After many hours spent looking for the suitable library, I've decided to use savon with ruby 1.8.7 (DON'T USE RUBY 1.9.1, it won't work).
First I had to convert 1 p12 certificate into 2 pem:
openssl pkcs12 -in global.p12 -out global.pem
Then we cut the private key part from global pem and copy it into protected_key.pem
and issue the command:
(you gotta provide the password of your private key)
mv global.pem cert.pem
openssl rsa -in protected_key.pem -out key.pem
The we can finally write the ruby code:
require 'rubygems'
require 'savon'
client = Savon::Client.new "https://example.com/services?wsdl"
client.request.http.ssl_client_auth(
:cert = OpenSSL::X509::Certificate.new(File.read("cert.pem")),
:key = OpenSSL::PKey::RSA.new(File.read("key.pem")),
:key = OpenSSL::PKey::RSA.new(File.read("key.pem")),
:verify_mode => OpenSSL::SSL::VERIFY_NONE
)
#BASIC AUTHENTICATION
client.request.basic_auth "User", "Password"
puts client.wsdl.soap_actions
#puts client.wsdl.namespace_uri
#don't forget @inorder otherwise the client will send you key values in a different sequence
different from #the one you wrote down
response = client.add_customer do |soap|
soap.body = {
:id =111,
:tel =1233,
:issuer =asder,
:payment_mode =1,
:alias =asd,
:@inorder = [:id, :tel, :issuer, :payment_mode, :alias]
}
end
puts response.to_xml
Finally you have to add some permutation to your values to make it a real soap fuzzer.
You can start by getting the file all_attacks.txt used by from WSFuzzer
No comments:
Post a Comment