-
Notifications
You must be signed in to change notification settings - Fork 0
auxiliary enum soap_request
cktricky
This forms a single soap request in the appropriate envelope and displays the response.
PARAM true The parameter which corresponds to the action
PASS false Specify a password
PROXYA false Proxy IP Address
PROXYP false Proxy Port Number
RACTION true Remote Action. Ex: GetUserID
RURL http://www.example.com/test.php true Target address
USER false Specify a username
VALUE true Value to assign the parameter within the SOAP envelope
This is how the request looks, this helps to demonstrate which of the options corresponds to an item in the request:
POST /WebGoat/services/WSDLScanning HTTP/1.1
Accept: */*
Content-Type: text/xml;charset=UTF-8
Soapaction: getCreditCard
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Length: 264
Host: 172.16.64.132:8088
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:wsdl="http://172.16.64.132:8088/WebGoat/services/WSDLScanning"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><wsdl:getCreditCard><id>101</id></wsdl:getCreditCard>
</env:Body></env:Envelope>
PARAM -- In the request above, param comprises the <id></id>
portion of the XML structure. The param and value pair are no different from most web protocol requests in that they go hand in hand.
VALUE -- The 101 value, between the <id></id>
tags, is our VALUE option. To summarize:
set PARAM id
set VALUE 101
RACTION -- RACTION or Remote Action, comprises the <wsdl:getCreditCard and </wsdl:getCreditCard>
tags. You can provide either camelCase or snake_case. Example:
set RACTION getCreditCard
set RACTION get_credit_card
USER -- USER is the username that you'd like to provide for basic authentication.
PASS -- PASS is the password for basic authentication.
(both of these options make up the Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
value shown in the request)
set USER guest
set PASS guest
RURL -- RURL is generally not module specific but in this case it is to a degree. You need to provide the URL of the WSDL file OR a SOAP endpoint. Example:
set RURL http://172.16.64.132:8088/WebGoat/services/WSDLScanning?WSDL
The site www.example.com has a WSDL located at /ws/Proservices?WSDL. No username or password required. After using the module auxiliary/enum/wsdl_action_enum we've determined a get_user_id action exists. We want to test a known user id of 103. We have viewed the WSDL manually and determined that a uid parameter exists. Lets set the options:
set https://www.example.com/ws/Proservices?WSDL
set RACTION get_user_id
set PARAM uid
set VALUE 103
run