mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 14:40:37 +00:00
205 lines
9.6 KiB
Markdown
205 lines
9.6 KiB
Markdown
# 8009 - Pentesting Apache JServ Protocol (AJP)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
|
|
|
**Hacking Insights**\
|
|
Engage with content that delves into the thrill and challenges of hacking
|
|
|
|
**Real-Time Hack News**\
|
|
Keep up-to-date with fast-paced hacking world through real-time news and insights
|
|
|
|
**Latest Announcements**\
|
|
Stay informed with the newest bug bounties launching and crucial platform updates
|
|
|
|
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
|
|
|
## Basic Information
|
|
|
|
From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
|
|
|
|
> AJP je protokol za prenos podataka. To je optimizovana verzija HTTP protokola koja omogućava samostalnom web serveru kao što je [Apache](http://httpd.apache.org/) da komunicira sa Tomcat-om. Istorijski gledano, Apache je bio mnogo brži od Tomcat-a u posluženju statičkog sadržaja. Ideja je da se Apache koristi za posluživanje statičkog sadržaja kada je to moguće, ali da se zahtev prosledi Tomcat-u za sadržaj vezan za Tomcat.
|
|
|
|
Takođe zanimljivo:
|
|
|
|
> AJP13 protokol je orijentisan na pakete. Binarni format je verovatno izabran umesto čitljivijeg običnog teksta iz razloga performansi. Web server komunicira sa servlet kontejnerom preko TCP veza. Da bi se smanjio skupi proces kreiranja soketa, web server će pokušati da održava trajne TCP veze sa servlet kontejnerom i da ponovo koristi vezu za više ciklusa zahtev/odgovor.
|
|
|
|
**Default port:** 8009
|
|
```
|
|
PORT STATE SERVICE
|
|
8009/tcp open ajp13
|
|
```
|
|
## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
|
|
|
|
Ako je AJP port izložen, Tomcat može biti podložan Ghostcat ranjivosti. Ovde je [eksploit](https://www.exploit-db.com/exploits/48143) koji funkcioniše sa ovim problemom.
|
|
|
|
Ghostcat je LFI ranjivost, ali donekle ograničena: samo datoteke iz određenog puta mogu biti preuzete. Ipak, to može uključivati datoteke kao što su `WEB-INF/web.xml` koje mogu otkriti važne informacije kao što su akreditivi za Tomcat interfejs, u zavisnosti od podešavanja servera.
|
|
|
|
Ispravljene verzije 9.0.31 i više, 8.5.51 i 7.0.100 su rešile ovaj problem.
|
|
|
|
## Enumeration
|
|
|
|
### Automatic
|
|
```bash
|
|
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
|
|
```
|
|
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#ajp)
|
|
|
|
## AJP Proxy
|
|
|
|
### Nginx Reverse Proxy & AJP
|
|
|
|
[Proverite Dockerizovanu verziju](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)
|
|
|
|
Kada naiđemo na otvoren AJP proxy port (8009 TCP), možemo koristiti Nginx sa `ajp_module` za pristup "skrivenom" Tomcat Manager-u. Ovo se može uraditi kompajliranjem Nginx izvornog koda i dodavanjem potrebnog modula, na sledeći način:
|
|
|
|
* Preuzmite Nginx izvorni kod
|
|
* Preuzmite potrebni modul
|
|
* Kompajlirajte Nginx izvorni kod sa `ajp_module`.
|
|
* Kreirajte konfiguracioni fajl koji pokazuje na AJP Port
|
|
```bash
|
|
# Download Nginx code
|
|
wget https://nginx.org/download/nginx-1.21.3.tar.gz
|
|
tar -xzvf nginx-1.21.3.tar.gz
|
|
|
|
# Compile Nginx source code with the ajp module
|
|
git clone https://github.com/dvershinin/nginx_ajp_module.git
|
|
cd nginx-1.21.3
|
|
sudo apt install libpcre3-dev
|
|
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
|
|
make
|
|
sudo make install
|
|
nginx -V
|
|
```
|
|
Komentarišite ceo `server` blok i dodajte sledeće linije unutar `http` bloka u `/etc/nginx/conf/nginx.conf`.
