Exemplo n.º 1
0
        static void FuzzHttpGetPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':') [1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operation: " + op.Name);

                string        url   = _endpoint + op.Location;
                SoapOperation po    = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':') [1]);

                Dictionary <string, string> parameters = new Dictionary <string, string> ();
                foreach (SoapMessagePart part in input.Parts)
                {
                    parameters.Add(part.Name, part.Type);
                }

                bool        first    = true;
                List <Guid> guidList = new List <Guid> ();
                foreach (var param in parameters)
                {
                    if (param.Value.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        guidList.Add(guid);
                        url += (first ? "?" : "&") + param.Key + "=" + guid.ToString();
                    }
                    if (first)
                    {
                        first = false;
                    }
                }

                Console.WriteLine("Fuzzing full url: " + url);

                int k = 0;
                foreach (Guid guid in guidList)
                {
                    string         testUrl = url.Replace(guid.ToString(), "fd'sa");
                    HttpWebRequest req     = (HttpWebRequest)WebRequest.Create(testUrl);
                    string         resp    = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
                        }
                    }
                    k++;
                }
            }
        }
Exemplo n.º 2
0
        static void FuzzHttpGetPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Where (pt => pt.Name == binding.Type.Split (':') [1]).Single ();
            List<string> vulnUrls = new List<string> ();
            foreach (SoapBindingOperation op in binding.Operations) {
                Console.WriteLine ("Fuzzing operation: " + op.Name);

                string url = _endpoint + op.Location;
                SoapOperation po = portType.Operations.Where (p => p.Name == op.Name).Single ();
                SoapMessage input = _wsdl.Messages.Where (m => m.Name == po.Input.Split (':') [1]).Single ();

                Dictionary<string, string> parameters = new Dictionary<string, string> ();
                foreach (SoapMessagePart part in input.Parts) {
                    parameters.Add (part.Name, part.Type);
                }

                bool first = true;
                int i = 0;
                foreach (var param in parameters) {
                    if (param.Value.EndsWith ("string"))
                        url += (first ? "?" : "&") + param.Key + "=fds" + i++;
                    if (first)
                        first = false;
                }

                Console.WriteLine ("Fuzzing full url: " + url);

                for (int k = 0; k <= i; k++) {
                    string testUrl = url.Replace ("fds" + k, "fd'sa");
                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create (testUrl);
                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd ();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd ();

                        if (resp.Contains ("syntax error")) {
                            if (!vulnUrls.Contains (url))
                                vulnUrls.Add (url);

                            Console.WriteLine ("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
                        }
                    }
                }
            }

            foreach (string url in vulnUrls)
                TestGetRequestWithSqlmap(url);
        }
Exemplo n.º 3
0
 static void FuzzHttpPort(SoapBinding binding)
 {
     if (binding.Verb == "GET")
     {
         FuzzHttpGetPort(binding);
     }
     else if (binding.Verb == "POST")
     {
         FuzzHttpPostPort(binding);
     }
     else
     {
         throw new Exception("Don't know verb: " + binding.Verb);
     }
 }
Exemplo n.º 4
0
        static void FuzzHttpGetPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single (pt => pt.Name == binding.Type.Split (':') [1]);
            foreach (SoapBindingOperation op in binding.Operations) {
                Console.WriteLine ("Fuzzing operation: " + op.Name);

                string url = _endpoint + op.Location;
                SoapOperation po = portType.Operations.Single (p => p.Name == op.Name);
                SoapMessage input = _wsdl.Messages.Single (m => m.Name == po.Input.Split (':') [1]);

                Dictionary<string, string> parameters = new Dictionary<string, string> ();
                foreach (SoapMessagePart part in input.Parts)
                    parameters.Add (part.Name, part.Type);

                bool first = true;
                List<Guid> guidList = new List<Guid> ();
                foreach (var param in parameters) {
                    if (param.Value.EndsWith ("string")) {
                        Guid guid = Guid.NewGuid ();
                        guidList.Add (guid);
                        url += (first ? "?" : "&") + param.Key + "=" + guid.ToString();
                    }
                    if (first)
                        first = false;
                }

