Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00

Translator workflow b442ae90c4 Translated to Klingon

2024-02-10 17:52:19 +00:00

16 KiB

Raw Permalink Blame History

8009 - Pentesting Apache JServ Protocol (AJP)

htARTE (HackTricks AWS Red Team Expert) !HackTricks!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Basic Information

From: https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/

AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as Apache to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.

Also interesting:

The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles

Default port: 8009

PORT     STATE SERVICE
8009/tcp open  ajp13

CVE-2020-1938 'Ghostcat'

If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an exploit that works with this issue.

Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like WEB-INF/web.xml which can leak important information like credentials for the Tomcat interface, depending on the server setup.

Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.

Enumeration

Automatic

nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>

Brute force

AJP Proxy

Nginx Reverse Proxy & AJP

Checkout the Dockerized version

When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the ajp_module to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows:

Download the Nginx source code
Download the required module
Compile Nginx source code with the ajp_module.
Create a configuration file pointing to the AJP Port

# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz

# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V

upstream tomcats {
server <TARGET_SERVER>:8009;
keepalive 10;
}
server {
listen 80;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
}

Qap Nginx 'ej check 'oH correctly by issuing a cURL request to your local host.

sudo nginx
curl http://127.0.0.1:80

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</headas
<body>
<div id="wrapper">
<div id="navigation" class="curved container">
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
<span id="nav-examples"><a href="/examples/">Examples</a></span>
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
<br class="separator" />
</div>
<div id="asf-box">
<h1>Apache Tomcat/X.X.XX</h1>
</div>
<div id="upper" class="curved container">
<div id="congrats" class="curved container">
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
<SNIP>

Nginx Dockerized-version

Description

Nginx is a popular web server and reverse proxy server. It is often used to serve static content, handle SSL/TLS termination, and load balance incoming traffic to backend servers. In this section, we will explore how to run Nginx in a Docker container.

Steps

Install Docker on your machine if you haven't already done so.
Create a new directory for your Nginx configuration files.
Inside the directory, create a new file called Dockerfile and open it in a text editor.
Add the following content to the Dockerfile:
```
FROM nginx:latest
COPY nginx.conf /etc/nginx/nginx.conf
COPY sites-available /etc/nginx/sites-available
COPY sites-enabled /etc/nginx/sites-enabled
```
This Dockerfile specifies that we want to use the latest version of the Nginx Docker image as our base image. It also copies our custom configuration files to the appropriate locations in the container.
Create a new file called nginx.conf and open it in a text editor.
Add your Nginx configuration to the nginx.conf file. This can include things like server blocks, SSL/TLS settings, and proxy configurations.
Create two new directories called sites-available and sites-enabled inside the Nginx configuration directory.
Place your site configuration files in the sites-available directory. These files should have a .conf extension.
Create symbolic links from the sites-available directory to the sites-enabled directory for each site configuration file. This can be done using the ln command.
Build the Docker image by running the following command in the terminal:
```
docker build -t my-nginx .
```
This command tells Docker to build an image using the Dockerfile in the current directory and tag it with the name my-nginx.
Run a container using the newly created image by running the following command:
```
docker run -d -p 80:80 my-nginx
```
This command starts a new container based on the my-nginx image and maps port 80 of the container to port 80 of the host machine.
Test your Nginx server by opening a web browser and navigating to http://localhost. You should see the default Nginx welcome page.

Conclusion

Running Nginx in a Docker container provides a convenient and portable way to deploy and manage your web server. By following the steps outlined in this section, you can easily create a Dockerized version of Nginx with your custom configuration.

git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker

Replace TARGET-IP in nginx.conf with AJP IP then build and run

docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy

Apache AJP Proxy

Metasploit jatlh port 8009 vItlhutlh. Apache proxy vaj Tomcat port 8009 vIleghlaHbe'.

sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass       / ajp://HOST:8009/
ProxyPassReverse    / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2

AJP protokol's binary nature jupwI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'wI'pu'

msf  exploit(tomcat_mgr_deploy) > show options

References