Intrusion WebService website with Axis2 default password security vulnerability

Recently, in the black bar security online attention to the use of a fewAxis2The default password for penetration testing cases, everyone's infiltration ideas are basically consistent, the use of technical tools are roughly the same, I summed up these cases based on the development of technical ideas.
Black Bar Safety netAxis2Default password security vulnerability Utilization case:
Aviation safety of Sichuan Airlines a system vulnerability caused getshell (affecting more than 60 intranet Host security \ Visual inspection has been infiltrated by others)
A server for Lok Shun TongAxis2Service exists weak password can upload Webshell (root permission)
Chinese Academy of Sciences Network Web-services (Axis2) System arbitrary Code execution
Tool Preparation:
Axis2Using the toolkit: Cat.arr
JSP a word Trojan
Server-Side A word trojan code:
Client Commit code:

Your code


JSP Big Horse
Big horse I will not publish, if necessary can send me QQ mailbox [email protected] request.
URL Encoding Tool
I use the small Kwai transcoding, can also use the online transcoding tool
Infiltration process:
The first step is to confirm the target WebService site background URL address.
The backstage address I built locally is http://10.10.10.138:8080/.Axis2/Axis2-admin/, according to WebService deployment experience, directly deployed in the root directory of the site is also more, the background address is more than http://*.*.*:8080/Axis2-web/. Click Administration to enterAxis2Background login interface, enter the default password admin/Axis2, if the password has not been changed, you can successfully enter the background management interface.



The second step, click on the left "Upload Service" upload Cat.arr, this arr package is actually a horse, we mainly use this network horse to get the Web application path, write files these two functions.
After the Cat tool uploads successfully, click on the left "Available service" to see the uploaded service item "Cat".
Get the current application path on the client using the Getclasspath function of this web horse
http://10.10.10.137:8080/Axis2/services/cat/getclasspath

Use the file write function to get to the Web application path to write server-side JSP a word trojan, note here need to be a word trojan code into a URL code, in addition to add content in the URL when attention is not allowed to change the line, copy paste to pay special attention.
http://10.10.10.137:8080/Axis2/services/cat/writestringtofile?data=%253c%25if%28request.getparameter%28%25e2%2580%259cf%25e2%2580%259d%29!% 3dnull%29%28new%2520java.io.fil&file=/c:/program%20files/apache%20software%20foundation/tomcat%207.0/ webapps/Axis2/1.jsp&encoding=utf-8&append=false

The third step, the use of JSP a word Trojan client submission code written to JSP big horse. In the submission form, fill in the JSP Big Horse code, click Submit. Note here that you modify the JSP in the client submission code in a word, the Trojan file path and the JSP big horse filename to be written.

Fourth step, access the uploaded horse, you can get the Web application server control permissions.

Safety Reinforcement Method:
ModifyAxis2Default account name and password, located inAxis2In the Conf.xml document, modify the following two lines of code.
Admin
Axis2
"PostScript": Write an article mainly want to explainAxis2Default account password harm, I hope you do not abuse the infiltration technology involved in the article, together to establish a good information security environment.

Intrusion WebService website with Axis2 default password security vulnerability