Exemple #1
0
        static void FuzzSoapPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':')[1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operations: " + op.Name);
                SoapOperation po    = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':')[1]);

                XNamespace soapNS        = "http://schemas.xmlsoap.org/soap/envelope/";
                XNamespace xmlNS         = op.SoapAction.Replace(op.Name, string.Empty);
                XElement   soapBody      = new XElement(soapNS + "Body");
                XElement   soapOperation = new XElement(xmlNS + op.Name);

                soapBody.Add(soapOperation);

                List <Guid> paramList = new List <Guid>();
                SoapType    type      = _wsdl.Types.Single(t => t.Name == input.Parts[0].Element.Split(':')[1]);
                foreach (SoapTypeParameter param in type.Parameters)
                {
                    XElement soapParam = new XElement(xmlNS + param.Name);
                    if (param.Type.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        paramList.Add(guid);
                        soapParam.SetValue(guid.ToString());
                    }
                    soapOperation.Add(soapParam);
                }
                XDocument soapDoc = new XDocument(new XDeclaration("1.0", "ascii", "true"),
                                                  new XElement(soapNS + "Envelope",
                                                               new XAttribute(XNamespace.Xmlns + "soap", soapNS),
                                                               new XAttribute("xmlns", xmlNS),
                                                               soapBody));
                int k = 0;
                foreach (Guid parm in paramList)
                {
                    string         testSoap = soapDoc.ToString().Replace(parm.ToString(), "fd'sa");
                    byte[]         data     = System.Text.Encoding.ASCII.GetBytes(testSoap);
                    HttpWebRequest req      = (HttpWebRequest)WebRequest.CreateHttp(_endpoint);
                    req.Headers["SOAPAction"] = op.SoapAction;
                    req.Method        = "POST";
                    req.ContentType   = "text/xml";
                    req.ContentLength = data.Length;
                    using (Stream stream = req.GetRequestStream())
                        stream.Write(data, 0, data.Length);

                    string resp = string.Empty;
                    try
                    {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    }
                    catch (WebException ex)
                    {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injectionv ector in parameter: ");
                        }
                        Console.Write(type.Parameters[k].Name);
                    }
                    k++;
                }
            }
        }
Exemple #2
0
        static void FuzzHttpPostPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':')[1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operation: " + op.Name);
                string        url   = _endpoint + op.Location;
                SoapOperation po    = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':')[1]);
                Dictionary <string, string> parameters = new Dictionary <string, string>();

                foreach (SoapMessagePart part in input.Parts)
                {
                    parameters.Add(part.Name, part.Type);
                }
                string      postParams = string.Empty;
                bool        first      = true;
                List <Guid> guids      = new List <Guid>();
                foreach (var param in parameters)
                {
                    if (param.Value.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        postParams += (first ? "" : "&") + param.Key + "=" + guid.ToString();
                        guids.Add(guid);
                    }
                    if (first)
                    {
                        first = false;
                    }
                }
                int k = 0;
                foreach (Guid guid in guids)
                {
                    string testParams = postParams.Replace(guid.ToString(), "fd'sa");
                    byte[] data       = System.Text.Encoding.ASCII.GetBytes(testParams);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.CreateHttp(url);
                    req.Method        = "POST";
                    req.ContentType   = "application/x-www-form-urlencoded";
                    req.ContentLength = data.Length;
                    req.GetRequestStream().Write(data, 0, data.Length);

                    string resp = string.Empty;
                    try
                    {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    }
                    catch (WebException ex)
                    {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injection vector in parameter: " + input.Parts[k].Name);
                        }
                    }
                    k++;
                }
            }
        }