static void FuzzHttpPostPort(SoapBinding binding)
{
SoapPortType portType = _wsdl.PortTypes.Where(pt => pt.Name == binding.Type.Split(':') [1]).Single();
foreach (SoapBindingOperation op in binding.Operations)
{
Console.WriteLine("Fuzzing operation: " + op.Name);
string url = _endpoint + op.Location;
SoapOperation po = portType.Operations.Where(p => p.Name == op.Name).Single();
SoapMessage input = _wsdl.Messages.Where(m => m.Name == po.Input.Split(':') [1]).Single();
Dictionary <string, string> parameters = new Dictionary <string, string> ();
foreach (SoapPart part in input.Parts)
{
parameters.Add(part.Name, part.Type);
}
string postParams = string.Empty;
bool first = true;
int i = 0;
foreach (var param in parameters)
{
if (param.Value.EndsWith("string"))
{
postParams += (first ? "" : "&") + param.Key + "=fds" + i++;
}
if (first)
{
first = false;
}
}
for (int k = 0; k <= i; k++)
{
string testParams = postParams.Replace("fds" + k, "fd'sa");
byte[] data = System.Text.Encoding.ASCII.GetBytes(testParams);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "POST";
req.ContentType = "application/x-www-form-urlencoded";
req.ContentLength = data.Length;
req.GetRequestStream().Write(data, 0, data.Length);
string resp = string.Empty;
try {
using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
resp = rdr.ReadToEnd();
} catch (WebException ex) {
using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
resp = rdr.ReadToEnd();
if (resp.Contains("syntax error"))
{
Console.WriteLine("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
}
}
}
}
}
static void FuzzHttpGetPort(SoapBinding binding)
{
SoapPortType portType = _wsdl.PortTypes.Where (pt => pt.Name == binding.Type.Split (':') [1]).Single ();
List<string> vulnUrls = new List<string> ();
foreach (SoapBindingOperation op in binding.Operations) {
Console.WriteLine ("Fuzzing operation: " + op.Name);
string url = _endpoint + op.Location;
SoapOperation po = portType.Operations.Where (p => p.Name == op.Name).Single ();
SoapMessage input = _wsdl.Messages.Where (m => m.Name == po.Input.Split (':') [1]).Single ();
Dictionary<string, string> parameters = new Dictionary<string, string> ();
foreach (SoapPart part in input.Parts) {
parameters.Add (part.Name, part.Type);
}
bool first = true;
int i = 0;
foreach (var param in parameters) {
if (param.Value.EndsWith ("string"))
url += (first ? "?" : "&") + param.Key + "=fds" + i++;
if (first)
first = false;
}
Console.WriteLine ("Fuzzing full url: " + url);
for (int k = 0; k <= i; k++) {
string testUrl = url.Replace ("fds" + k, "fd'sa");
HttpWebRequest req = (HttpWebRequest)WebRequest.Create (testUrl);
string resp = string.Empty;
try {
using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
resp = rdr.ReadToEnd ();
} catch (WebException ex) {
using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
resp = rdr.ReadToEnd ();
if (resp.Contains ("syntax error")) {
if (!vulnUrls.Contains (url))
vulnUrls.Add (url);
Console.WriteLine ("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
}
}
}
}
foreach (string url in vulnUrls) {
//TestGetRequestWithSqlmap(url);
}
}
static void FuzzHttpPort(SoapBinding binding)
{
if (binding.Verb == "GET")
{
FuzzHttpGetPort(binding);
}
else if (binding.Verb == "POST")
{
FuzzHttpPostPort(binding);
}
else
{
throw new Exception("Don't know verb: " + binding.Verb);
}
}
static void FuzzService(SoapService service)
{
Console.WriteLine("Fuzzing service: " + service.Name);
foreach (SoapPort port in service.Ports)
{
Console.WriteLine("Fuzzing " + port.ElementType.Split(':') [0] + " port: " + port.Name);
SoapBinding binding = _wsdl.Bindings.Where(b => b.Name == port.Binding.Split(':') [1]).Single();
if (binding.IsHTTP)
{
FuzzHttpPort(binding);
}
else
{
FuzzSoapPort(binding);
}
}
}
static void FuzzSoapPort(SoapBinding binding)
{
SoapPortType portType = _wsdl.PortTypes.Where(pt => pt.Name == binding.Type.Split(':') [1]).Single();