                Console.WriteLine ("Fuzzing full url: " + url);

                int k = 0;
                foreach(Guid guid in guidList) {
                    string testUrl = url.Replace (guid.ToString(), "fd'sa");
                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create (testUrl);
                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader (req.GetResponse ().GetResponseStream ()))
                            resp = rdr.ReadToEnd ();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader (ex.Response.GetResponseStream ()))
                            resp = rdr.ReadToEnd ();

                        if (resp.Contains ("syntax error"))
                            Console.WriteLine ("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
                    }
                    k++;
                }
            }
        }
Exemplo n.º 5
0
        static void FuzzService(SoapService service)
        {
            Console.WriteLine("Fuzzing service: " + service.Name);

            foreach (SoapPort port in service.Ports)
            {
                Console.WriteLine("Fuzzing " + port.ElementType.Split(':') [0] + " port: " + port.Name);
                SoapBinding binding = _wsdl.Bindings.Single(b => b.Name == port.Binding.Split(':') [1]);

                if (binding.IsHTTP)
                {
                    FuzzHttpPort(binding);
                }
                else
                {
                    FuzzSoapPort(binding);
                }
            }
        }
Exemplo n.º 6
0
        static void FuzzSoapPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':') [1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operation: " + op.Name);

                string        url           = _endpoint;
                SoapOperation po            = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input         = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':') [1]);
                XNamespace    soapNS        = "http://schemas.xmlsoap.org/soap/envelope/";
                XNamespace    xmlNS         = op.SoapAction.Replace(op.Name, string.Empty);
                XElement      soapBody      = new XElement(soapNS + "Body");
                XElement      soapOperation = new XElement(xmlNS + op.Name);

                soapBody.Add(soapOperation);

                List <Guid> paramList = new List <Guid> ();
                SoapType    type      = _wsdl.Types.Single(t => t.Name == input.Parts [0].Element.Split(':') [1]);
                foreach (SoapTypeParameter param in type.Parameters)
                {
                    XElement soapParam = new XElement(xmlNS + param.Name);

                    if (param.Type.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        paramList.Add(guid);
                        soapParam.SetValue(guid.ToString());
                    }
                    soapOperation.Add(soapParam);
                }


                XDocument soapDoc = new XDocument(new XDeclaration("1.0", "utf-16", "true"),
                                                  new XElement(soapNS + "Envelope",
                                                               new XAttribute(XNamespace.Xmlns + "soap", soapNS),
                                                               new XAttribute("xmlns", xmlNS),
                                                               soapBody));
                int k = 0;
                foreach (Guid parm in paramList)
                {
                    string testSoap = soapDoc.ToString().Replace(parm.ToString(), "fd'sa");
                    byte[] data     = System.Text.Encoding.ASCII.GetBytes(testSoap);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                    req.Headers ["SOAPAction"] = op.SoapAction;
                    req.Method        = "POST";
                    req.ContentType   = "text/xml";
                    req.ContentLength = data.Length;
                    req.GetRequestStream().Write(data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injection vector in parameter: " + type.Parameters [k].Name);
                        }
                    }
                    k++;
                }
            }
        }
Exemplo n.º 7
0
        static void FuzzHttpPostPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single(pt => pt.Name == binding.Type.Split(':') [1]);

            foreach (SoapBindingOperation op in binding.Operations)
            {
                Console.WriteLine("Fuzzing operation: " + op.Name);

                string        url   = _endpoint + op.Location;
                SoapOperation po    = portType.Operations.Single(p => p.Name == op.Name);
                SoapMessage   input = _wsdl.Messages.Single(m => m.Name == po.Input.Split(':') [1]);
                Dictionary <string, string> parameters = new Dictionary <string, string> ();

                foreach (SoapMessagePart part in input.Parts)
                {
                    parameters.Add(part.Name, part.Type);
                }

                string      postParams = string.Empty;
                bool        first      = true;
                List <Guid> guids      = new List <Guid> ();
                foreach (var param in parameters)
                {
                    if (param.Value.EndsWith("string"))
                    {
                        Guid guid = Guid.NewGuid();
                        postParams += (first ? "" : "&") + param.Key + "=" + guid.ToString();
                        guids.Add(guid);
                    }
                    if (first)
                    {
                        first = false;
                    }
                }

                int k = 0;
                foreach (Guid guid in guids)
                {
                    string testParams = postParams.Replace(guid.ToString(), "fd'sa");
                    byte[] data       = System.Text.Encoding.ASCII.GetBytes(testParams);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                    req.Method        = "POST";
                    req.ContentType   = "application/x-www-form-urlencoded";
                    req.ContentLength = data.Length;
                    req.GetRequestStream().Write(data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd();

