We have to intercept the request of WSDL in Burp. Follow these steps to do so:

1. Right-click the request and select Parse WSDL:

2. Switch to the Wsdler tab and you will see all the service calls. We can review the complete request by clicking on it:

3. To be able to play around with it, we need to send it to the repeater:

4. Right-click and select Send to Repeater:

5. Putting a single quote in tem:json throws an error. And voila! We have an SQL Injection:

6. The following screenshot shows the response of the server with the SQL error:

7. We will learn more about exploiting SQL in Chapter 4, Web App Exploitation – Beyond OWASP Top 10.