... and get login and password for managers account on vulnerable Tomcat.
That's how I created a small module in ruby, called axis2_lfi_ctf.rb. Below small description:
So now, you can test it independently, as a normal module in Metasploit or you can grab a new version of grabash from my github and check it with other modules as well. Below simple settings when using directly from msfconsole:
So now, let's find out how is it working with current grabash version. During the scan we've found /axis2/ directory. This is an indicator to use our new LFI module:
Indeed, grabash prepared tests for Axis2:
... and now some results:
Remember to use grabash only for legal tests. ;)