                        if (resp.Contains("syntax error"))
                        {
                            Console.WriteLine("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
                        }
                    }
                    k++;
                }
            }
        }
Exemplo n.º 8
0
 static void FuzzHttpPort(SoapBinding binding)
 {
     if (binding.Verb == "GET")
         FuzzHttpGetPort (binding);
     else if (binding.Verb == "POST")
         FuzzHttpPostPort (binding);
     else
         throw new Exception ("Don't know verb: " + binding.Verb);
 }
Exemplo n.º 9
0
        static void FuzzSoapPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Where (pt => pt.Name == binding.Type.Split (':') [1]).Single ();

            foreach (SoapBindingOperation op in binding.Operations) {
                Console.WriteLine ("Fuzzing operation: " + op.Name);

                string url = _endpoint;
                SoapOperation po = portType.Operations.Where (p => p.Name == op.Name).Single ();
                SoapMessage input = _wsdl.Messages.Where (m => m.Name == po.Input.Split (':') [1]).Single ();
                string soap = "<?xml version=\"1.0\" encoding=\"utf-16\"?>";
                soap += "<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"";
                soap += " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"";
                soap += " xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">";
                soap += "<soap:Body>";
                soap += "<" + op.Name + " xmlns=\"" + op.SoapAction.Replace (op.Name, string.Empty) + "\">";
                int i = 0;
                SoapType type = null; //this is cheating, assumes only one part

                foreach (SoapMessagePart part in input.Parts) {
                    type = _wsdl.Types.Where (t => t.Name == part.Element.Split (':') [1]).Single ();
                    foreach (SoapTypeParameter param in type.Parameters) {
                        soap += "<" + param.Name + ">";
                        if (param.Type.EndsWith ("string"))
                            soap += "fds" + i++;
                        soap += "</" + param.Name + ">";
                    }
                }

                soap += "</" + op.Name + ">";
                soap += "</soap:Body>";
                soap += "</soap:Envelope>";

                Dictionary<string, string> vulnValues = new Dictionary<string, string>();
                for (int k = 0; k <= i; k++) {
                    string testSoap = soap.Replace ("fds" + k, "fd'sa");
                    byte[] data = System.Text.Encoding.ASCII.GetBytes (testSoap);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create (url);
                    req.Headers ["SOAPAction"] = op.SoapAction;
                    req.Method = "POST";
                    req.ContentType = "text/xml";
                    req.ContentLength = data.Length;
                    req.GetRequestStream ().Write (data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd ();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd ();

                        if (resp.Contains ("syntax error"))
                        {
                            vulnValues.Add("fds" + k, op.SoapAction);
                            Console.WriteLine ("Possible SQL injection vector in parameter: " + type.Parameters [k].Name);
                        }
                    }
                }

                foreach (var pair in vulnValues)
                    TestPostRequestWithSqlmap(_endpoint, soap, pair.Value, pair.Key);
            }
        }
Exemplo n.º 10
0
        static void FuzzHttpPostPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Where (pt => pt.Name == binding.Type.Split (':') [1]).Single ();
            foreach (SoapBindingOperation op in binding.Operations) {
                Console.WriteLine ("Fuzzing operation: " + op.Name);

                string url = _endpoint + op.Location;
                SoapOperation po = portType.Operations.Where (p => p.Name == op.Name).Single ();
                SoapMessage input = _wsdl.Messages.Where (m => m.Name == po.Input.Split (':') [1]).Single ();
                Dictionary<string, string> parameters = new Dictionary<string, string> ();

                foreach (SoapMessagePart part in input.Parts) {
                    parameters.Add (part.Name, part.Type);
                }

