2024-02-09 12:48:25 +00:00
# 8009 - 渗透测试 Apache JServ 协议 (AJP)
2022-04-28 16:01:33 +00:00
< details >
2024-02-09 12:48:25 +00:00
< summary > < strong > 从零开始学习 AWS 黑客技术,成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-09 12:48:25 +00:00
支持 HackTricks 的其他方式:
2022-04-28 16:01:33 +00:00
2024-05-05 22:03:00 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
2024-02-09 12:48:25 +00:00
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
2024-05-05 22:03:00 +00:00
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或在 **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )** 上关注**我们。
2024-02-09 12:48:25 +00:00
* 通过向 [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
2024-02-09 12:48:25 +00:00
< / details >
2022-11-05 09:07:43 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (380).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-02-27 09:28:45 +00:00
2024-02-09 12:48:25 +00:00
加入 [**HackenProof Discord** ](https://discord.com/invite/N3FrSbmwdy ) 服务器,与经验丰富的黑客和赏金猎人交流!
2023-02-27 09:28:45 +00:00
2024-02-09 12:48:25 +00:00
**黑客见解**\
参与深入探讨黑客的刺激和挑战的内容
2023-02-27 09:28:45 +00:00
2024-02-09 12:48:25 +00:00
**实时黑客新闻**\
通过实时新闻和见解及时了解快节奏的黑客世界
2023-07-14 15:03:41 +00:00
2024-02-09 12:48:25 +00:00
**最新公告**\
2024-05-05 22:03:00 +00:00
随时了解最新的赏金计划发布和重要平台更新
2023-07-14 15:03:41 +00:00
2024-02-09 12:48:25 +00:00
**加入我们的** [**Discord** ](https://discord.com/invite/N3FrSbmwdy ),立即与顶尖黑客合作!
2022-11-05 09:07:43 +00:00
2023-08-03 19:12:22 +00:00
## 基本信息
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
来源:[https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
> AJP 是一种传输协议。它是 HTTP 协议的优化版本,允许独立的 Web 服务器(如 [Apache](http://httpd.apache.org/))与 Tomcat 进行通信。在历史上,
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
另外有趣的是:
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
> ajp13 协议是基于数据包的。出于性能原因, ,
2020-07-15 15:43:14 +00:00
2024-02-09 12:48:25 +00:00
**默认端口:** 8009
2022-05-01 13:25:53 +00:00
```
2020-07-15 15:43:14 +00:00
PORT STATE SERVICE
8009/tcp open ajp13
```
2022-05-01 13:25:53 +00:00
## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
2021-04-27 04:58:23 +00:00
2024-05-05 22:03:00 +00:00
如果AJP端口暴露,
2021-04-27 04:58:23 +00:00
2024-05-05 22:03:00 +00:00
Ghostcat是一个LFI漏洞, : , , ,
2021-04-27 04:58:23 +00:00
2024-02-09 12:48:25 +00:00
修补版本为9.0.31或更高版本,
2021-04-27 04:58:23 +00:00
2023-08-03 19:12:22 +00:00
## 枚举
2020-07-15 15:43:14 +00:00
2024-02-09 12:48:25 +00:00
### 自动化
2022-10-03 13:43:01 +00:00
```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 < IP >
2022-05-01 13:25:53 +00:00
```
2023-08-03 19:12:22 +00:00
### [**暴力破解**](../generic-methodologies-and-resources/brute-force.md#ajp)
2022-10-03 13:43:01 +00:00
2024-02-09 12:48:25 +00:00
## AJP 代理
2022-10-03 13:43:01 +00:00
2024-02-09 12:48:25 +00:00
### Nginx 反向代理 & AJP
2022-10-03 13:43:01 +00:00
2024-05-05 22:03:00 +00:00
[查看 Docker 化版本 ](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version )
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
当我们遇到一个开放的 AJP 代理端口( ) , `ajp_module` 的 Nginx 来访问“隐藏”的 Tomcat 管理器。这可以通过编译 Nginx 源代码并添加所需的模块来实现,具体步骤如下:
2023-09-11 00:08:00 +00:00
2024-02-09 12:48:25 +00:00
* 下载 Nginx 源代码
2023-08-03 19:12:22 +00:00
* 下载所需的模块
2024-02-09 12:48:25 +00:00
* 使用 `ajp_module` 编译 Nginx 源代码。
* 创建一个指向 AJP 端口的配置文件
2020-07-15 15:43:14 +00:00
```bash
2022-10-03 13:43:01 +00:00
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz
# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
2020-07-15 15:43:14 +00:00
```
2024-05-05 22:03:00 +00:00
```diff
-# server {
-# listen 80;
-# server_name example.com;
-# location / {
-# proxy_pass http://127.0.0.1:8009;
-# }
-# }
+# server {
+# listen 80;
+# server_name example.com;
+# location / {
+# proxy_pass http://127.0.0.1:8009;
+# }
+# }
```
2022-10-03 13:43:01 +00:00
```shell-session
upstream tomcats {
2023-08-03 19:12:22 +00:00
server < TARGET_SERVER > :8009;
keepalive 10;
}
2022-10-03 13:43:01 +00:00
server {
2023-08-03 19:12:22 +00:00
listen 80;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
2022-10-03 13:43:01 +00:00
}
```
2024-05-05 22:03:00 +00:00
启动 Nginx 并通过向本地主机发出 cURL 请求来检查一切是否正常工作。
