http-axis2-dir-traversal

[Paulino Calderon <paulino () calderonpale com>]

Hi nmap-dev,

description = [[
http-axis2-dir-traversal exploits a directory traversal vulnerability in 
Apache Axis2 version 1.4.1 by sending a specially crafted request to the 
parameter <code>xsd</code> (OSVDB-59001). By default it will try to 
retrieve the configuration file of the Axis2 service 
<code>'/conf/axis2.xml'</code> using the path 
<code>'/axis2/services/'</code> to return the username and password of 
the admin account.

To exploit this vulnerability we need to detect a valid service running 
on the installation so we extract it from <code>/listServices</code> 
before exploiting the directory traversal vulnerability.
By default it will retrieve the configuration file if you wish to 
retrieve other files you may need to add more "/../" to traverse to the 
correct folder location.

To check the version of an Apache Axis2 installation go to:
http://domain/axis2/services/Version/getVersion

Reference:
* http://osvdb.org/show/osvdb/59001
* http://www.exploit-db.com/exploits/12721/
]]

---
-- @usage
-- nmap -p80,8080 --script http-axis2-dir-traversal --script-args 
'http-axis2-dir-traversal.file=' <host/ip>
--
-- @output
-- 80/tcp open  http    syn-ack
-- |_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
--
-- @args http-axis2-dir-traversal.file Remote file to retrieve
-- @args http-axis2-dir-traversal.outfile Output file
-- @args http-axis2-dir-traversal.basepath Basepath to the services 
page. Default: <code>/axis2/services/</c
ode>
--
-- Other useful arguments for this script:
-- @args http.useragent User Agent used in the GET requests
---


Feedback is welcomed as always.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Attachment: http-axis2-dir-traversal.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/