                string postParams = string.Empty;
                bool first = true;
                int i = 0;
                foreach (var param in parameters) {
                    if (param.Value.EndsWith ("string"))
                        postParams += (first ? "" : "&") + param.Key + "=fds" + i++;
                    if (first)
                        first = false;
                }

                for (int k = 0; k <= i; k++) {
                    string testParams = postParams.Replace ("fds" + k, "fd'sa");
                    byte[] data = System.Text.Encoding.ASCII.GetBytes (testParams);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create (url);
                    req.Method = "POST";
                    req.ContentType = "application/x-www-form-urlencoded";
                    req.ContentLength = data.Length;
                    req.GetRequestStream ().Write (data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader(req.GetResponse().GetResponseStream()))
                            resp = rdr.ReadToEnd ();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader(ex.Response.GetResponseStream()))
                            resp = rdr.ReadToEnd ();

                        if (resp.Contains ("syntax error"))
                            Console.WriteLine ("Possible SQL injection vector in parameter: " + input.Parts [k].Name);
                    }
                }
            }
        }
Exemplo n.º 11
0
        static void FuzzSoapPort(SoapBinding binding)
        {
            SoapPortType portType = _wsdl.PortTypes.Single (pt => pt.Name == binding.Type.Split (':') [1]);

            foreach (SoapBindingOperation op in binding.Operations) {
                Console.WriteLine ("Fuzzing operation: " + op.Name);

                string url = _endpoint;
                SoapOperation po = portType.Operations.Single (p => p.Name == op.Name);
                SoapMessage input = _wsdl.Messages.Single (m => m.Name == po.Input.Split (':') [1]);
                XNamespace soapNS = "http://schemas.xmlsoap.org/soap/envelope/";
                XNamespace xmlNS = op.SoapAction.Replace (op.Name, string.Empty);
                XElement soapBody = new XElement (soapNS + "Body");
                XElement soapOperation = new XElement (xmlNS + op.Name);

                soapBody.Add (soapOperation);

                List<Guid> paramList = new List<Guid> ();
                List<SoapType> typeList = new List<SoapType> ();
                foreach (SoapMessagePart part in input.Parts) {
                    SoapType type = _wsdl.Types.Single (t => t.Name == part.Element.Split (':') [1]);
                    foreach (SoapTypeParameter param in type.Parameters) {
                        XElement soapParam = new XElement (xmlNS + param.Name);

                        if (param.Type.EndsWith ("string")) {
                            Guid guid = Guid.NewGuid ();
                            paramList.Add (guid);
                            soapParam.SetValue (guid.ToString ());
                        }
                        soapOperation.Add (soapParam);
                    }
                    typeList.Add (type);
                }

                XDocument soapDoc = new XDocument (new XDeclaration ("1.0", "utf-16", "true"),
                                        new XElement (soapNS + "Envelope",
                                            new XAttribute (XNamespace.Xmlns + "soap", soapNS),
                                            new XAttribute ("xmlns", xmlNS),
                                            soapBody));
                int k = 0;
                foreach (Guid parm in paramList) {
                    string testSoap = soapDoc.ToString ().Replace (parm.ToString(), "fd'sa");
                    byte[] data = System.Text.Encoding.ASCII.GetBytes (testSoap);

                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create (url);
                    req.Headers ["SOAPAction"] = op.SoapAction;
                    req.Method = "POST";
                    req.ContentType = "text/xml";
                    req.ContentLength = data.Length;
                    req.GetRequestStream ().Write (data, 0, data.Length);

                    string resp = string.Empty;
                    try {
                        using (StreamReader rdr = new StreamReader (req.GetResponse ().GetResponseStream ()))
                            resp = rdr.ReadToEnd ();
                    } catch (WebException ex) {
                        using (StreamReader rdr = new StreamReader (ex.Response.GetResponseStream ()))
                            resp = rdr.ReadToEnd ();

                        if (resp.Contains ("syntax error"))
                            Console.WriteLine ("Possible SQL injection vector in parameter: " + typeList [0].Parameters [k].Name);
                    }
                    k++;
                }
            }
        }