2022-10-03 13:43:01 +00:00
```html
sudo nginx
curl http://127.0.0.1:80
<!DOCTYPE html>
< html lang = "en" >
2023-08-03 19:12:22 +00:00
< head >
< meta charset = "UTF-8" / >
< title > Apache Tomcat/X.X.XX< / title >
< link href = "favicon.ico" rel = "icon" type = "image/x-icon" / >
< link href = "favicon.ico" rel = "shortcut icon" type = "image/x-icon" / >
< link href = "tomcat.css" rel = "stylesheet" type = "text/css" / >
< /headas
< body >
< div id = "wrapper" >
< div id = "navigation" class = "curved container" >
< span id = "nav-home" > < a href = "https://tomcat.apache.org/" > Home< / a > < / span >
< span id = "nav-hosts" > < a href = "/docs/" > Documentation< / a > < / span >
< span id = "nav-config" > < a href = "/docs/config/" > Configuration< / a > < / span >
< span id = "nav-examples" > < a href = "/examples/" > Examples< / a > < / span >
< span id = "nav-wiki" > < a href = "https://wiki.apache.org/tomcat/FrontPage" > Wiki< / a > < / span >
< span id = "nav-lists" > < a href = "https://tomcat.apache.org/lists.html" > Mailing Lists< / a > < / span >
< span id = "nav-help" > < a href = "https://tomcat.apache.org/findhelp.html" > Find Help< / a > < / span >
< br class = "separator" / >
< / div >
< div id = "asf-box" >
< h1 > Apache Tomcat/X.X.XX< / h1 >
< / div >
< div id = "upper" class = "curved container" >
< div id = "congrats" class = "curved container" >
< h2 > If you're seeing this, you've successfully installed Tomcat. Congratulations!< / h2 >
2022-10-03 13:43:01 +00:00
< SNIP >
```
2024-02-09 12:48:25 +00:00
### Nginx Docker化版本
2023-09-11 00:08:00 +00:00
```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```
2024-05-05 22:03:00 +00:00
替换`nginx.conf`中的`TARGET-IP`为AJP IP,
```bash
2023-09-11 00:08:00 +00:00
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```
2024-02-09 12:48:25 +00:00
### Apache AJP 代理
2022-04-28 16:01:33 +00:00
2024-05-05 22:03:00 +00:00
遇到只有 8009 端口开放而没有其他可访问的 web 端口是罕见的。然而,仍然可以利用 **Metasploit** 来利用它。通过利用 **Apache** 作为代理,请求可以被重定向到端口 8009 上的 **Tomcat** 。
2024-02-09 12:48:25 +00:00
```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address
ProxyRequests Off
< Proxy * >
Order deny,allow
Deny from all
Allow from localhost
< / Proxy >
ProxyPass / ajp://HOST:8009/
ProxyPassReverse / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```
2024-05-05 22:03:00 +00:00
这种设置具有绕过入侵检测和防范系统( ) , ,
2024-02-09 12:48:25 +00:00
```bash
msf exploit(tomcat_mgr_deploy) > show options
```
## 参考资料
2024-05-05 22:03:00 +00:00
* [https://github.com/yaoweibin/nginx\_ajp\_module ](https://github.com/yaoweibin/nginx\_ajp\_module )
2022-10-03 13:43:01 +00:00
* [https://academy.hackthebox.com/module/145/section/1295 ](https://academy.hackthebox.com/module/145/section/1295 )
2022-04-28 16:01:33 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (380).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-07-14 15:03:41 +00:00
2024-05-05 22:03:00 +00:00
加入 [**HackenProof Discord** ](https://discord.com/invite/N3FrSbmwdy ) 服务器,与经验丰富的黑客和赏金猎人交流!
2023-07-14 15:03:41 +00:00
2024-02-09 12:48:25 +00:00
**黑客见解**\
2024-05-05 22:03:00 +00:00
参与深入探讨黑客活动的刺激和挑战的内容
2022-11-05 09:07:43 +00:00
2024-02-09 12:48:25 +00:00
**实时黑客新闻**\
通过实时新闻和见解及时了解快节奏的黑客世界
2023-02-27 09:28:45 +00:00
2024-02-09 12:48:25 +00:00
**最新公告**\
2024-05-05 22:03:00 +00:00
了解最新的赏金任务发布和重要平台更新
2023-02-27 09:28:45 +00:00
2024-05-05 22:03:00 +00:00
**加入我们的** [**Discord** ](https://discord.com/invite/N3FrSbmwdy ) 并开始与顶尖黑客合作吧!
2022-11-05 09:07:43 +00:00
2022-10-03 13:43:01 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-05-05 22:03:00 +00:00
< summary > < strong > 从零开始学习 AWS 黑客技术,成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( < / strong > < / a > < strong > ! < / strong > < / summary >
2024-02-09 12:48:25 +00:00
2024-05-05 22:03:00 +00:00
支持 HackTricks 的其他方式:
2022-04-28 16:01:33 +00:00
2024-05-05 22:03:00 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版本的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或在 **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )** 上关注我们**。
* 通过向 [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
