hacktricks/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md

# 8009 - Pentesting Apache JServ Protocol (AJP)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## Basic Information

From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)

> AJP é um protocolo de rede. É uma versão otimizada do protocolo HTTP para permitir que um servidor web autônomo, como o [Apache](http://httpd.apache.org/), se comunique com o Tomcat. Historicamente, o Apache tem sido muito mais rápido que o Tomcat ao servir conteúdo estático. A ideia é permitir que o Apache sirva o conteúdo estático sempre que possível, mas faça proxy da solicitação para o Tomcat para conteúdo relacionado ao Tomcat.

Also interesting:

> O protocolo ajp13 é orientado a pacotes. Um formato binário foi presumivelmente escolhido em vez do texto simples mais legível por razões de desempenho. O servidor web se comunica com o contêiner de servlets por meio de conexões TCP. Para reduzir o caro processo de criação de soquetes, o servidor web tentará manter conexões TCP persistentes com o contêiner de servlets e reutilizar uma conexão para múltiplos ciclos de solicitação/resposta.

**Default port:** 8009
```
PORT     STATE SERVICE
8009/tcp open  ajp13
```
## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)

Se a porta AJP estiver exposta, o Tomcat pode ser suscetível à vulnerabilidade Ghostcat. Aqui está um [exploit](https://www.exploit-db.com/exploits/48143) que funciona com esse problema.

Ghostcat é uma vulnerabilidade LFI, mas um tanto restrita: apenas arquivos de um determinado caminho podem ser acessados. No entanto, isso pode incluir arquivos como `WEB-INF/web.xml`, que podem vazar informações importantes, como credenciais para a interface do Tomcat, dependendo da configuração do servidor.

Versões corrigidas a partir de 9.0.31, 8.5.51 e 7.0.100 resolveram esse problema.

## Enumeração

### Automático
```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
```
### [**Força bruta**](../generic-methodologies-and-resources/brute-force.md#ajp)

## Proxy AJP

### Nginx Reverse Proxy & AJP

[Confira a versão Dockerizada](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)

Quando encontramos uma porta de proxy AJP aberta (8009 TCP), podemos usar o Nginx com o `ajp_module` para acessar o "gerenciador" Tomcat oculto. Isso pode ser feito compilando o código-fonte do Nginx e adicionando o módulo necessário, da seguinte forma:

* Baixe o código-fonte do Nginx
* Baixe o módulo necessário
* Compile o código-fonte do Nginx com o `ajp_module`.
* Crie um arquivo de configuração apontando para a porta AJP
```bash
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz

# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```
Comente todo o bloco `server` e adicione as seguintes linhas dentro do bloco `http` em `/etc/nginx/conf/nginx.conf`.
```shell-session
upstream tomcats {
server <TARGET_SERVER>:8009;
keepalive 10;
}
server {
listen 80;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
}
```
Inicie o Nginx e verifique se tudo está funcionando corretamente emitindo uma solicitação cURL para o seu host local.
```html
sudo nginx
curl http://127.0.0.1:80

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</headas
<body>
<div id="wrapper">
<div id="navigation" class="curved container">
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
<span id="nav-examples"><a href="/examples/">Examples</a></span>
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
<br class="separator" />
</div>
<div id="asf-box">
<h1>Apache Tomcat/X.X.XX</h1>
</div>
<div id="upper" class="curved container">
<div id="congrats" class="curved container">
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
<SNIP>
```
### Nginx versão Dockerizada
```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```
Substitua `TARGET-IP` em `nginx.conf` pelo IP AJP e, em seguida, construa e execute.
```bash
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```
### Apache AJP Proxy

Encontrar uma porta 8009 aberta sem outras portas web acessíveis é raro. No entanto, ainda é possível explorá-la usando **Metasploit**. Ao aproveitar **Apache** como um proxy, as solicitações podem ser redirecionadas para **Tomcat** na porta 8009.
```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass       / ajp://HOST:8009/
ProxyPassReverse    / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```
Esta configuração oferece o potencial de contornar sistemas de detecção e prevenção de intrusões (IDS/IPS) devido à **natureza binária do protocolo AJP**, embora essa capacidade não tenha sido verificada. Ao direcionar um exploit regular do Metasploit Tomcat para `127.0.0.1:80`, você pode efetivamente assumir o controle do sistema alvo.
```bash
msf  exploit(tomcat_mgr_deploy) > show options
```
## Referências

* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx\_ajp\_module)
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)

<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>

Junte-se ao [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) para se comunicar com hackers experientes e caçadores de bugs!

**Insights de Hacking**\
Engaje-se com conteúdo que mergulha na emoção e nos desafios do hacking

**Notícias de Hack em Tempo Real**\
Mantenha-se atualizado com o mundo do hacking em ritmo acelerado através de notícias e insights em tempo real

**Últimos Anúncios**\
Fique informado sobre as novas recompensas de bugs lançadas e atualizações cruciais da plataforma

**Junte-se a nós no** [**Discord**](https://discord.com/invite/N3FrSbmwdy) e comece a colaborar com os melhores hackers hoje!

