# 8009 - Pentesting Apache JServ Protocol (AJP)

## Basic Information

From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)

> AJP is a wire protocol. It is an optimized version of the HTTP protocol that allows a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat-related content.

Also interesting:

> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.

**Default port:** 8009

```
PORT     STATE SERVICE
8009/tcp open  ajp13
```

## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)

If the AJP port is exposed, Tomcat may be susceptible to the Ghostcat vulnerability. There is an [exploit](https://www.exploit-db.com/exploits/48143) for this issue.

Ghostcat is an LFI vulnerability, but a somewhat restricted one: only files from a certain path can be pulled.
Nevertheless, this can include files such as `WEB-INF/web.xml`, which can leak important information such as credentials for the Tomcat interface, depending on the server setup.

Patched versions at or above 9.0.31, 8.5.51 and 7.0.100 have fixed this issue.

## Enumeration

### Automatic

```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
```

### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#ajp)

## AJP Proxy

### Nginx Reverse Proxy & AJP

[Check out the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)

When you find an open AJP proxy port (8009 TCP), you can use Nginx with the `ajp_module` to reach the "hidden" Tomcat Manager. This is done by compiling the Nginx source code with the required module added:

* Download the Nginx source code
* Download the required module
* Compile the Nginx source code with the `ajp_module`
* Create a configuration file that points to the AJP port

```bash
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz

# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```

Comment out the entire `server` block and add the following lines inside the `http` block of `/etc/nginx/conf/nginx.conf`.

```nginx
upstream tomcats {
    # Replace <TARGET-IP> with the address of the AJP listener
    server <TARGET-IP>:8009;
    keepalive 10;
}
server {
    listen 80;
    location / {
        ajp_keep_conn on;
        ajp_pass tomcats;
    }
}
```

Start Nginx and issue a cURL request to localhost to check that everything works correctly.

```shell-session
sudo nginx
curl http://127.0.0.1:80

Apache Tomcat/X.X.XX

Apache Tomcat/X.X.XX

If you're seeing this, you've successfully installed Tomcat. Congratulations!
```

### Nginx Dockerized version

```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```

Replace `TARGET-IP` in `nginx.conf` with the AJP IP, then build and run.

```bash
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```

### Apache AJP Proxy

It is rare to come across an open port 8009 with no other accessible web port. However, it is still possible to exploit it using **Metasploit**. With **Apache** acting as a proxy, requests can be redirected to **Tomcat** on port 8009.

```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
    Include ajp.conf
sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from localhost
    </Proxy>
    ProxyPass        / ajp://HOST:8009/
    ProxyPassReverse / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```

Because of the **binary nature of the AJP protocol**, this setup has the potential to bypass intrusion detection and prevention systems (IDS/IPS). This capability has not been verified. Sending a regular Metasploit Tomcat exploit to `127.0.0.1:80` can effectively take over the target system.

```bash
msf exploit(tomcat_mgr_deploy) > show options
```

## References

* [https://github.com/yaoweibin/nginx_ajp_module](https://github.com/yaoweibin/nginx_ajp_module)
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
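
A defender-side check for the exposure described in the Ghostcat section, as an added example that is not part of the original page: it audits a Tomcat `server.xml` for AJP connectors and compares the running version with the fixed releases listed there. The `address`, `secret` and `requiredSecret` connector attributes are Tomcat's own; the function names, the sample configurations and the treatment of branches newer than 9.x as fixed are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the Ghostcat section.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def is_patched(version):
    """True if a Tomcat version string is at or above its branch's fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v[0] > 9:
        return True  # assumption: branches after 9.x shipped with the fix
    floor = FIXED.get(v[0])
    return floor is not None and v >= floor

def audit_ajp(server_xml, version):
    """Return a list of findings for every AJP connector in server.xml."""
    patched = is_patched(version)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        port = conn.get("port", "?")
        if not patched:
            findings.append(f"{port}: Tomcat {version} predates the Ghostcat fix")
        addr = conn.get("address")
        # With no address set, patched releases bind AJP to loopback while
        # older ones listen on every interface.
        if addr not in LOOPBACK and (addr is not None or not patched):
            findings.append(f"{port}: reachable beyond loopback (address={addr})")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(f"{port}: no shared secret configured")
    return findings

# Constructed sample configurations, not taken from any real host.
EXPOSED = ('<Server><Service><Connector port="8009" protocol="AJP/1.3" '
           'redirectPort="8443"/></Service></Server>')
HARDENED = ('<Server><Service><Connector port="8009" protocol="AJP/1.3" '
            'address="127.0.0.1" secret="CHANGE-ME"/></Service></Server>')

if __name__ == "__main__":
    for name, xml, ver in (("exposed", EXPOSED, "9.0.30"),
                           ("hardened", HARDENED, "9.0.31")):
        print(name, audit_ajp(xml, ver) or "ok")
```

An empty list means the connector is bound to loopback, protected by a shared secret, and running a fixed release.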