
File http-axis2-dir-traversal

Script types: portrule
Categories: vuln, intrusive, exploit
Download: http://nmap.org/svn/scripts/http-axis2-dir-traversal.nse

User Summary

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the xsd parameter (OSVDB-59001). By default it tries to retrieve the configuration file of the Axis2 service, '/conf/axis2.xml', using the path '/axis2/services/', and returns the username and password of the admin account.

Exploiting this vulnerability requires a valid service running on the installation, so the script extracts one from /listServices before exploiting the directory traversal vulnerability. By default it retrieves the configuration file; to retrieve other files, set the argument http-axis2-dir-traversal.file so that it traverses to the file's directory. Ex. ../../../../../../../../../etc/issue

To check the version of an Apache Axis2 installation, go to: http://domain/axis2/services/Version/getVersion

Reference:

Script Arguments

http-axis2-dir-traversal.file

Remote file to retrieve

http-axis2-dir-traversal.outfile

Output file

http-axis2-dir-traversal.basepath

Basepath to the services page. Default: /axis2/services/

Other useful arguments for this script:

http.useragent

User Agent used in the GET requests

http.max-cache-size, http.max-pipeline, http.pipeline

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue' <host/ip>
nmap -p80 --script http-axis2-dir-traversal <host/ip>

Script Output

80/tcp open  http    syn-ack
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
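
A defender-side check for the request pattern described in the User Summary, as an added example that is not part of the Nmap script or this page: it scans web-server access logs for requests under the services base path whose xsd parameter contains a '..' segment, undoing repeated percent-encoding first. The log lines are constructed samples; the combined log format, the request shape and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /axis2/services/listServices HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /axis2/services/Version?xsd=%2e%2e%2f%2e%2e%2fetc%2fissue HTTP/1.1" 200 27 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:14:02:10 +0000] "GET /axis2/services/Version?xsd=xsd0 HTTP/1.1" 200 812 "-" "Java/1.8"
198.51.100.9 - - [10/Oct/2023:14:03:11 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 3021 "-" "Java/1.8"
"""

# client address, request target and status code from one log line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xsd_traversal(log_text, basepath="/axis2/services/"):
    """Return (client, path, decoded xsd value, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        path = fully_decode(url.path)
        if not path.startswith(basepath):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value).replace("\\", "/")
            # A legitimate xsd value names a schema; it never needs a '..' segment.
            if name.lower() == "xsd" and ".." in value.split("/"):
                hits.append((client, path, value, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_xsd_traversal(SAMPLE_LOG):
        print(hit)
```

A hit logged with status 200 means the server answered the request, so the named file and any credentials in it should be treated as disclosed.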

Requires


Author: Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html