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Suporte ao HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`# 8009 - Pentesting Apache JServ Protocol (AJP)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`<summary>Support HackTricks</summary>`
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00			`<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>`
new link 2022-11-05 09:07:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Join [HackenProof Discord](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!`
hp 2023-02-27 09:28:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Hacking Insights\`
			`Engage with content that delves into the thrill and challenges of hacking`
hp 2023-02-27 09:28:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Real-Time Hack News\`
			`Keep up-to-date with fast-paced hacking world through real-time news and insights`
hp 2023-02-27 09:28:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Latest Announcements\`
			`Stay informed with the newest bug bounties launching and crucial platform updates`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2023-07-14 16:02:10 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Join us on [Discord](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!`
new link 2022-11-05 09:07:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`## Basic Information`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`> AJP é um protocolo de rede. É uma versão otimizada do protocolo HTTP para permitir que um servidor web autônomo, como o [Apache](http://httpd.apache.org/), se comunique com o Tomcat. Historicamente, o Apache tem sido muito mais rápido que o Tomcat ao servir conteúdo estático. A ideia é permitir que o Apache sirva o conteúdo estático sempre que possível, mas faça proxy da solicitação para o Tomcat para conteúdo relacionado ao Tomcat.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Also interesting:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`> O protocolo ajp13 é orientado a pacotes. Um formato binário foi presumivelmente escolhido em vez do texto simples mais legível por razões de desempenho. O servidor web se comunica com o contêiner de servlets por meio de conexões TCP. Para reduzir o caro processo de criação de soquetes, o servidor web tentará manter conexões TCP persistentes com o contêiner de servlets e reutilizar uma conexão para múltiplos ciclos de solicitação/resposta.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Default port: 8009`
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`PORT STATE SERVICE`
			`8009/tcp open ajp13`
			```
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			`## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)`
Update 8009-pentesting-apache-jserv-protocol-ajp.md Added information about Ghostcat, which I ran into on a recent CTF box. 2021-04-27 04:58:23 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Se a porta AJP estiver exposta, o Tomcat pode ser suscetível à vulnerabilidade Ghostcat. Aqui está um [exploit](https://www.exploit-db.com/exploits/48143) que funciona com esse problema.`
Update 8009-pentesting-apache-jserv-protocol-ajp.md Added information about Ghostcat, which I ran into on a recent CTF box. 2021-04-27 04:58:23 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			Ghostcat é uma vulnerabilidade LFI, mas um tanto restrita: apenas arquivos de um determinado caminho podem ser acessados. No entanto, isso pode incluir arquivos como `WEB-INF/web.xml`, que podem vazar informações importantes, como credenciais para a interface do Tomcat, dependendo da configuração do servidor.
Update 8009-pentesting-apache-jserv-protocol-ajp.md Added information about Ghostcat, which I ran into on a recent CTF box. 2021-04-27 04:58:23 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Versões corrigidas a partir de 9.0.31, 8.5.51 e 7.0.100 resolveram esse problema.`
Update 8009-pentesting-apache-jserv-protocol-ajp.md Added information about Ghostcat, which I ran into on a recent CTF box. 2021-04-27 04:58:23 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Enumeração`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`### Automático`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			```bash
			`nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>`
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`### [Força bruta](../generic-methodologies-and-resources/brute-force.md#ajp)`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Proxy AJP`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`### Nginx Reverse Proxy & AJP`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`[Confira a versão Dockerizada](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)`
Translated ['network-services-pentesting/8009-pentesting-apache-jserv-pr 2023-09-11 00:07:36 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			Quando encontramos uma porta de proxy AJP aberta (8009 TCP), podemos usar o Nginx com o `ajp_module` para acessar o "gerenciador" Tomcat oculto. Isso pode ser feito compilando o código-fonte do Nginx e adicionando o módulo necessário, da seguinte forma:
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Baixe o código-fonte do Nginx`
			`* Baixe o módulo necessário`
			* Compile o código-fonte do Nginx com o `ajp_module`.
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2023-07-14 16:02:10 +00:00			`* Crie um arquivo de configuração apontando para a porta AJP`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			`# Download Nginx code`
			`wget https://nginx.org/download/nginx-1.21.3.tar.gz`
			`tar -xzvf nginx-1.21.3.tar.gz`

			`# Compile Nginx source code with the ajp module`
			`git clone https://github.com/dvershinin/nginx_ajp_module.git`
			`cd nginx-1.21.3`
			`sudo apt install libpcre3-dev`
			./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
			`make`
			`sudo make install`
			`nginx -V`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			Comente todo o bloco `server` e adicione as seguintes linhas dentro do bloco `http` em `/etc/nginx/conf/nginx.conf`.
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			```shell-session
			`upstream tomcats {`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2023-07-14 16:02:10 +00:00			`server <TARGET_SERVER>:8009;`
			`keepalive 10;`
			`}`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			`server {`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2023-07-14 16:02:10 +00:00			`listen 80;`
			`location / {`
			`ajp_keep_conn on;`
			`ajp_pass tomcats;`
			`}`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			`}`
			```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00			`Inicie o Nginx e verifique se tudo está funcionando corretamente emitindo uma solicitação cURL para o seu host local.`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			```html
			`sudo nginx`
			`curl http://127.0.0.1:80`