foreach (SoapBindingOperation op in binding.Operations)
{
Console.WriteLine("Fuzzing operation: " + op.Name);
string url = _endpoint;
SoapOperation po = portType.Operations.Where(p => p.Name == op.Name).Single();
SoapMessage input = _wsdl.Messages.Where(m => m.Name == po.Input.Split(':') [1]).Single();
string soap = "<?xml version=\"1.0\" encoding=\"utf-16\"?>";
soap += "<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"";
soap += " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"";
soap += " xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">";
soap += "<soap:Body>";
soap += "<" + op.Name + " xmlns=\"" + op.SoapAction.Replace(op.Name, string.Empty) + "\">";
int i = 0;
SoapType type = null; //this is cheating, assumes only one part
foreach (SoapPart part in input.Parts)
{
type = _wsdl.Types.Where(t => t.Name == part.Element.Split(':') [1]).Single();
foreach (SoapTypeParameter param in type.Parameters)
{
soap += "<" + param.Name + ">";
if (param.Type.EndsWith("string"))
{
soap += "fds" + i++;
}
soap += "</" + param.Name + ">";
}
}
soap += "</" + op.Name + ">";
soap += "</soap:Body>";
soap += "</soap:Envelope>";
Dictionary <string, string> vulnValues = new Dictionary <string, string>();
for (int k = 0; k <= i; k++)
{
string testSoap = soap.Replace("fds" + k, "fd'sa");
byte[] data = System.Text.Encoding.ASCII.GetBytes(testSoap);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.Headers ["SOAPAction"] = op.SoapAction;
req.Method = "POST";
req.ContentType = "text/xml";
req.ContentLength = data.Length;
req.GetRequestStream().Write(data, 0, data.Length);
string resp = string.Empty;
try {
using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
resp = rdr.ReadToEnd();
} catch (WebException ex) {
using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
resp = rdr.ReadToEnd();
if (resp.Contains("syntax error"))
{
vulnValues.Add("fds" + k, op.SoapAction);
Console.WriteLine("Possible SQL injection vector in parameter: " + type.Parameters [k].Name);
}
}
}
//foreach (var pair in vulnValues)
//TestPostRequestWithSqlmap(_endpoint, soap, pair.Value, pair.Key);
}
}
static void FuzzHttpGetPort(SoapBinding binding)
{
SoapPortType portType = _wsdl.PortTypes.Where(pt => pt.Name == binding.Type.Split(':') [1]).Single();
List <string> vulnUrls = new List <string> ();
foreach (SoapBindingOperation op in binding.Operations)
{
Console.WriteLine("Fuzzing operation: " + op.Name);
string url = _endpoint + op.Location;
SoapOperation po = portType.Operations.Where(p => p.Name == op.Name).Single();
SoapMessage input = _wsdl.Messages.Where(m => m.Name == po.Input.Split(':') [1]).Single();
Dictionary <string, string> parameters = new Dictionary <string, string> ();
foreach (SoapPart part in input.Parts)
{
parameters.Add(part.Name, part.Type);
}
bool first = true;
int i = 0;
foreach (var param in parameters)
{
if (param.Value.EndsWith("string"))
{
url += (first ? "?" : "&") + param.Key + "=fds" + i++;
}
if (first)
{
first = false;
}
}
Console.WriteLine("Fuzzing full url: " + url);
for (int k = 0; k <= i; k++)
{
string testUrl = url.Replace("fds" + k, "fd'sa");
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(testUrl);
string resp = string.Empty;
try {
using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
resp = rdr.ReadToEnd();
} catch (WebException ex) {
using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
resp = rdr.ReadToEnd();
if (resp.Contains("syntax error"))
{
if (!vulnUrls.Contains(url))
{
vulnUrls.Add(url);
}
Console.WriteLine("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
}
}
}
}
foreach (string url in vulnUrls)
{
//TestGetRequestWithSqlmap(url);
}
}
static void FuzzHttpPort(SoapBinding binding)
{
if (binding.Verb == "GET")
FuzzHttpGetPort (binding);
else if (binding.Verb == "POST")
FuzzHttpPostPort (binding);
else
throw new Exception ("Don't know verb: " + binding.Verb);
}
