mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 09:27:32 +00:00
95 lines
4.4 KiB
Markdown
95 lines
4.4 KiB
Markdown
|
# 8009 - Pentesting Apache JServ Protocol \(AJP\)
|
|||
|
|
|||
|
## Basic Information
|
|||
|
|
|||
|
From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
|
|||
|
|
|||
|
> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
|
|||
|
|
|||
|
Also interesting:
|
|||
|
|
|||
|
> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles
|
|||
|
|
|||
|
**Default port:** 8009
|
|||
|
|
|||
|
```text
|
|||
|
PORT STATE SERVICE
|
|||
|
8009/tcp open ajp13
|
|||
|
```
|
|||
|
|
|||
|
## Apache AJP Proxy
|
|||
|
|
|||
|
It’s not often that you encounter port 8009 open and port 8080,8180,8443 or 80 closed but it happens. In which case it would be nice to use existing tools like metasploit to still pwn it right? As stated in one of the quotes you can \(ab\)use Apache to proxy the requests to Tomcat port 8009. In the references you will find a nice guide on how to do that \(read it first\), what follows is just an overview of the commands I used on my own machine. I omitted some of the original instruction since they didn’t seem to be necessary.
|
|||
|
|
|||
|
```text
|
|||
|
(apache must already be installed)
|
|||
|
sudo apt-get install libapach2-mod-jk
|
|||
|
sudo vim /etc/apache2/mods-available/jk.conf
|
|||
|
# Where to find workers.properties
|
|||
|
# Update this path to match your conf directory location
|
|||
|
JkWorkersFile /etc/apache2/jk_workers.properties
|
|||
|
# Where to put jk logs
|
|||
|
# Update this path to match your logs directory location
|
|||
|
JkLogFile /var/log/apache2/mod_jk.log
|
|||
|
# Set the jk log level [debug/error/info]
|
|||
|
JkLogLevel info
|
|||
|
# Select the log format
|
|||
|
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
|
|||
|
# JkOptions indicate to send SSL KEY SIZE,
|
|||
|
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
|
|||
|
# JkRequestLogFormat set the request format
|
|||
|
JkRequestLogFormat "%w %V %T"
|
|||
|
# Shm log file
|
|||
|
JkShmFile /var/log/apache2/jk-runtime-status
|
|||
|
sudo ln -s /etc/apache2/mods-available/jk.conf /etc/apache2/mods-enabled/jk.conf
|
|||
|
sudo vim /etc/apache2/jk_workers.properties
|
|||
|
# Define 1 real worker named ajp13
|
|||
|
worker.list=ajp13
|
|||
|
# Set properties for worker named ajp13 to use ajp13 protocol,
|
|||
|
# and run on port 8009
|
|||
|
worker.ajp13.type=ajp13
|
|||
|
worker.ajp13.host=localhost
|
|||
|
worker.ajp13.port=8009
|
|||
|
worker.ajp13.lbfactor=50
|
|||
|
worker.ajp13.cachesize=10
|
|||
|
worker.ajp13.cache_timeout=600
|
|||
|
worker.ajp13.socket_keepalive=1
|
|||
|
worker.ajp13.socket_timeout=300
|
|||
|
sudo vim /etc/apache2/sites-enabled/000-default
|
|||
|
JkMount /* ajp13
|
|||
|
JkMount /manager/ ajp13
|
|||
|
JkMount /manager/* ajp13
|
|||
|
JkMount /host-manager/ ajp13
|
|||
|
JkMount /host-manager/* ajp13
|
|||
|
sudo a2enmod proxy_ajp
|
|||
|
sudo a2enmod proxy_http
|
|||
|
sudo /etc/init.d/apache2 restart
|
|||
|
```
|
|||
|
|
|||
|
Don’t forget to adjust _worker.ajp13.host_ to the correct host. A nice side effect of using this setup is that you might thwart IDS/IPS systems in place since the AJP protocol is somewhat binary, but I haven’t verified this. Now you can just point your regular metasploit tomcat exploit to 127.0.0.1:80 and take over that system. Here is the metasploit output also:
|
|||
|
|
|||
|
```text
|
|||
|
msf exploit(tomcat_mgr_deploy) > show options
|
|||
|
|
|||
|
Module options (exploit/multi/http/tomcat_mgr_deploy):
|
|||
|
|
|||
|
Name Current Setting Required Description
|
|||
|
---- --------------- -------- -----------
|
|||
|
PASSWORD tomcat no The password for the specified username
|
|||
|
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
|
|||
|
Proxies no Use a proxy chain
|
|||
|
RHOST localhost yes The target address
|
|||
|
RPORT 80 yes The target port
|
|||
|
USERNAME tomcat no The username to authenticate as
|
|||
|
VHOST no HTTP server virtual host
|
|||
|
```
|
|||
|
|
|||
|
### Enumeration
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
|
|||
|
```
|
|||
|
|
|||
|
### \*\*\*\*[**Brute force**](../brute-force.md#ajp)\*\*\*\*
|
|||
|
|