Script http-axis2-dir-traversal
Script types: portrule
Categories: vuln, intrusive, exploit
Download: https://svn.nmap.org/nmap/scripts/http-axis2-dir-traversal.nse
Script Summary
Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (BID 40343). By default it will try to retrieve the configuration file of the Axis2 service, '/conf/axis2.xml', using the path '/axis2/services/', to return the username and password of the admin account.

To exploit this vulnerability we need a valid service running on the installation, so the script extracts one from /listServices before exploiting the directory traversal vulnerability. By default it retrieves the configuration file. To retrieve other files, set the argument http-axis2-dir-traversal.file so that it traverses to the file's directory. Ex. ../../../../../../../../../etc/issue
To check the version of an Apache Axis2 installation go to: http://domain/axis2/services/Version/getVersion
Reference:
Script Arguments
- http-axis2-dir-traversal.file
Remote file to retrieve
- http-axis2-dir-traversal.outfile
Output file
- http-axis2-dir-traversal.basepath
Basepath to the services page. Default: /axis2/services/
- slaxml.debug
See the documentation for the slaxml library.
- creds.[service], creds.global
See the documentation for the creds library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue' <host/ip>
nmap -p80 --script http-axis2-dir-traversal <host/ip>
Script Output
80/tcp open http syn-ack
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
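On the defending side, the request described in the Script Summary (an xsd parameter carrying ../ segments under /axis2/services/) can be found in web server access logs. The following is an added example, not part of the Nmap script or its documentation; the log lines are constructed, and the combined-log layout and the benign xsd=xsd0 request are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

BASEPATH = "/axis2/services/"  # default basepath named on this page
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /axis2/services/listServices HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2024:10:01:03 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 20480
198.51.100.7 - - [12/Mar/2024:10:01:09 +0000] "GET /axis2/services/Version?xsd=%2e%2e%2f%2e%2e%2fetc%2fissue HTTP/1.1" 404 27
203.0.113.20 - - [12/Mar/2024:10:02:00 +0000] "GET /axis2/services/Version?xsd=xsd0 HTTP/1.1" 200 900
"""

def fully_decode(value, rounds=3):
    # Repeat percent-decoding a bounded number of times so nested encoding is normalised.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def xsd_traversal(target):
    # Return the decoded xsd value if it has a '..' path segment, else None.
    url = urlsplit(target)
    if not url.path.lower().startswith(BASEPATH):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "xsd":
            value = fully_decode(value).replace("\\", "/")
            if ".." in value.split("/"):
                return value
    return None

def scan(log_text):
    # Return (client, status, decoded_xsd) for every flagged request line.
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        value = xsd_traversal(m.group(2)) if m else None
        if value is not None:
            hits.append((m.group(1), int(m.group(3)), value))
    return hits

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"{client} status={status} xsd={value}")
```

A flagged line with status 200 suggests the file was served, so the admin credentials in axis2.xml should be treated as exposed and changed.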
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html