XML security-Web Services

Source: Internet
Author: User
Tags: sql injection methods

0x01 Introduction

Some time ago I ran into web service (WS) technology in the TRS system. Not long ago, while testing a xx hotel, I reached its database through a web service, and later I saw XML-related vulnerabilities in several app back ends and IoT systems, so I collected the related material as a technical summary. If there is an error in the text, please correct it.

0x02 What is WS?

A Web Service is a network-based, distributed, modular component that performs a specific task and conforms to specific technical specifications; those specifications let it interoperate with other compatible components. Web Services use SOAP and XML to extend these component models at the communication layer, removing the barriers between vendor-specific object models. Business data is carried over the web mainly with HTTP and SOAP: SOAP performs remote function calls on business objects over HTTP, so a web client can invoke remote objects using nothing more than SOAP over HTTP.

To put it simply, WS is HTTP + XML. The WS platform consists of three elements: SOAP, UDDI, and WSDL.

0x03 xml injection (soap injection)

The following scenarios are illustrative only; real vulnerabilities are always specific to their environment, and these patterns will not apply everywhere.

Scenario 1:

Vulnerability:

<?xml version="1.0" encoding="UTF-8"?>
<USER role="guest">attacker's code</USER>

PoC (the injected value closes the guest USER element and opens a second one with role="admin"):

A</USER><USER role="admin">B

Scenario 2:

Vulnerability:

If the field is changed to null, the error message that comes back reveals the loginid used for the logon:

Poc:

Result:

Scenario 3:

<transaction>
  <total>6000.00</total>
  <credit_card_number>12345</credit_card_number>  <!-- 12345 is attacker-controlled and can be used to override the <total> tag -->
  <expiration>01012008</expiration>
</transaction>

PoC:

12345</credit_card_number><total>1.00</total><credit_card_number>12345
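Scenario 1 and scenario 3 share one defect: user input is concatenated into the XML document as raw markup. The Python example below is added here and is not code from the original article; it rebuilds both documents the vulnerable way, parses the result the way a naive consumer would, and then builds the same documents with ElementTree, which escapes the markup characters so the value can never close or open an element. It assumes the USER element sits inside a USERS container (so the injected document stays well-formed XML), and the two consumer functions are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed payloads, copied from the two PoCs above.
USER_PAYLOAD = 'A</USER><USER role="admin">B'
TOTAL_PAYLOAD = '12345</credit_card_number><total>1.00</total><credit_card_number>12345'


# --- Scenario 1: USER element -------------------------------------------
# Vulnerable: the name is pasted into the markup unescaped. (Assumption: the
# USER element lives inside a USERS container so the output parses at all.)
def build_user_unsafe(name: str) -> str:
    return '<USERS><USER role="guest">%s</USER></USERS>' % name


# Hardened: ElementTree serialises the text node, so "<" becomes "&lt;" and
# the value stays inside the one element it was meant for.
def build_user_safe(name: str) -> str:
    users = ET.Element("USERS")
    user = ET.SubElement(users, "USER", role="guest")
    user.text = name
    return ET.tostring(users, encoding="unicode")


# Constructed consumer: every (role, name) pair the service would see.
def parse_users(xml_doc: str) -> list:
    root = ET.fromstring(xml_doc)
    return [(u.get("role"), u.text) for u in root.findall("USER")]


# --- Scenario 3: transaction total --------------------------------------
def build_transaction_unsafe(card_number: str) -> str:
    return (
        "<transaction><total>6000.00</total>"
        "<credit_card_number>%s</credit_card_number>"
        "<expiration>01012008</expiration></transaction>" % card_number
    )


def build_transaction_safe(card_number: str) -> str:
    tx = ET.Element("transaction")
    ET.SubElement(tx, "total").text = "6000.00"
    ET.SubElement(tx, "credit_card_number").text = card_number
    ET.SubElement(tx, "expiration").text = "01012008"
    return ET.tostring(tx, encoding="unicode")


# Constructed consumer that maps child tag -> text. With duplicate tags the
# last one wins, which is exactly what the injected second <total> exploits.
def parse_transaction(xml_doc: str) -> dict:
    root = ET.fromstring(xml_doc)
    return {child.tag: child.text for child in root}


if __name__ == "__main__":
    print(parse_users(build_user_unsafe(USER_PAYLOAD)))        # guest A plus an injected admin B
    print(parse_users(build_user_safe(USER_PAYLOAD)))          # one guest whose name is the raw payload
    print(parse_transaction(build_transaction_unsafe(TOTAL_PAYLOAD))["total"])  # 1.00
    print(parse_transaction(build_transaction_safe(TOTAL_PAYLOAD))["total"])    # 6000.00
```

The consumer side matters as much as the builder: a parser that keeps the last of several same-named children (as the dict comprehension does) is what turns the second <total> into the price actually charged, so rejecting duplicate children, or reading only the first, is a second line of defence.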

 

0x04 SQL injection and XPath injection

SQL injection targets the database behind the service. It is on the OWASP Top 10, is very common, and also occurs in web services; WooYun has a published case, "a platform system of Ansheng Tianping can be getshelled and injected (part 4)". SQL injection inside a web service is also easy to overlook. There is nothing special about exploiting it: the injection methods for each database are the same as for ordinary SQL injection.

XPath injection is rarely discussed on WooYun and there are few Chinese documents about it. Put simply, if XML is used as the database, XPath plays the role that SQL statements play. So when the server stores data in XML format and queries it with XPath, and the input parameters are not strictly filtered, XPath injection becomes possible. XPath injection has many techniques of its own, such as abusing XPath functions and combining it with XXE.

Take the following example:

<soapenv:Body>
  <web1:Login xmlns:web1="http://ws.ws.com/">
    <username>abc</username>
    <password>123</password>
  </web1:Login>
</soapenv:Body>

The normal XPath query is:

string(//Employee[username/text()='abc' and password/text()='123']/account/text()) 

If we control username or password and enter:

' or '1' = '1

Finally, the xpath query becomes:

string(//Employee[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text())

Besides bypassing the login, XPath injection has less obvious uses: for example, the doc() function can read arbitrary XML files, and doc() combined with XXE can read arbitrary files.
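The login query above is built by pasting username and password straight into the XPath string, which is why `' or '1' = '1` rewrites the predicate. The Python example below is added here and is not part of the original article: it extracts the two fields from a SOAP body like the one shown, builds the query the vulnerable way so the resulting string can be compared with the one above, and then builds it with a proper XPath 1.0 string literal (single or double quotes, or concat() when a value contains both) so that the value can never leave the literal. The SOAP 1.1 envelope namespace is the standard one; the web1 namespace and the Employee query are taken from the article, and the request is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 envelope namespace
    "web1": "http://ws.ws.com/",                             # service namespace from the article
}

QUERY = "string(//Employee[username/text()=%s and password/text()=%s]/account/text())"


def extract_login(envelope: str) -> tuple:
    """Pull username and password out of the web1:Login element of a SOAP body."""
    root = ET.fromstring(envelope)
    login = root.find("soapenv:Body/web1:Login", NS)
    if login is None:
        raise ValueError("no web1:Login element in SOAP body")
    return login.findtext("username", ""), login.findtext("password", "")


def build_login_query_unsafe(username: str, password: str) -> str:
    """The article's pattern: the values are dropped straight between the quotes."""
    return QUERY % ("'%s'" % username, "'%s'" % password)


def xpath_literal(value: str) -> str:
    """Encode any string as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside literals, so a value containing
    both ' and " has to be assembled with concat() from pieces that each use
    only one kind of quote.
    """
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in parts) + ")"


def build_login_query_safe(username: str, password: str) -> str:
    """Same query, but each value is confined to a literal."""
    return QUERY % (xpath_literal(username), xpath_literal(password))


# Constructed SOAP request carrying the article's payload in both fields.
PAYLOAD = "' or '1' = '1"
REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body>"
    '<web1:Login xmlns:web1="http://ws.ws.com/">'
    "<username>%s</username><password>%s</password>"
    "</web1:Login></soapenv:Body></soapenv:Envelope>"
) % (PAYLOAD, PAYLOAD)

if __name__ == "__main__":
    user, pw = extract_login(REQUEST)
    print(build_login_query_unsafe(user, pw))  # predicate now ends in "or '1' = '1'": always true
    print(build_login_query_safe(user, pw))    # the whole payload stays inside one "..." literal
```

Where the XPath engine supports it, binding variables is cleaner than building literals at all; lxml, for instance, accepts `tree.xpath("//Employee[username/text()=$u]", u=username)` and never interpolates the value into the expression.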

0x05 DoS and XXE

Why DoS and XXE? As mentioned above, a web service is essentially XML over HTTP, so XML-related vulnerabilities also appear in web services. Both XML DoS and XXE have been analyzed extensively:

DoS: oversized data (very long values) and tag flooding (very large numbers of repeated elements)

For example:

<transaction>
  <total>6000.00</total>
  <credit_card_number>12345</credit_card_number>
  <credit_card_number>qqqq</credit_card_number>
  <credit_card_number>qqqq</credit_card_number>
  <credit_card_number>qqqq</credit_card_number>
  <credit_card_number>qqqq</credit_card_number>
  ... (repeated many more times)
  <expiration>01012008</expiration>
</transaction>

For the XXE vulnerability, see the existing article: http://www.bkjia.com/Article/201503/384532.html
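
On the receiving side, both the tag flood above and an XXE payload can be stopped before the document is fully built by streaming it through a parser with limits. The Python example below is added here and is not from the original article or the linked one; it uses the standard-library expat parser to reject a payload that is too large, nests too deep, contains too many elements, or carries a DOCTYPE at all (the only place external entities and entity-expansion bombs can be declared). The limits and the sample documents are constructed for the example; the file path in the XXE sample is a placeholder.

```python
import xml.parsers.expat


class RejectedPayload(Exception):
    """Raised when an XML payload violates one of the limits."""


def check_xml_payload(data: bytes, max_bytes: int = 64 * 1024,
                      max_elements: int = 1000, max_depth: int = 32) -> dict:
    """Stream the payload through expat, enforcing size, element-count, depth
    and no-DOCTYPE limits. Returns counters on success, raises RejectedPayload
    otherwise. The default limits are example values (assumption), not a standard."""
    if len(data) > max_bytes:
        raise RejectedPayload("payload of %d bytes exceeds %d" % (len(data), max_bytes))

    stats = {"elements": 0, "max_depth": 0}
    depth = [0]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused: it is the only place entities can be declared.
        raise RejectedPayload("DOCTYPE declarations are not accepted (XXE / entity expansion)")

    def start_element(name, attrs):
        stats["elements"] += 1
        if stats["elements"] > max_elements:
            raise RejectedPayload("more than %d elements" % max_elements)
        depth[0] += 1
        if depth[0] > max_depth:
            raise RejectedPayload("nesting deeper than %d" % max_depth)
        stats["max_depth"] = max(stats["max_depth"], depth[0])

    def end_element(name):
        depth[0] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedPayload("malformed XML: %s" % exc)
    return stats


# Constructed samples.
NORMAL = (b"<transaction><total>6000.00</total>"
          b"<credit_card_number>12345</credit_card_number>"
          b"<expiration>01012008</expiration></transaction>")

# The tag flood from the article, generated rather than pasted (1200 copies).
FLOOD = (b"<transaction><total>6000.00</total>"
         + b"<credit_card_number>qqqq</credit_card_number>" * 1200
         + b"<expiration>01012008</expiration></transaction>")

# An external entity declaration of the kind XXE relies on (placeholder path).
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE transaction [<!ENTITY x SYSTEM "file:///placeholder">]>'
       b"<transaction><total>&x;</total></transaction>")

DEEP = b"<a>" * 40 + b"</a>" * 40


def verdict(data: bytes) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        check_xml_payload(data)
        return "ok"
    except RejectedPayload as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for label, doc in (("normal", NORMAL), ("flood", FLOOD), ("xxe", XXE), ("deep", DEEP)):
        print(label, "->", verdict(doc))
```

The byte-size check runs before any parsing, so the "long data" variant is cut off without touching the parser at all; the element and depth counters catch floods that fit under the size limit, and refusing every DOCTYPE is simpler and safer than trying to distinguish harmless internal subsets from entity definitions.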
0x06 Upload vulnerability

These are all very harmful vulnerabilities:

Upload vulnerability: a web service can accept attachment uploads, and a typical example is the TRS upload vulnerability.

0x07 Summary

From the attack methods above it is easy to see that they fall into two types:

1. XML-specific attack techniques;

2. Ordinary vulnerabilities (SQL injection, file upload, and other common flaws) that arise because data carried in a SOAP request is passed on to other functions or programs.

Vulnerabilities can therefore be exploited in many ways: different scenarios call for different methods, or for bypasses, used in combination. Only with a solid grasp of the basics can they be applied flexibly.
