File http-axis2-dir-traversal

Script types: portrule
Categories: vuln, intrusive, exploit
Download: http://nmap.org/svn/scripts/http-axis2-dir-traversal.nse

User Summary

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the xsd parameter (OSVDB-59001). By default it tries to retrieve the Axis2 configuration file '/conf/axis2.xml' through the path '/axis2/services/' and returns the username and password of the admin account.

To exploit this vulnerability the script needs a valid service running on the installation, so it extracts one from /listServices before exploiting the directory traversal vulnerability. By default it retrieves the configuration file; to retrieve other files, set the argument http-axis2-dir-traversal.file so that it traverses to the file's directory. Ex. ../../../../../../../../../etc/issue

To check the version of an Apache Axis2 installation go to: http://domain/axis2/services/Version/getVersion
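
For defenders, the request pattern described above (a /listServices lookup followed by an xsd value that traverses directories) can be found in web server access logs. The following is an added example, not part of the Nmap script or its documentation; it assumes the Apache/nginx "combined" log format, and the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: "combined" access-log format; captures client, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
BASEPATH = "/axis2/services/"  # the script's default basepath; adjust to your deployment

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_xsd_traversal(target):
    """True if the target is under BASEPATH and its xsd value contains a '..' segment."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).startswith(BASEPATH):
        return False
    # parse_qs decodes one layer; fully_decode strips any further layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("xsd", []):
        value = fully_decode(raw).replace("\\", "/")
        if ".." in value.split("/"):
            return True
    return False

def scan(lines):
    """Return (client, target, status, listed_first) per hit; status 200 suggests the file was served."""
    listed, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        if fully_decode(urlsplit(target).path).rstrip("/").endswith("/listServices"):
            listed.add(client)  # service enumeration seen from this client
        elif is_xsd_traversal(target):
            hits.append((client, target, status, client in listed))
    return hits

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /axis2/services/listServices HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:11:00:00 +0000] "GET /axis2/services/Version?xsd=%252e%252e%252fconf%252faxis2.xml HTTP/1.1" 404 310 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:12:00:00 +0000] "GET /axis2/services/Version?xsd=xsd0 HTTP/1.1" 200 900 "-" "Java/1.8"',
]
```

A hit with status 200 whose client also requested /listServices beforehand is the highest-priority finding; if the configuration file was served, treat the Axis2 admin credentials as exposed and rotate them.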

Reference:

Script Arguments

http-axis2-dir-traversal.file

Remote file to retrieve

http-axis2-dir-traversal.outfile

Output file

http-axis2-dir-traversal.basepath

Basepath to the services page. Default: /axis2/services/

Other useful arguments for this script:

http.useragent

User Agent used in the GET requests

http.max-cache-size, http.max-pipeline, http.pipeline

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue' <host/ip>
nmap -p80 --script http-axis2-dir-traversal <host/ip>

Script Output

80/tcp open  http    syn-ack
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2

Requires


Author: Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html
