10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.975 High
EPSS
Percentile
100.0%
HTTP based detection of Apache Axis2, a Web Services / SOAP /
WSDL engine, the successor to the widely used Apache Axis SOAP stack.
# SPDX-FileCopyrightText: 2010 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.100813");
script_version("2023-10-13T05:06:10+0000");
script_tag(name:"last_modification", value:"2023-10-13 05:06:10 +0000 (Fri, 13 Oct 2023)");
script_tag(name:"creation_date", value:"2010-09-20 15:31:27 +0200 (Mon, 20 Sep 2010)");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
script_tag(name:"cvss_base", value:"0.0");
script_name("Apache Axis2 Detection (HTTP)");
script_category(ACT_GATHER_INFO);
script_family("Product detection");
script_copyright("Copyright (C) 2010 Greenbone AG");
script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "global_settings.nasl");
script_require_ports("Services/www", 8080);
script_exclude_keys("Settings/disable_cgi_scanning");
script_tag(name:"summary", value:"HTTP based detection of Apache Axis2, a Web Services / SOAP /
WSDL engine, the successor to the widely used Apache Axis SOAP stack.");
script_xref(name:"URL", value:"https://axis.apache.org/axis2/java/core/");
script_xref(name:"URL", value:"https://axis.apache.org/axis2/c/core/");
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
include("host_details.inc");
include("cpe.inc");
port = http_get_port( default:8080 );
host = http_host_name( dont_add_port:TRUE );
banner = http_get_remote_headers( port:port );
if( banner && egrep( string:banner, pattern:"^[Ss]erver\s*:\s*Simple-Server", icase:FALSE ) ) {
# nb: Axis2 running on binary distribution, no need to iterate over all other directories...
dirs = make_list( "/axis2" );
} else {
# nb: Axis2 running on Tomcat or similar application servers
dirs = make_list_unique(
"/axis2", # Standard one
"/imcws", # SAP Business Objects 12 and/or 3com IMC (See CVE-2010-2103)
"/WebServiceImpl", # Computer Associates ARCserve D2D r15 Web Service (See CVE-2010-0219 / https://www.exploit-db.com/exploits/15869)
"/dswsbobje", # SAP BusinessObjects Enterprise XI 3.2 (See CVE-2010-0219)
"/BusinessProcessBI", # SAP BusinessObjects as well
"/ws", # Currently unknown
"/MicroStrategyWS", # Microstrategy Web 10.4 (See CVE-2020-11450)
"/Api", # VMware Smarts NCM
"/jboss-net", # JBoss.net Axis integration
"/tomcat", # Both for Tomcat, seen "in the wild"
"/tomcat/axis",
"/wssgs", # Both for JBuilder Apache Axis
"/tresearch",
"/infranetwebsvc", # Both for Oracle Communications Billing and Revenue Management Web Services Manager from:
"/BrmWebServices", # https://docs.oracle.com/cd/E16754_01/doc.75/e16724/wsm_deploy.htm
http_cgi_dirs( port:port, host:host ) );
}
foreach dir( dirs ) {
detected = FALSE;
install = dir;
if( dir == "/" )
dir = "";
# nb: Version service on newer Axis2 versions
url1 = dir + "/services/Version/getVersion";
buf1 = http_get_cache( item:url1, port:port );
# nb: Admin interface for < 1.8.x
url2 = dir + "/axis2-admin/";
buf2 = http_get_cache( item:url2, port:port );
# nb: Overview page
url3 = dir + "/axis2-web/index.jsp";
buf3 = http_get_cache( item:url3, port:port );
# nb: Old location of Version service for Axis2 0.93 and below
url4 = dir + "/services/version/getVersion";
buf4 = http_get_cache( item:url4, port:port );
# nb: "Happiness" page for 1.x
url5 = dir + "/axis2-web/HappyAxis.jsp";
buf5 = http_get_cache( item:url5, port:port );
# nb: Admin interface for >= 1.8.x
url6 = dir + "/axis2-admin/welcome";
buf6 = http_get_cache( item:url6, port:port );
# nb: "Happiness" page for 0.9x
url7 = dir + "/HappyAxis.jsp";
buf7 = http_get_cache( item:url7, port:port );
# nb: Admin interface for 0.9x
url8 = dir + "/Login.jsp";
buf8 = http_get_cache( item:url8, port:port );
# nb: Another "landing" page
url9 = dir + "/";
buf9 = http_get_cache( item:url9, port:port );
if( buf1 =~ "Hello I am Axis2" ||
( "getVersionResponse" >< buf1 && "the Axis2 version is" >< buf1 ) ||
"The system is attempting to access an inactive service: Version" >< buf1 ||
"The service cannot be found for the endpoint reference (EPR)" >< buf1 ||
"Service Not found EPR is" >< buf1 ) {
