ASCII.GetBytes(testParams);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                    req.Method        = "POST";
                    req.ContentType   = "application/x-www-form-urlencoded";
                    req.ContentLength = data.Length;
                    req.GetRequestStream().Write(data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
                            TestPostRequestWithSqlmap(url, testParams, null, guid.ToString());
                        }
                    }
                    k++;
                }
            }
        }