# 8009 - Pentesting Apache JServ Protocol (AJP)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../.gitbook/assets/image (377).png" alt=""><figcaption></figcaption></figure>

Join the [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up to date with the fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed about the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## Basic Information

From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)

> AJP is a wire protocol. It is an optimized version of the HTTP protocol that allows a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat-related content.

Also interesting:

> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for performance reasons. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.

**Default port:** 8009

```
PORT STATE SERVICE
8009/tcp open ajp13
```
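To make the framing in those two quotes concrete, here is an added Python codec for AJP13 frames and the CPing/CPong liveness exchange. It is written for this page and is not code from the page, from Tomcat or from any of the linked projects. The magic bytes and the message prefix codes are the ones the AJP13 specification defines; the sample reply bytes are constructed, and the payload cap is a simplification (the spec limits a packet to 8 KiB; Tomcat reserves a few more bytes inside that for its own chunk headers). This is the same framing the nmap `ajp-*` scripts used below speak.

```python
import struct

# AJP13 framing, as described in the quoted protocol notes: every message is a
# 4-byte header (2-byte magic, 2-byte big-endian payload length) followed by
# the payload. The magic value tells you which direction the frame travels.
MAGIC_TO_CONTAINER = b"\x12\x34"   # web server -> servlet container (Tomcat)
MAGIC_TO_SERVER = b"AB"            # servlet container -> web server
MAX_PAYLOAD = 8192 - 4             # simplified: 8 KiB packet minus the 4-byte header

# Message prefix codes from the AJP13 specification.
CPING = 0x0A          # server -> container: "are you alive?"
CPONG = 0x09          # container -> server: reply to CPing
FORWARD_REQUEST = 0x02
SEND_HEADERS = 0x04
END_RESPONSE = 0x05


def encode_string(value):
    """AJP string: 2-byte length, the bytes, a NUL terminator. None is 0xFFFF."""
    if value is None:
        return b"\xff\xff"
    return struct.pack(">H", len(value)) + value + b"\x00"


def decode_string(buf, off):
    """Return (value, new_offset). Refuses strings that overrun the buffer."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return None, off
    value = buf[off:off + n]
    if len(value) != n or buf[off + n:off + n + 1] != b"\x00":
        raise ValueError("truncated or unterminated AJP string")
    return value, off + n + 1


def encode_packet(payload, to_container=True):
    """Wrap a payload in the AJP13 header for the given direction."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("AJP payload exceeds %d bytes" % MAX_PAYLOAD)
    magic = MAGIC_TO_CONTAINER if to_container else MAGIC_TO_SERVER
    return magic + struct.pack(">H", len(payload)) + payload


def decode_packet(data):
    """Parse one frame; return (direction, payload, remaining bytes).
    Bad magic, an oversized length field or a short frame all raise: that is
    the check either side must do before trusting a length supplied by the peer."""
    if len(data) < 4:
        raise ValueError("short frame")
    if data[:2] == MAGIC_TO_CONTAINER:
        direction = "to_container"
    elif data[:2] == MAGIC_TO_SERVER:
        direction = "to_server"
    else:
        raise ValueError("bad AJP magic %r" % data[:2])
    (n,) = struct.unpack_from(">H", data, 2)
    if n > MAX_PAYLOAD:
        raise ValueError("declared length %d exceeds AJP maximum" % n)
    if len(data) < 4 + n:
        raise ValueError("truncated frame: need %d bytes, have %d" % (4 + n, len(data)))
    return direction, data[4:4 + n], data[4 + n:]


def is_valid_frame(data):
    """Boolean form of decode_packet, handy for a quick protocol sanity check."""
    try:
        decode_packet(data)
        return True
    except ValueError:
        return False


def cping():
    """The liveness probe a web server (or a health check) sends to Tomcat."""
    return encode_packet(bytes([CPING]))


def is_cpong(frame):
    """True when the frame is the container's CPong answer to a CPing."""
    direction, payload, _ = decode_packet(frame)
    return direction == "to_server" and payload == bytes([CPONG])


def count_cpongs(stream):
    """Walk a byte stream frame by frame; the length field, not the socket
    read, delimits messages on a kept-alive AJP connection."""
    total = 0
    while stream:
        direction, payload, stream = decode_packet(stream)
        if direction == "to_server" and payload == bytes([CPONG]):
            total += 1
    return total


# Constructed exchange (not captured from a real host): the probe we send and
# the CPong reply a live AJP13 listener returns, twice in a row on one connection.
PROBE = cping()                              # b"\x12\x34\x00\x01\x0a"
CONSTRUCTED_REPLY = b"AB\x00\x01\x09"        # CPong from the container
CONSTRUCTED_STREAM = CONSTRUCTED_REPLY + CONSTRUCTED_REPLY
```

The same two magic prefixes are also a cheap network-detection signal: an HTTP request line never begins with `0x12 0x34`, so AJP frames arriving on a port where only HTTP is expected stand out to a parser like this one.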
## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)

If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue.

Ghostcat is an LFI vulnerability, but with some restrictions: only files from a certain path can be pulled. Still, this can include files like `WEB-INF/web.xml`, which can leak important information such as credentials for the Tomcat interface, depending on the server setup.

Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.
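As an added defender-side check (example code written for this page, not part of Tomcat or of any tool the page links), the following Python compares a reported Tomcat version against the fixed releases named above and audits the AJP `<Connector>` entries of a `server.xml` for the two settings that close off this exposure regardless of version: binding the listener to loopback and requiring a shared secret. The `server.xml` fragments are constructed; the attribute names (`address`, `secret`, `secretRequired`, and the older `requiredSecret`) are real Tomcat connector attributes, and the code assumes that an unset `address` meant all interfaces before the fix and loopback from the fixed releases on, which is the default change that shipped with the fix.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release on each branch, as stated on the page.
GHOSTCAT_FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(text):
    """Extract x.y.z from strings such as 'Apache Tomcat/9.0.30'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def ghostcat_patched(text):
    """True when the release carries the CVE-2020-1938 fix."""
    v = parse_version(text)
    fixed = GHOSTCAT_FIXED.get(v[0])
    if fixed is None:
        # 10.x and later shipped after the fix; 6.x and older never received one.
        return v[0] > 9
    return v >= fixed


def audit_ajp_connectors(server_xml, version):
    """One finding per AJP connector: version, bind address and shared secret.
    Assumption: an unset 'address' means all interfaces before the fix and
    loopback on fixed releases (the fix changed that default)."""
    patched = ghostcat_patched(version)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        address = conn.get("address") or ("127.0.0.1" if patched else "0.0.0.0")
        # Fixed releases use 'secret'; older ones used 'requiredSecret'.
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if not patched:
            issues.append("Tomcat %s predates the Ghostcat fix"
                          % ".".join(map(str, parse_version(version))))
        if address not in LOOPBACK:
            issues.append("AJP listener bound to %s, reachable beyond loopback" % address)
        if not secret:
            issues.append("no AJP shared secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


# Constructed server.xml fragments (not taken from a real deployment).
EXPOSED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" />
</Service></Server>"""


if __name__ == "__main__":
    for label, xml, ver in (("exposed", EXPOSED_SERVER_XML, "Apache Tomcat/9.0.30"),
                            ("hardened", HARDENED_SERVER_XML, "Apache Tomcat/9.0.31")):
        for f in audit_ajp_connectors(xml, ver):
            print(label, f["port"], f["address"], f["issues"] or "OK")
```

The exposed fragment is what a default pre-fix install looks like: no `address`, no secret, so the listener answers on every interface. Note that if a Tomcat does not need AJP at all, removing the connector is simpler than hardening it.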
## Enumeration

### Automatic

```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
```

### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#ajp)

## AJP Proxy

### Nginx Reverse Proxy & AJP

[Check the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)

When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the `ajp_module` to reach the "hidden" Tomcat Manager. This is done by compiling the Nginx source code with the required module added, as follows:

* Download the Nginx source code
* Download the required module
* Compile the Nginx source code with the `ajp_module`.
* Create a configuration file pointing at the AJP port

```bash
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz
# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```

```diff
- # server {
- # listen 80;
- # server_name example.com;
- # location / {
- # proxy_pass http://127.0.0.1:8009;
- # }
- # }
+ upstream ajp_backend {
+ server 127.0.0.1:8009;
+ }
+
+ server {
+ listen 80;
+ server_name example.com;
+ location / {
+ proxy_pass http://ajp_backend;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ }
```
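Review bot: the added `location / { proxy_pass http://ajp_backend; ... }` block still speaks HTTP to `127.0.0.1:8009`, which is an AJP13 listener expecting the binary framing described under Basic Information, so as written this config will not reach Tomcat. With `nginx_ajp_module` compiled in, the location should use `ajp_pass ajp_backend;` (as the `upstream tomcats` config that follows does), at which point the three `proxy_set_header` lines no longer apply and can be dropped. The removed `- #` lines were a commented-out template rather than live configuration, so nothing is lost by deleting them.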
```nginx
upstream tomcats {
    server <TARGET_SERVER>:8009;
    keepalive 10;
}

server {
    listen 80;
    location / {
        ajp_keep_conn on;
        ajp_pass tomcats;
    }
}
```

Start Nginx and check that everything works correctly by issuing a cURL request to your local host.

```shell-session
sudo nginx
curl http://127.0.0.1:80
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="navigation" class="curved container">
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
<span id="nav-examples"><a href="/examples/">Examples</a></span>
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
<br class="separator" />
</div>
<div id="asf-box">
<h1>Apache Tomcat/X.X.XX</h1>
</div>
<div id="upper" class="curved container">
<div id="congrats" class="curved container">
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
<SNIP>
```

### Nginx Dockerized version

```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```

Replace `TARGET-IP` in `nginx.conf` with the AJP IP, then build and run:

```bash
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```

### Apache AJP Proxy

Encountering an open port 8009 without any other accessible web port is rare. However, it is still possible to exploit it using **Metasploit**. By leveraging **Apache** as a proxy, requests can be forwarded to **Tomcat** on port 8009.

```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://HOST:8009/
ProxyPassReverse / ajp://HOST:8009/

sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```

This setup may make it possible to bypass intrusion detection and prevention systems (IDS/IPS) because of the **binary nature of the AJP protocol**, although that has not been verified. By pointing a regular Metasploit Tomcat exploit at `127.0.0.1:80`, you can take control of the targeted system.

```bash
msf exploit(tomcat_mgr_deploy) > show options
```

## References

* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx\_ajp\_module)
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
