Script http-axis2-dir-traversal

Script types: portrule
Categories: vuln, intrusive, exploit

Script Summary

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (BID 40343). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.

To exploit this vulnerability we need to detect a valid service running on the installation so we extract it from /listServices before exploiting the directory traversal vulnerability. By default it will retrieve the configuration file, if you wish to retrieve other files you need to set the argument http-axis2-dir-traversal.file correctly to traverse to the file's directory. Ex. ../../../../../../../../../etc/issue

To check the version of an Apache Axis2 installation go to: http://domain/axis2/services/Version/getVersion


Script Arguments


Remote file to retrieve


Output file


Basepath to the services page. Default: /axis2/services/


See the documentation for the slaxml library.


See the documentation for the creds library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue' <host/ip>
nmap -p80 --script http-axis2-dir-traversal <host/ip>

Script Output

80/tcp open  http    syn-ack
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2



  • Paulino Calderon <>

License: Same as Nmap--See