SOAP compatibility for SQLmap

posted Jun 25th 2010 9:00am by Mike Szczys
filed under: security hacks

[_coreDump] was doing some database vulnerability testing using SQLmap to automate the process. To his dismay, the package was unable to test using the Simple Object Access Protocol. Faced with having to manually test all of the SOAP vulnerabilities he decided to work some Python magic and add support. His solution allows SQLmap 0.8 to parses XML data from the SOAP protocol by modifying three files from the package. He’s made the diff files available if you need this functionality for your own security testing.

Comments [11]

tagged: injection, python, soap, sqlmap, xml

11 Responses to SOAP compatibility for SQLmap

lambda_bunker says:

June 25, 2010 at 10:53 am

I don’t think hackaday is a place for lame software haxing discussion so remove the article.

If I want to read crap like this I go to governmentsekurity.
TBH this sql injection he demonstrated is never comes into play irl, better time to be spent on coding new programs then try to find bugs in old ones.

Reply Report comment

Pogyhauler says:

June 25, 2010 at 11:57 am

“better time to be spent on coding new programs then try to find bugs in old ones”

He said that. Out loud, In public.

Like he could actually reinvent MySQL with a perfect security model that needed no validation.

Calls somebody elses effort ‘lame’.
Makes an anonymous demand that he apparently thinks is not only useful but effective.
And demonstrates a mental defect. all in two (deficient)paragraphs.

Why does the phrase “A danger to himself and others” come to mind?

Reply Report comment

Drone says:

June 25, 2010 at 12:13 pm

This is a welcome post HaD. More like this please. SQL and in-particular SQLlite are appearing more and more in server-capable devices; and at a higher layer SOAP is becoming prolific too in mesh connected apps. A different, albeit not new IMHO (PERL is your friend) technique for hammering an SQL site for injection vulnerability is interesting. Again, more like this once in a while. But watch out for the DMCA (et.al.) Monsters lurking in the background.

Reply Report comment

fotoflojoe says:

June 25, 2010 at 1:38 pm

>>He said that. Out loud, In public.<<
@Pogyhauler: You made me laugh!
@lambda_bunker: taht means I is LOL'ed at u.

Reply Report comment

greycode says:

June 25, 2010 at 1:49 pm

Bring on software hacks, this is something I can actually do. And SQL and SQL like products are everywhere, there is a very very good reason to test for vulnerabilities in your databases. Not testing leaves you on the front page of a newspaper because you let a hacker take 3.3 million peoples credit card information. All ascending sorted for your query viewing pleasure. On the reverse side, not hacking will not get you 3.3 million peoples credit card information.

People, please, there are going to be things here that you are not going to enjoy. If you don’t like this one just glide on by to the next one. But someone is going to enjoy it almost certainly.

Going “Uggh uggh groomp, you take it down, Grogg says to, you listen to Grogg,” is not going to get the article taken down in my experience. The way I have been seeing things here is that once they are up, they are up, and only if someone asks a question or make a valid comment do the guys who put it up even comment on it. Once it is up there, it stays up and is only changed to make a grammatical mistake correction. Or sometimes a clarification.

Reply Report comment

Jason says:

June 25, 2010 at 4:03 pm

You know what occurs to me? What the heck is the point of you people bitching about this or that not being a hack? Have you ever seen the staff reply with “Oh sorry, we’ll pull that!” ? No. That’s cause they don’t care. They have in-enviable job of putting up several new posts per day that are interesting and/or useful so deal with it.

If you just absolutely must have a new hack … document one.

Reply Report comment

therian says:

June 25, 2010 at 4:07 pm

In a year from now this will be the only type of articles on HaD

Reply Report comment

greycode says:

June 25, 2010 at 5:20 pm

@ therian I doubt that, the site is pretty well rounded aside from when Arduino was every single thing. Now even the Arduino stuff is here and there.

So much of what is on this site are people with a laser tight focus on a project. Dedication is hard to fake. And when people are as dedicated as they are here, most of these projects are out of reach for the normal person. So when something comes on here, it is going to excite some, bore some. Just look on the side bar, SOMETHING there has got to interest you. If not, make something and get HaD to link you up.

Reply Report comment

gregor says:

June 25, 2010 at 8:45 pm

this is actually going to make my job a lot easier!

At work we’re getting new products and we’ll need to test this way. I already use SQLmap so this is going to help out quite a bit!

thanks HAD

Reply Report comment

blue carbuncle says:

June 26, 2010 at 5:22 am

This better not mess up my Weather.com SOAP temperature scraper scripty lol. But yeah, SQL needs a major douching and needs to be shamed with its pants around its ankles for compromising security with ease. That and on any given day, I generally find nearly 60 parsing/implementing errors in my daily webtravels done by first years for companies that want to underpay their IT staff. asp and php shouldn’t laugh so fast. They are next lol. I need a faster coffee maker lol. Saw SQL and my eyes clouded over with furystration.