Bad Code and Microsoft Web Services

Microsoft gives out way too much info with its web services. Simply dorking for ‘asmx’ files turns up plenty of web service test pages.

My favorite ones are the ones that don’t even bother to make sure you’re on localhost to return info:

http://mapserv.utah.gov/WSUTSGID_FeatureAttributes/default.asmx?op=GetFeatureAttributes_wsdlTest

It reminds me of the mail server I was reversing looking for bugs. Their software protection was meager and their registry key was checked against a web service (just found a random asmx link in the binary). Like the link above, it didn’t bother making sure I was on the localhost before returning data. What’s better was, since it gave me all of the parameters, I was able to construct a dummy web service on my localhost that ALWAYS returned true when I passed the serial number to it.

What does this mean? More and more software is utilizing web services for interaction between desktop applications and server-based code. Don’t get me wrong, it’s a great little concept, and C# makes it SO GOD DAMN EASY to do (connecting to web services, that is) it’s disgusting.

<%@ WebService Language="C#" Class="FirstService" %>

  using System;
  using System.Web.Services;
  using System.Xml.Serialization;

  [WebService(Namespace="http://localhost/MyWebServices/")]
  public class FirstService : WebService
  {
      [WebMethod]
      public int Add(int a, int b)
      {
          return a + b;
      }

      [WebMethod]
      public String SayHello()
      {
          return "web services yo";
      }
  }

That’s it, that’s all the code you need. As for instantiating it, all you gotta do is use the special form within Visual Studio to connect, then just call it like any other object. Borrowing from MSDN, the web service in this case is just a temperature converter.

using System;
namespace Application1
{
   class Class1
   {
      static void Main()
      {
         Converter.Service1 cService = new Converter.Service1();
         Console.WriteLine("Temperature in degrees Fahrenheit: ");
         double dFahrenheit = Convert.ToDouble(Console.ReadLine());
         double dCelsius = cService.ConvertTemperature(dFahrenheit);
         Console.Write("Temperature in degrees Celsius: ");
         Console.WriteLine(dCelsius.ToString());
      }
   }
}

 

Not much to it, eh? Well, let’s take it a step further. Here’s an example of a web service which fails hard and is vulnerable to blind SQLI:

<%@ WebService Language="C#" Class="FirstService" %>

  using System;
  using System.Data.SqlClient;
  using System.Diagnostics;
  using System.Web.Services;
  using System.Xml.Serialization;

  [WebService(Namespace="http://localhost/MyWebServices/")]
  public class FirstService : WebService
  {
      [WebMethod]
      public void fail(string id)
      {
          SqlConnection myConnection = new SqlConnection("user id=username;" +
                                       "password=password;server=serverurl;" +
                                       "Trusted_Connection=yes;" +
                                       "database=database; " +
                                       "connection timeout=30");
          myConnection.Open();
          // Vulnerable: id is concatenated straight into the SQL text
          SqlCommand myCommand = new SqlCommand("SELECT username,password FROM users where userid = " + id, myConnection);
          myCommand.ExecuteNonQuery();
          myConnection.Close();
      }

      [WebMethod]
      public String execfail(string cmd)
      {
          // Vulnerable: the caller's string is started as a process on the server
          Process p = new Process();
          p.StartInfo.FileName = cmd;
          p.StartInfo.UseShellExecute = false;
          p.StartInfo.RedirectStandardOutput = true;
          p.Start();
          string output = p.StandardOutput.ReadToEnd();
          p.WaitForExit();
          return output;
      }
  }

 

These two examples, while contrived as all hell, demonstrate how easy it is to fail HARD at web services. Now imagine, as in my earlier examples, there’s no check for localhost on the web service. All you have to do is cruise over to fail.asmx and you’ll see the parameters, function name, and even a little box to ‘test’.
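A hardened counterpart to fail() above, as an added example that is not from the original post. The class name HardenedService, the method UserExists and the connection string name UsersDb are assumptions; execfail() has no safe equivalent while the caller supplies the command, so it is dropped rather than rewritten.

```csharp
// .asmx directive for this file: <%@ WebService Language="C#" Class="HardenedService" %>
//
// The generated help/test page is controlled in web.config, not in code:
//   <system.web><webServices><protocols>
//     <remove name="Documentation"/>
//   </protocols></webServices></system.web>
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

[WebService(Namespace = "http://localhost/MyWebServices/")]
public class HardenedService : WebService
{
    // The parameter is an int, not a string: a non-numeric value fails
    // deserialization and never reaches the query.
    [WebMethod]
    public bool UserExists(int id)
    {
        // "UsersDb" is a hypothetical connection string name defined in web.config,
        // so credentials stay out of the source file.
        string cs = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
                   "SELECT COUNT(*) FROM users WHERE userid = @id", conn))
        {
            // The value travels as a typed parameter, never as part of the SQL text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();

            // Only a yes/no answer leaves the service; no username or password columns.
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```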

 

I love you, Microsoft. Keep on failing.
