Wednesday, December 18, 2013

Manual Data Enumeration via SOAP

You can use Burp Suite to manually enumerate data via WSDL/SOAP.
First, we'll need to spin up Burp to capture the requests.
Second, let's locate the '*.asmx' file (an ASP.NET web service source file), which should be fairly easy.
Try viewing the source code of the main page or sub-pages and search for '.asmx'. Once you have found the file, we will need to view the list of supported SOAP/WSDL operations. This can be done by browsing directly to the '.asmx' file.

In this example, we browse to the following URL:
http://[host]/[File Name].asmx?

Something similar to the following is returned. In some cases you'll have more operations listed, which gives you more to play with.
The following operations are supported. For a formal definition, please review the Service Description.

    GetPhysicianLastNames

This web service is using http://tempuri.org/ as its default namespace.
Recommendation: Change the default namespace before the XML Web service is made public.

The beauty of this is that clicking on each supported operation returns a working example of how to craft the SOAP/WSDL request for it.
The easiest way to craft and test these examples is to copy out each working example (shown below) and send any Burp request (from the Proxy, History tab) to 'Repeater'. Once you have the request in Repeater, just replace its body with the SOAP request data.

Our crafted SOAP/WSDL request:
POST /[File Name].asmx HTTP/1.1
Host: www.[host].com
Content-Type: text/xml; charset=utf-8
Content-Length: 381
SOAPAction: "http://tempuri.org/GetPhysicianLastNames"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetPhysicianLastNames xmlns="http://tempuri.org/">
      <prefixText>[Search String]</prefixText>
    </GetPhysicianLastNames>
  </soap:Body>
</soap:Envelope>

Within the 'prefixText' tag we insert our search string, in this case 'A', and click 'Go' to send the POST.
Now we see our results returned within the Response section of Burp Suite.
In this case we get back (obviously) all physician last names starting with 'A':
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 699

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetPhysicianLastNamesResponse xmlns="http://tempuri.org/"><GetPhysicianLastNamesResult><string>Acenas-Recientes</string><string>Agyemang</string><string>Ahmed</string><string>Akhnoukh</string><string>Alacha</string><string>Albano</string><string>Alvarez</string><string>Anthony</string><string>Anthony-Yearwood</string><string>Antoine</string><string>Arnau</string><string>Augustin</string></GetPhysicianLastNamesResult></GetPhysicianLastNamesResponse></soap:Body></soap:Envelope>
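Reading the result out of a response like the one above by hand works for twelve names but not for a long list, and a parser also has to notice when the service answers with a SOAP Fault instead of a result. The following is an added example, not code from the original post: it parses the response body shown above (reproduced inline as a constructed sample), returns the `<string>` values, and raises on a Fault. The `SAMPLE_FAULT` text is a constructed illustration of the SOAP 1.1 Fault shape, not captured output.

```python
"""Added example: parse an ASP.NET SOAP 1.1 response like the one above and
pull out the returned <string> values, or surface a SOAP Fault instead of
silently returning nothing. Not code from the original post."""
from typing import List
import xml.etree.ElementTree as ET

# Namespace prefixes used in the queries below. "svc" is the service's own
# namespace; this service still uses the http://tempuri.org/ default that the
# ASP.NET documentation page warns about.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "svc": "http://tempuri.org/",
}

# Constructed sample 1: the response body shown above, reproduced inline.
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>'
    '<GetPhysicianLastNamesResponse xmlns="http://tempuri.org/">'
    '<GetPhysicianLastNamesResult>'
    '<string>Acenas-Recientes</string><string>Agyemang</string>'
    '<string>Ahmed</string><string>Akhnoukh</string><string>Alacha</string>'
    '<string>Albano</string><string>Alvarez</string><string>Anthony</string>'
    '<string>Anthony-Yearwood</string><string>Antoine</string>'
    '<string>Arnau</string><string>Augustin</string>'
    '</GetPhysicianLastNamesResult></GetPhysicianLastNamesResponse>'
    '</soap:Body></soap:Envelope>'
)

# Constructed sample 2: a SOAP 1.1 Fault of the shape ASP.NET returns when a
# request cannot be processed (wording is illustrative, not captured output).
SAMPLE_FAULT = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>'
    '<faultstring>Server was unable to process request.</faultstring>'
    '</soap:Fault></soap:Body></soap:Envelope>'
)


class SoapFault(Exception):
    """Raised when the Body carries a <soap:Fault> instead of a result."""


def parse_soap_result(xml_text: str, operation: str) -> List[str]:
    """Return the <string> children of <{operation}Result> from a SOAP 1.1 envelope.

    Raises SoapFault if the service answered with a Fault and ValueError if the
    envelope has no Body or no matching result element. For responses from an
    untrusted server, swap ET for defusedxml.ElementTree to block entity
    expansion tricks; the stdlib parser is fine for the constructed sample here.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no soap:Body in response")

    fault = body.find("soap:Fault", NS)
    if fault is not None:
        # SOAP 1.1 fault children are unqualified, so no namespace prefix here.
        code = fault.findtext("faultcode", default="?")
        text = fault.findtext("faultstring", default="")
        raise SoapFault(f"{code}: {text}")

    result = body.find(f"svc:{operation}Response/svc:{operation}Result", NS)
    if result is None:
        raise ValueError(f"no {operation}Result element in response")
    return [s.text or "" for s in result.findall("svc:string", NS)]


if __name__ == "__main__":
    names = parse_soap_result(SAMPLE_RESPONSE, "GetPhysicianLastNames")
    print(f"{len(names)} names returned, first {names[0]!r}, last {names[-1]!r}")
    try:
        parse_soap_result(SAMPLE_FAULT, "GetPhysicianLastNames")
    except SoapFault as exc:
        print("fault:", exc)
```

The operation name is a parameter because the same `<Name>Response/<Name>Result/<string>` layout is what ASP.NET emits for any operation returning a string array, so the function applies to every operation listed on the '.asmx' page, not just the one shown.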

How do we take this a step farther? If the listed operations don't reveal any juicy info, let's replace our search string with a payload.
Within the Burp -> Repeater -> Request window, right-click and send the request to Intruder.
Click the Intruder tab and set our payload position (or fuzz point): click 'Clear' to remove the payload positions, then place your cursor between the 'prefixText' tags and click 'Add'.
POST /[File Name].asmx HTTP/1.1
Host: www.[host].com
Content-Type: text/xml; charset=utf-8
Content-Length: 381
SOAPAction: "http://tempuri.org/GetPhysicianLastNames"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetPhysicianLastNames xmlns="http://tempuri.org/">
      <prefixText>§§</prefixText>
    </GetPhysicianLastNames>
  </soap:Body>
</soap:Envelope>

Now we can experiment with various payload lists, built in or external.
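From the defender's side, the two phases described in this post leave a recognisable trail in the web server's access log: GET requests to the '.asmx' URL (the operation list, the '?op=' example pages, '?WSDL'), which a real SOAP client never makes, followed by a tight burst of POSTs from the same client to the same endpoint once the request is handed to Intruder. The following is an added example, not code from the original post, that flags both patterns. The log layout is a constructed, simplified W3C-style field order (an assumption, not a real IIS log), and the sample lines are constructed; the default IIS log does not record the SOAPAction header, so the detection keys on the URL path instead.

```python
"""Added example: spot WSDL/operation browsing and request bursts against an
.asmx endpoint in web-server access logs. Not code from the original post;
the log format below is a constructed, simplified W3C-style layout."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class LogEntry(NamedTuple):
    ts: datetime
    method: str
    path: str
    query: str   # "-" when the request carried no query string
    client: str
    status: int


# Assumed field order: date time method uri-stem uri-query client-ip status
def parse_line(line: str) -> LogEntry:
    date, time, method, path, query, client, status = line.split()
    return LogEntry(datetime.fromisoformat(f"{date} {time}"),
                    method, path, query, client, int(status))


def find_asmx_probing(lines, burst=10, window=timedelta(seconds=60)):
    """Return (kind, client, path, detail) findings.

    kind "doc-browse": a GET to an .asmx URL, which serves the human-readable
    operation list, the ?op= request examples or ?WSDL rather than a SOAP call.
    kind "burst": at least `burst` POSTs from one client to one .asmx URL
    inside `window`, the shape that fuzzing a single operation leaves behind.
    """
    findings: List[Tuple[str, str, str, str]] = []
    posts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for raw in lines:
        if not raw.strip() or raw.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        e = parse_line(raw)
        if not e.path.lower().endswith(".asmx"):
            continue
        if e.method == "GET":
            findings.append(("doc-browse", e.client, e.path,
                             f"{e.ts} query={e.query}"))
        elif e.method == "POST":
            posts[(e.client, e.path)].append(e.ts)

    # Sliding window over each client's POST timestamps to the same endpoint.
    for (client, path), stamps in posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst:
                findings.append(("burst", client, path,
                                 f"{end - start + 1} POSTs within {window} "
                                 f"starting {stamps[start]}"))
                break  # one finding per client/endpoint is enough
    return findings


# Constructed sample log: one client reads the operation page and an example,
# then hammers the operation; a second client makes two ordinary calls hours apart.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2013-12-18 10:00:01 GET /index.html - 203.0.113.7 200",
    "2013-12-18 10:00:02 GET /Service.asmx - 203.0.113.7 200",
    "2013-12-18 10:00:09 GET /Service.asmx op=GetPhysicianLastNames 203.0.113.7 200",
    "2013-12-18 10:05:00 POST /Service.asmx - 198.51.100.4 200",
    "2013-12-18 14:20:00 POST /Service.asmx - 198.51.100.4 200",
] + [f"2013-12-18 10:00:{30 + i:02d} POST /Service.asmx - 203.0.113.7 200"
     for i in range(12)]


if __name__ == "__main__":
    for kind, client, path, detail in find_asmx_probing(SAMPLE_LOG):
        print(f"{kind:10} {client:15} {path} {detail}")
```

The burst threshold and window are deliberately parameters: a busy integration partner can legitimately call one operation many times, so tune them against a baseline of known clients, and treat the GET-to-'.asmx' findings as the higher-signal indicator since nothing but a browser or a scanner fetches that page.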