detected = TRUE;
concludedUrl = " " + http_report_vuln_url( port:port, url:url1, url_only:TRUE );
}
if( "<title>Login to Axis2 :: Administration page</title>" >< buf2 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url2, url_only:TRUE );
}
if( "<title>Axis 2 - Home</title>" >< buf3 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url3, url_only:TRUE );
}
if( buf4 =~ "Hello I am Axis2" ||
( "getVersionResponse" >< buf4 && "the Axis2 version is" >< buf4 ) ||
"The system is attempting to access an inactive service: Version" >< buf4 ||
"The service cannot be found for the endpoint reference (EPR)" >< buf4 ||
"Service Not found EPR is" >< buf4 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url4, url_only:TRUE );
}
if( "<title>Axis2 Happiness Page</title>" >< buf5 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url5, url_only:TRUE );
set_kb_item( name:"apache/axis2/happiness_page/detected", value:TRUE );
set_kb_item( name:"apache/axis2/happiness_page/http/detected", value:TRUE );
set_kb_item( name:"apache/axis2/happiness_page/http/" + host + "/" + port + "/urls", value:url5 );
}
if( "<title>Login to Axis2 :: Administration page</title>" >< buf6 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url6, url_only:TRUE );
}
if( "<title>Axis2 Happiness Page</title>" >< buf7 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url7, url_only:TRUE );
set_kb_item( name:"apache/axis2/happiness_page/detected", value:TRUE );
set_kb_item( name:"apache/axis2/happiness_page/http/detected", value:TRUE );
set_kb_item( name:"apache/axis2/happiness_page/http/" + host + "/" + port + "/urls", value:url7 );
}
# nb:
# - This is slightly different to the others and even has a typo (at least on 0.93)
# - We're checking both, the typo and the correct spelling just to be sure...
if( "<title>Login to Axis2:: Administartion page</title>" >< buf8 ||
"<title>Login to Axis2:: Administration page</title>" >< buf8 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url8, url_only:TRUE );
}
if( "<title>Axis 2 - Home</title>" >< buf9 ) {
detected = TRUE;
if( concludedUrl )
concludedUrl += '\n';
concludedUrl += " " + http_report_vuln_url( port:port, url:url9, url_only:TRUE );
}
if( detected ) {
version = "unknown";
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hi - the Axis2 version is 1.8.2</ns:return></ns:getVersionResponse>
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hi - the Axis2 version is 1.7.9</ns:return></ns:getVersionResponse>
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hi - the Axis2 version is 1.7.2</ns:return></ns:getVersionResponse>
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hi - the Axis2 version is 1.6.1</ns:return></ns:getVersionResponse>
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hi - the Axis2 version is 1.5</ns:return></ns:getVersionResponse>
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hello I am Axis2 version service , My version is 1.4.1</ns:return></ns:getVersionResponse>
# <ns:getVersionResponse xmlns:ns="http://axisversion.sample"><ns:return>Hello I am Axis2 version service , My version is 1.4</ns:return></ns:getVersionResponse>
# <my:Version xmlns:my="http://localhost/my">Hello I am Axis2 version service , My version is 0.93 Dec 02, 2005 (08:36:23 LKT)</my:Version>
vers = eregmatch( string:buf1, pattern:"version is ([0-9.]+)", icase:TRUE );
if( isnull( vers[1] ) )
vers = eregmatch( string:buf4, pattern:"version is ([0-9.]+)", icase:TRUE );
if( ! isnull( vers[1] ) ) {
version = chomp( vers[1] );
concluded = vers[0];
}
set_kb_item( name:"apache/axis2/detected", value:TRUE );
set_kb_item( name:"apache/axis2/http/detected", value:TRUE );
cpe = build_cpe( value:version, exp:"([0-9.]+)", base:"cpe:/a:apache:axis2:" );
if( ! cpe )
cpe = "cpe:/a:apache:axis2";
register_product( cpe:cpe, location:install, port:port, service:"www" );
log_message( data:build_detection_report( app:"Apache Axis2",
version:version,
install:install,
cpe:cpe,
concludedUrl:concludedUrl,
concluded:concluded ),
port:port );
exit( 0 );
}
}
exit( 0 );
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.975 High
EPSS
Percentile
100.0%