static void FuzzSoapPort(SoapBinding binding)
{
SoapPortType portType = _wsdl.PortTypes.Where (pt => pt.Name == binding.Type.Split (':') [1]).Single ();
foreach (SoapBindingOperation op in binding.Operations) {
Console.WriteLine ("Fuzzing operation: " + op.Name);
string url = _endpoint;
SoapOperation po = portType.Operations.Where (p => p.Name == op.Name).Single ();
SoapMessage input = _wsdl.Messages.Where (m => m.Name == po.Input.Split (':') [1]).Single ();
string soap = "<?xml version=\"1.0\" encoding=\"utf-16\"?>";
soap += "<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"";
soap += " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"";
soap += " xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">";
soap += "<soap:Body>";
soap += "<" + op.Name + " xmlns=\"" + op.SoapAction.Replace (op.Name, string.Empty) + "\">";
int i = 0;
SoapType type = null; //this is cheating, assumes only one part
foreach (SoapPart part in input.Parts) {
type = _wsdl.Types.Where (t => t.Name == part.Element.Split (':') [1]).Single ();
foreach (SoapTypeParameter param in type.Parameters) {
soap += "<" + param.Name + ">";
if (param.Type.EndsWith ("string"))
soap += "fds" + i++;
soap += "</" + param.Name + ">";
}
}
soap += "</" + op.Name + ">";
soap += "</soap:Body>";
soap += "</soap:Envelope>";
Dictionary<string, string> vulnValues = new Dictionary<string, string>();
for (int k = 0; k <= i; k++) {
string testSoap = soap.Replace ("fds" + k, "fd'sa");
byte[] data = System.Text.Encoding.ASCII.GetBytes (testSoap);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create (url);
req.Headers ["SOAPAction"] = op.SoapAction;
req.Method = "POST";
req.ContentType = "text/xml";
req.ContentLength = data.Length;
req.GetRequestStream ().Write (data, 0, data.Length);
string resp = string.Empty;
try {
using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
resp = rdr.ReadToEnd ();
} catch (WebException ex) {
using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
resp = rdr.ReadToEnd ();
if (resp.Contains ("syntax error"))
{
vulnValues.Add("fds" + k, op.SoapAction);
Console.WriteLine ("Possible SQL injection vector in parameter: " + type.Parameters [k].Name);
}
}
}
//foreach (var pair in vulnValues)
//TestPostRequestWithSqlmap(_endpoint, soap, pair.Value, pair.Key);
}
}
static void FuzzHttpPostPort(SoapBinding binding)
{
SoapPortType portType = _wsdl.PortTypes.Where (pt => pt.Name == binding.Type.Split (':') [1]).Single ();
foreach (SoapBindingOperation op in binding.Operations) {
Console.WriteLine ("Fuzzing operation: " + op.Name);
string url = _endpoint + op.Location;
SoapOperation po = portType.Operations.Where (p => p.Name == op.Name).Single ();
SoapMessage input = _wsdl.Messages.Where (m => m.Name == po.Input.Split (':') [1]).Single ();
Dictionary<string, string> parameters = new Dictionary<string, string> ();
foreach (SoapPart part in input.Parts) {
parameters.Add (part.Name, part.Type);
}
string postParams = string.Empty;
bool first = true;
int i = 0;
foreach (var param in parameters) {
if (param.Value.EndsWith ("string"))
postParams += (first ? "" : "&") + param.Key + "=fds" + i++;
if (first)
first = false;
}
for (int k = 0; k <= i; k++) {
string testParams = postParams.Replace ("fds" + k, "fd'sa");
byte[] data = System.Text.Encoding.ASCII.GetBytes (testParams);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create (url);
req.Method = "POST";
req.ContentType = "application/x-www-form-urlencoded";
req.ContentLength = data.Length;
req.GetRequestStream ().Write (data, 0, data.Length);
string resp = string.Empty;
try {
using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
resp = rdr.ReadToEnd ();
} catch (WebException ex) {
using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
resp = rdr.ReadToEnd ();
if (resp.Contains ("syntax error"))
Console.WriteLine ("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
}
}
}
}