|
|
```shell-session
|
|
upstream tomcats {
|
|
server <TARGET_SERVER>:8009;
|
|
keepalive 10;
|
|
}
|
|
server {
|
|
listen 80;
|
|
location / {
|
|
ajp_keep_conn on;
|
|
ajp_pass tomcats;
|
|
}
|
|
}
|
|
```
|
|
Pokrenite Nginx i proverite da li sve funkcioniše ispravno tako što ćete poslati cURL zahtev na vaš lokalni host.
|
|
```html
|
|
sudo nginx
|
|
curl http://127.0.0.1:80
|
|
|
|
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<title>Apache Tomcat/X.X.XX</title>
|
|
<link href="favicon.ico" rel="icon" type="image/x-icon" />
|
|
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
|
|
<link href="tomcat.css" rel="stylesheet" type="text/css" />
|
|
</headas
|
|
<body>
|
|
<div id="wrapper">
|
|
<div id="navigation" class="curved container">
|
|
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
|
|
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
|
|
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
|
|
<span id="nav-examples"><a href="/examples/">Examples</a></span>
|
|
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
|
|
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
|
|
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
|
|
<br class="separator" />
|
|
</div>
|
|
<div id="asf-box">
|
|
<h1>Apache Tomcat/X.X.XX</h1>
|
|
</div>
|
|
<div id="upper" class="curved container">
|
|
<div id="congrats" class="curved container">
|
|
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
|
|
<SNIP>
|
|
```
|
|
### Nginx Dockerizovana verzija
|
|
```bash
|
|
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
|
|
cd nginx-ajp-docker
|
|
```
|
|
Zamenite `TARGET-IP` u `nginx.conf` sa AJP IP, a zatim izgradite i pokrenite.
|
|
```bash
|
|
docker build . -t nginx-ajp-proxy
|
|
docker run -it --rm -p 80:80 nginx-ajp-proxy
|
|
```
|
|
### Apache AJP Proxy
|
|
|
|
Susret sa otvorenim portom 8009 bez drugih dostupnih web portova je retkost. Ipak, moguće je iskoristiti ga koristeći **Metasploit**. Korišćenjem **Apache** kao proksija, zahtevi se mogu preusmeriti na **Tomcat** na portu 8009.
|
|
```bash
|
|
sudo apt-get install libapache2-mod-jk
|
|
sudo vim /etc/apache2/apache2.conf # append the following line to the config
|
|
Include ajp.conf
|
|
sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address
|
|
ProxyRequests Off
|
|
<Proxy *>
|
|
Order deny,allow
|
|
Deny from all
|
|
Allow from localhost
|
|
</Proxy>
|
|
ProxyPass / ajp://HOST:8009/
|
|
ProxyPassReverse / ajp://HOST:8009/
|
|
sudo a2enmod proxy_http
|
|
sudo a2enmod proxy_ajp
|
|
sudo systemctl restart apache2
|
|
```
|
|
Ova postavka nudi potencijal za zaobilaženje sistema za detekciju i prevenciju upada (IDS/IPS) zbog **binarne prirode AJP protokola**, iako ova sposobnost nije verifikovana. Usmeravanjem redovnog Metasploit Tomcat eksploita na `127.0.0.1:80`, možete efikasno preuzeti kontrolu nad ciljnim sistemom.
|
|
```bash
|
|
msf exploit(tomcat_mgr_deploy) > show options
|
|
```
|
|
## Reference
|
|
|
|
* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx\_ajp\_module)
|
|
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
|
|
|
|
<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Pridružite se [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) serveru da komunicirate sa iskusnim hakerima i lovcima na greške!
|
|
|
|
**Hacking Insights**\
|
|
Uključite se u sadržaj koji istražuje uzbuđenje i izazove hakovanja
|
|
|
|
**Real-Time Hack News**\
|
|
Budite u toku sa brzim svetom hakovanja kroz vesti i uvide u realnom vremenu
|
|
|
|
**Latest Announcements**\
|
|
Budite informisani o najnovijim nagradama za greške i važnim ažuriranjima platforme
|
|
|
|
**Pridružite nam se na** [**Discord**](https://discord.com/invite/N3FrSbmwdy) i počnite da sarađujete sa vrhunskim hakerima danas!
|
|
|
|
{% hint style="success" %}
|
|
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Podrška HackTricks</summary>
|
|
|
|
* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
|
|
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
|
|
|
|
</details>
|
|
{% endhint %}
|