Nmap Development mailing list archives
http-axis2-dir-traversal
From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 15 Jul 2011 18:22:50 -0700
Hi nmap-dev,

description = [[
http-axis2-dir-traversal exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter <code>xsd</code> (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service <code>'/conf/axis2.xml'</code> using the path <code>'/axis2/services/'</code> to return the username and password of the admin account.

To exploit this vulnerability we need to detect a valid service running on the installation so we extract it from <code>/listServices</code> before exploiting the directory traversal vulnerability.
By default it will retrieve the configuration file. If you wish to retrieve other files you may need to add more "/../" to traverse to the correct folder location.

To check the version of an Apache Axis2 installation go to:
http://domain/axis2/services/Version/getVersion

Reference:
* http://osvdb.org/show/osvdb/59001
* http://www.exploit-db.com/exploits/12721/
]]

---
-- @usage
-- nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=' <host/ip>
--
-- @output
-- 80/tcp open http syn-ack
-- |_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2
--
-- @args http-axis2-dir-traversal.file Remote file to retrieve
-- @args http-axis2-dir-traversal.outfile Output file
-- @args http-axis2-dir-traversal.basepath Basepath to the services page. Default: <code>/axis2/services/</code>
--
-- Other useful arguments for this script:
-- @args http.useragent User Agent used in the GET requests
---

Feedback is welcomed as always.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon
Attachment:
http-axis2-dir-traversal.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
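Added example, not part of the original post or of the attached script: a detection sketch that scans web access logs for requests to the Axis2 services path whose <code>xsd</code> parameter contains a traversal segment, including percent-encoded forms. The log format (common/combined), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Default base path named in the post; change it if the services page lives elsewhere.
BASEPATH = "/axis2/services/"
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." appearing as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%2e%2e, %252e, ...)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def xsd_traversal(target, basepath=BASEPATH):
    """Return the decoded xsd value if the request target carries traversal, else None."""
    parts = urlsplit(target)
    if not fully_unquote(parts.path).lower().startswith(basepath.lower()):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "xsd":
            decoded = fully_unquote(value)
            if TRAVERSAL_RE.search(decoded):
                return decoded
    return None

def scan(lines):
    """Yield (client, decoded xsd value) for each suspicious log line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        hit = xsd_traversal(m.group(1)) if m else None
        if hit is not None:
            yield line.split(" ", 1)[0], hit

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2011:18:00:01 -0700] "GET /axis2/services/listServices HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Jul/2011:18:00:02 -0700] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 9876',
    '198.51.100.7 - - [15/Jul/2011:18:05:00 -0700] "GET /axis2/services/Version?xsd=%2e%2e%2fconf%2faxis2.xml HTTP/1.1" 200 9876',
    '203.0.113.5 - - [15/Jul/2011:18:06:00 -0700] "GET /axis2/services/Version?xsd=xsd0 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} xsd={value}")
```

A hit with a 200 response on a request for the configuration file is a reason to rotate the Axis2 admin credentials as well as to upgrade the installation.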