August 23rd, 2024
Our client tasks us with assessing a SOAP web service whose WSDL file resides at http://<TARGET IP>:3002/wsdl?wsdl.
Assess the target, identify an SQL Injection vulnerability through SOAP messages and answer the question below.
Submit the password of the user that has a username of “admin”. Answer format: FLAG{string}. Please note that the service will respond successfully only after submitting the proper SQLi payload, otherwise it will hang or throw an error.
No responses when trying to fuzz, so I'm working straight from the WSDL itself, meaning I will need to review it to understand its elements.
ffuf -w "/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt" -u 'http://10.129.202.133:3002/wsdl?wsdl=FUZZ' -fs 0
I found that one of the soapAction operation values was set to Login, which led me to look for what this operation did.
A POST request will be crafted, with a header that contains the Login soapAction operation. Now I need to understand what the Login operation actually does once it is called in my POST request.
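Reviewing the WSDL by hand can be backed by a short script that lists every bound operation with its soapAction value and the input message parts it expects. This is an added example, not part of the original writeup; the sample WSDL below is constructed, and the Status operation, the message names, and the example.test namespace are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted WSDLs, defusedxml is the safer parser

# Standard WSDL 1.1 and SOAP 1.1 binding namespaces
NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed sample, not the target's real WSDL
SAMPLE_WSDL = """
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.test/svc" targetNamespace="http://example.test/svc">
  <wsdl:message name="LoginSoapIn">
    <wsdl:part name="parameters" element="tns:LoginRequest"/>
  </wsdl:message>
  <wsdl:message name="StatusSoapIn">
    <wsdl:part name="parameters" element="tns:StatusRequest"/>
  </wsdl:message>
  <wsdl:portType name="SvcSoap">
    <wsdl:operation name="Login"><wsdl:input message="tns:LoginSoapIn"/></wsdl:operation>
    <wsdl:operation name="Status"><wsdl:input message="tns:StatusSoapIn"/></wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="SvcSoapBinding" type="tns:SvcSoap">
    <wsdl:operation name="Login"><soap:operation soapAction="Login"/></wsdl:operation>
    <wsdl:operation name="Status"><soap:operation soapAction="Status"/></wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>
"""

def list_operations(wsdl_text):
    """Return one dict per bound operation: name, soapAction, input message parts."""
    root = ET.fromstring(wsdl_text)
    # message name -> list of part elements (or part names when no element is given)
    parts = {m.get("name"): [p.get("element") or p.get("name")
                             for p in m.findall("wsdl:part", NS)]
             for m in root.findall("wsdl:message", NS)}
    # portType operation name -> input message name, with the namespace prefix removed
    inputs = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS)
        inputs[op.get("name")] = inp.get("message").split(":")[-1] if inp is not None else None
    result = []
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        result.append({"operation": op.get("name"),
                       "soapAction": soap_op.get("soapAction") if soap_op is not None else None,
                       "input_parts": parts.get(inputs.get(op.get("name")), [])})
    return result

if __name__ == "__main__":
    for entry in list_operations(SAMPLE_WSDL):
        print(entry)
```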