SOAP compatibility for SQLmap

[_coreDump] was doing some database vulnerability testing using SQLmap to automate the process. To his dismay, the package was unable to test using the Simple Object Access Protocol. Faced with having to manually test all of the SOAP vulnerabilities he decided to work some Python magic and add support. His solution allows SQLmap 0.8 to parses XML data from the SOAP protocol by modifying three files from the package. He’s made the diff files available if you need this functionality for your own security testing.

Comments

  1. lambda_bunker says:

    I don’t think hackaday is a place for lame software haxing discussion so remove the article.

    If I want to read crap like this I go to governmentsekurity.
    TBH this sql injection he demonstrated is never comes into play irl, better time to be spent on coding new programs then try to find bugs in old ones.

  2. Pogyhauler says:

    “better time to be spent on coding new programs then try to find bugs in old ones”

    He said that. Out loud, In public.

    Like he could actually reinvent MySQL with a perfect security model that needed no validation.

    Calls somebody elses effort ‘lame’.
    Makes an anonymous demand that he apparently thinks is not only useful but effective.
    And demonstrates a mental defect. all in two (deficient)paragraphs.

    Why does the phrase “A danger to himself and others” come to mind?

  3. Drone says:

    This is a welcome post HaD. More like this please. SQL and in-particular SQLlite are appearing more and more in server-capable devices; and at a higher layer SOAP is becoming prolific too in mesh connected apps. A different, albeit not new IMHO (PERL is your friend) technique for hammering an SQL site for injection vulnerability is interesting. Again, more like this once in a while. But watch out for the DMCA (et.al.) Monsters lurking in the background.

  4. fotoflojoe says:

    >>He said that. Out loud, In public.<<
    @Pogyhauler: You made me laugh!
    @lambda_bunker: taht means I is LOL'ed at u.

  5. greycode says:

    Bring on software hacks, this is something I can actually do. And SQL and SQL like products are everywhere, there is a very very good reason to test for vulnerabilities in your databases. Not testing leaves you on the front page of a newspaper because you let a hacker take 3.3 million peoples credit card information. All ascending sorted for your query viewing pleasure. On the reverse side, not hacking will not get you 3.3 million peoples credit card information.

    People, please, there are going to be things here that you are not going to enjoy. If you don’t like this one just glide on by to the next one. But someone is going to enjoy it almost certainly.

    Going “Uggh uggh groomp, you take it down, Grogg says to, you listen to Grogg,” is not going to get the article taken down in my experience. The way I have been seeing things here is that once they are up, they are up, and only if someone asks a question or make a valid comment do the guys who put it up even comment on it. Once it is up there, it stays up and is only changed to make a grammatical mistake correction. Or sometimes a clarification.

  6. Jason says:

    You know what occurs to me? What the heck is the point of you people bitching about this or that not being a hack? Have you ever seen the staff reply with “Oh sorry, we’ll pull that!” ? No. That’s cause they don’t care. They have in-enviable job of putting up several new posts per day that are interesting and/or useful so deal with it.

    If you just absolutely must have a new hack … document one.

  7. therian says:

    In a year from now this will be the only type of articles on HaD

  8. greycode says:

    @ therian I doubt that, the site is pretty well rounded aside from when Arduino was every single thing. Now even the Arduino stuff is here and there.

    So much of what is on this site are people with a laser tight focus on a project. Dedication is hard to fake. And when people are as dedicated as they are here, most of these projects are out of reach for the normal person. So when something comes on here, it is going to excite some, bore some. Just look on the side bar, SOMETHING there has got to interest you. If not, make something and get HaD to link you up.

  9. gregor says:

    this is actually going to make my job a lot easier!

    At work we’re getting new products and we’ll need to test this way. I already use SQLmap so this is going to help out quite a bit!

    thanks HAD

  10. blue carbuncle says:

    This better not mess up my Weather.com SOAP temperature scraper scripty lol. But yeah, SQL needs a major douching and needs to be shamed with its pants around its ankles for compromising security with ease. That and on any given day, I generally find nearly 60 parsing/implementing errors in my daily webtravels done by first years for companies that want to underpay their IT staff. asp and php shouldn’t laugh so fast. They are next lol. I need a faster coffee maker lol. Saw SQL and my eyes clouded over with furystration.

  11. Whatnot says:

    Wasn’t SOAP abandoned years ago?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,376 other followers