mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 11:03:24 +00:00
156 lines
6.8 KiB
Markdown
156 lines
6.8 KiB
Markdown
|
# 8009 - Pentesting Apache JServ Protocol (AJP)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
||
|
|
||
|
**Hacking Insights**\
|
||
|
Engage with content that delves into the thrill and challenges of hacking
|
||
|
|
||
|
**Real-Time Hack News**\
|
||
|
Keep up-to-date with fast-paced hacking world through real-time news and insights
|
||
|
|
||
|
**Latest Announcements**\
|
||
|
Stay informed with the newest bug bounties launching and crucial platform updates
|
||
|
|
||
|
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
||
|
|
||
|
## Basic Information
|
||
|
|
||
|
From [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
|
||
|
|
||
|
> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
|
||
|
|
||
|
Also interesting:
|
||
|
|
||
|
> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles
|
||
|
|
||
|
**Default port:** 8009
|
||
|
|
||
|
```
|
||
|
PORT STATE SERVICE
|
||
|
8009/tcp open ajp13
|
||
|
```
|
||
|
|
||
|
## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
|
||
|
|
||
|
This is an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials. This is an [exploit](https://www.exploit-db.com/exploits/48143) to abuse the vulnerability and AJP exposed ports might be vulnerable to it.
|
||
|
|
||
|
The patched versions are at or above 9.0.31, 8.5.51, and 7.0.100.
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
### Automatic
|
||
|
|
||
|
```bash
|
||
|
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
|
||
|
```
|
||
|
|
||
|
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#ajp)
|
||
|
|
||
|
## AJP Proxy
|
||
|
|
||
|
### Nginx Reverse Proxy + AJP
|
||
|
|
||
|
([Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version))
|
||
|
|
||
|
It's possible to communicate with an open AJP proxy port (8009 TCP) by using the Nginx `ajp_module` apache module and access the Tomat Manager from this port which could ultimately lead to RCE in the vulnerable server.
|
||
|
|
||
|
* Start downloading Nginx from [https://nginx.org/en/download.html](https://nginx.org/en/download.html) and then compile it with the ajp module:
|
||
|
|
||
|
```bash
|
||
|
# Compile Nginx with the ajp module
|
||
|
git clone https://github.com/dvershinin/nginx_ajp_module.git
|
||
|
cd nginx-version
|
||
|
sudo apt install libpcre3-dev
|
||
|
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
|
||
|
make
|
||
|
sudo make install
|
||
|
nginx -V
|
||
|
```
|
||
|
|
||
|
* Then, comment the `server` block and add the following in the `http` block in `/etc/nginx/conf/nginx.conf`.
|
||
|
|
||
|
```json
|
||
|
upstream tomcats {
|
||
|
server <TARGET_SERVER>:8009;
|
||
|
keepalive 10;
|
||
|
}
|
||
|
server {
|
||
|
listen 80;
|
||
|
location / {
|
||
|
ajp_keep_conn on;
|
||
|
ajp_pass tomcats;
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
|
||
|
* Finally, start nginx (`sudo nginx`) and check it works by accessing `http://127.0.0.1`
|
||
|
|
||
|
### Nginx Dockerized-version
|
||
|
|
||
|
```bash
|
||
|
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
|
||
|
cd nginx-ajp-docker
|
||
|
```
|
||
|
|
||
|
Replace `TARGET-IP` in `nginx.conf` witg AJP IP then build and run
|
||
|
|
||
|
```bash
|
||
|
docker build . -t nginx-ajp-proxy
|
||
|
docker run -it --rm -p 80:80 nginx-ajp-proxy
|
||
|
```
|
||
|
|
||
|
### Apache AJP Proxy
|
||
|
|
||
|
It's also possible to use an **Apache AJP proxy** to access that port instead of **Nginx**.
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx_ajp_module)
|
||
|
|
||
|
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
||
|
|
||
|
**Hacking Insights**\
|
||
|
Engage with content that delves into the thrill and challenges of hacking
|
||
|
|
||
|
**Real-Time Hack News**\
|
||
|
Keep up-to-date with fast-paced hacking world through real-time news and insights
|
||
|
|
||
|
**Latest Announcements**\
|
||
|
Stay informed with the newest bug bounties launching and crucial platform updates
|
||
|
|
||
|
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|