File http-axis2-dir-traversal
Script types:
portrule
Categories:
vuln, intrusive, exploit
Download: http://nmap.org/svn/scripts/http-axis2-dir-traversal.nse
User Summary
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.
To exploit this vulnerability we need to detect a valid service running on the installation so we extract it from /listServices before exploiting the directory traversal vulnerability.
By default it will retrieve the configuration file, if you wish to retrieve other files you need to set the argument http-axis2-dir-traversal.file correctly to traverse to the file's directory. Ex. ../../../../../../../../../etc/issue
To check the version of an Apache Axis2 installation go to: http://domain/axis2/services/Version/getVersion
Reference:
Script Arguments
http-axis2-dir-traversal.file
Remote file to retrieve
http-axis2-dir-traversal.outfile
Output file
http-axis2-dir-traversal.basepath
Basepath to the services page. Default: /axis2/services/
Other useful arguments for this script:
http.useragent
User Agent used in the GET requests
http-max-cache-size, http.pipeline
See the documentation for the http library.Example Usage
nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue' <host/ip> nmap -p80 --script http-axis2-dir-traversal <host/ip>
Script Output
80/tcp open http syn-ack |_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
Requires
Author: Paulino Calderon
License: Same as Nmap--See http://nmap.org/book/man-legal.html