			`<!DOCTYPE html>`
			`<html lang="en">`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2023-07-14 16:02:10 +00:00			`<head>`
			`<meta charset="UTF-8" />`
			`<title>Apache Tomcat/X.X.XX</title>`
			`<link href="favicon.ico" rel="icon" type="image/x-icon" />`
			`<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />`
			`<link href="tomcat.css" rel="stylesheet" type="text/css" />`
			`</headas`
			`<body>`
			`<div id="wrapper">`
			`<div id="navigation" class="curved container">`
			`<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>`
			`<span id="nav-hosts"><a href="/docs/">Documentation</a></span>`
			`<span id="nav-config"><a href="/docs/config/">Configuration</a></span>`
			`<span id="nav-examples"><a href="/examples/">Examples</a></span>`
			`<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>`
			`<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>`
			`<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>`
			`<br class="separator" />`
			`</div>`
			`<div id="asf-box">`
			`<h1>Apache Tomcat/X.X.XX</h1>`
			`</div>`
			`<div id="upper" class="curved container">`
			`<div id="congrats" class="curved container">`
			`<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			`<SNIP>`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`### Nginx versão Dockerizada`
Translated ['network-services-pentesting/8009-pentesting-apache-jserv-pr 2023-09-11 00:07:36 +00:00			```bash
			`git clone https://github.com/ScribblerCoder/nginx-ajp-docker`
			`cd nginx-ajp-docker`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			Substitua `TARGET-IP` em `nginx.conf` pelo IP AJP e, em seguida, construa e execute.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00			```bash
Translated ['network-services-pentesting/8009-pentesting-apache-jserv-pr 2023-09-11 00:07:36 +00:00			`docker build . -t nginx-ajp-proxy`
			`docker run -it --rm -p 80:80 nginx-ajp-proxy`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`### Apache AJP Proxy`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Encontrar uma porta 8009 aberta sem outras portas web acessíveis é raro. No entanto, ainda é possível explorá-la usando Metasploit. Ao aproveitar Apache como um proxy, as solicitações podem ser redirecionadas para Tomcat na porta 8009.`
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00			```bash
			`sudo apt-get install libapache2-mod-jk`
			`sudo vim /etc/apache2/apache2.conf # append the following line to the config`
			`Include ajp.conf`
			`sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address`
			`ProxyRequests Off`
			`<Proxy *>`
			`Order deny,allow`
			`Deny from all`
			`Allow from localhost`
			`</Proxy>`
			`ProxyPass / ajp://HOST:8009/`
			`ProxyPassReverse / ajp://HOST:8009/`
			`sudo a2enmod proxy_http`
			`sudo a2enmod proxy_ajp`
			`sudo systemctl restart apache2`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			Esta configuração oferece o potencial de contornar sistemas de detecção e prevenção de intrusões (IDS/IPS) devido à natureza binária do protocolo AJP, embora essa capacidade não tenha sido verificada. Ao direcionar um exploit regular do Metasploit Tomcat para `127.0.0.1:80`, você pode efetivamente assumir o controle do sistema alvo.
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00			```bash
			`msf exploit(tomcat_mgr_deploy) > show options`
			```
			`## Referências`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00
			`* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx\_ajp\_module)`
GitBook: [#3540] No subject 2022-10-03 13:43:01 +00:00			`* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00			`<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>`
new link 2022-11-05 09:07:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Junte-se ao [HackenProof Discord](https://discord.com/invite/N3FrSbmwdy) para se comunicar com hackers experientes e caçadores de bugs!`
hp 2023-02-27 09:28:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Insights de Hacking\`
			`Engaje-se com conteúdo que mergulha na emoção e nos desafios do hacking`
hp 2023-02-27 09:28:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Notícias de Hack em Tempo Real\`
			`Mantenha-se atualizado com o mundo do hacking em ritmo acelerado através de notícias e insights em tempo real`
hp 2023-02-27 09:28:45 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00			`Últimos Anúncios\`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`Fique informado sobre as novas recompensas de bugs lançadas e atualizações cruciais da plataforma`
Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil 2023-07-14 16:02:10 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00			`Junte-se a nós no [Discord](https://discord.com/invite/N3FrSbmwdy) e comece a colaborar com os melhores hackers hoje!`
new link 2022-11-05 09:07:43 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`<details>`
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes 2024-02-09 12:48:36 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`<summary>Suporte ao HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para os repositórios do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:31:17 +00:00			`{% endhint %}`