8009 - Pentesting Apache JServ Protocol (AJP)

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Basic Information

From: https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/

AJP is a wire protocol. It is an optimized version of the HTTP protocol that lets a standalone web server such as Apache talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat-related content.

Also interesting:

The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.
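The framing just described (two fixed magic bytes, a 2-byte big-endian length, then a payload whose first byte is the packet type) is small enough to decode by hand. The following Python codec is an added example written for this page, not code from HackTricks or from the Tomcat project: the magic bytes, prefix codes and string encoding come from the AJP13 protocol reference, the sample exchange is constructed, and applying the 8 KiB bound to the whole frame including its header is an assumption. It is the kind of parser a protocol monitor would run before trusting anything about a packet.

```python
import struct

# AJP13 framing constants (AJP13 protocol reference); everything else here is constructed.
MAGIC_TO_CONTAINER = b"\x12\x34"   # web server -> servlet container
MAGIC_FROM_CONTAINER = b"AB"       # servlet container -> web server
MAX_PACKET_SIZE = 8192             # assumption: 8 KiB bound applied to the whole frame

PREFIX_NAMES = {
    2: "Forward Request", 7: "Shutdown", 8: "Ping", 10: "CPing",    # to container
    3: "Send Body Chunk", 4: "Send Headers", 5: "End Response",      # from container
    6: "Get Body Chunk", 9: "CPong",
}
METHOD_NAMES = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}


def encode_string(s):
    """AJP string: 2-byte big-endian length, the bytes, a terminating NUL."""
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def decode_string(buf, offset):
    """Inverse of encode_string; returns (value, new_offset). Length 0xFFFF encodes 'absent'."""
    (length,) = struct.unpack(">H", buf[offset:offset + 2])
    if length == 0xFFFF:
        return None, offset + 2
    start, end = offset + 2, offset + 2 + length
    if buf[end:end + 1] != b"\x00":
        raise ValueError("AJP string missing NUL terminator")
    return buf[start:end].decode("latin-1"), end + 1


def encode_packet(payload, to_container=True):
    """Wrap a payload in an AJP13 frame: magic, 2-byte length, payload."""
    if len(payload) + 4 > MAX_PACKET_SIZE:
        raise ValueError("payload exceeds AJP13 packet size")
    magic = MAGIC_TO_CONTAINER if to_container else MAGIC_FROM_CONTAINER
    return magic + struct.pack(">H", len(payload)) + payload


def decode_packet(data):
    """Parse one frame from the start of `data` into a summary dict.

    Magic, declared length and body are validated first: a monitor must not
    interpret packet types from bytes that are not a well-formed frame."""
    if len(data) < 4:
        raise ValueError("truncated AJP13 header")
    magic = data[:2]
    if magic == MAGIC_TO_CONTAINER:
        direction = "to-container"
    elif magic == MAGIC_FROM_CONTAINER:
        direction = "from-container"
    else:
        raise ValueError("bad AJP13 magic %r" % magic)
    (length,) = struct.unpack(">H", data[2:4])
    if length + 4 > MAX_PACKET_SIZE:
        raise ValueError("declared length %d exceeds AJP13 packet size" % length)
    if len(data) < 4 + length:
        raise ValueError("truncated AJP13 payload")
    payload = data[4:4 + length]
    info = {"direction": direction, "length": length, "consumed": 4 + length,
            "prefix": payload[0] if payload else None}
    info["type"] = PREFIX_NAMES.get(info["prefix"], "unknown")
    if info["prefix"] == 2:
        # Forward Request: prefix, method code, then protocol, req_uri, remote_addr,
        # remote_host, server_name as AJP strings, then server_port and is_ssl.
        info["method"] = METHOD_NAMES.get(payload[1], "unknown")
        off = 2
        for field in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
            info[field], off = decode_string(payload, off)
        (info["server_port"],) = struct.unpack(">H", payload[off:off + 2])
        info["is_ssl"] = payload[off + 2] != 0
    return info


def decode_stream(data):
    """Split a captured byte stream into its consecutive frames (both directions allowed)."""
    frames = []
    while data:
        info = decode_packet(data)
        frames.append(info)
        data = data[info["consumed"]:]
    return frames


def is_valid_frame(data):
    """True if `data` starts with a well-formed AJP13 frame."""
    try:
        decode_packet(data)
        return True
    except ValueError:
        return False


# Constructed sample exchange: a CPing, the container's CPong, then a minimal
# GET / forward request with no headers and no request attributes.
FORWARD_REQUEST = (
    b"\x02\x02"                                  # prefix 2 (Forward Request), method 2 (GET)
    + encode_string("HTTP/1.1") + encode_string("/")
    + encode_string("127.0.0.1") + encode_string("localhost") + encode_string("localhost")
    + struct.pack(">H", 80) + b"\x00"            # server_port, is_ssl
    + b"\x00\x00"                                # num_headers = 0
    + b"\xff"                                    # request terminator
)
SAMPLE_STREAM = (
    encode_packet(b"\x0a")                       # CPing (prefix 10)
    + encode_packet(b"\x09", to_container=False) # CPong (prefix 9)
    + encode_packet(FORWARD_REQUEST)
)

if __name__ == "__main__":
    for frame in decode_stream(SAMPLE_STREAM):
        print(frame)
```

Plain HTTP sent to the same socket fails the magic check immediately, which is why an HTTP-only scanner or signature set sees nothing useful on this port.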

Default port: 8009

PORT     STATE SERVICE
8009/tcp open  ajp13

CVE-2020-1938 'Ghostcat'

If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an exploit that works with this issue.

Ghostcat is an LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like WEB-INF/web.xml, which can leak important information such as credentials for the Tomcat interface, depending on the server setup.

Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.
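The version thresholds above are easy to get wrong when comparing strings by eye, and the fixed Tomcat releases also changed the AJP connector defaults (it refuses to start without a `secret` unless `secretRequired` is set to `false`). The following Python helper is an added example written for this page, not code from HackTricks or Tomcat: it compares a version against the three fixed releases listed above, and audits the AJP `Connector` elements of a `server.xml` for the mitigations a defender would want (bound to loopback, shared secret configured, `secretRequired` not disabled). The two `server.xml` fragments are constructed and the secret value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases for CVE-2020-1938 (from the page), keyed by major branch.
GHOSTCAT_FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version %r" % text)
    return tuple(int(x) for x in m.groups())


def is_ghostcat_patched(version):
    """True/False for the 7.x, 8.5.x and 9.0.x branches; None for branches not on the page."""
    v = parse_version(version)
    fixed = GHOSTCAT_FIXED.get(v[0])
    if fixed is None:
        return None  # e.g. 10.x: not covered by the table above, check the vendor advisory
    return v >= fixed


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP Connector in a server.xml string.

    A connector that is commented out is not parsed at all, which is the
    strongest mitigation: no AJP listener, nothing to reach on 8009."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        secret = conn.get("secret")
        # In the fixed releases secretRequired defaults to true; only an explicit 'false' disables it.
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        issues = []
        if address not in LOOPBACK:
            issues.append("listens on %s; bind to loopback unless a remote proxy needs it"
                          % (address or "all interfaces"))
        if not secret:
            issues.append("no shared secret configured; set 'secret' so only the proxy can speak AJP")
        if not secret_required:
            issues.append("secretRequired=\"false\" accepts AJP from any client without a secret")
        findings.append({"port": conn.get("port", ""), "issues": issues})
    return findings


# Constructed fragments: a pre-hardening connector and a hardened one.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"/>
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for ver in ("9.0.30", "9.0.31", "8.5.51", "7.0.99"):
        print(ver, "patched" if is_ghostcat_patched(ver) else "vulnerable")
    print("weak:", audit_ajp_connectors(WEAK_SERVER_XML))
    print("hardened:", audit_ajp_connectors(HARDENED_SERVER_XML))
```

Note that the audit only reads `server.xml`; a patched version with the connector still bound to all interfaces and no secret is what the Nginx and Apache proxy sections below rely on, so both checks matter.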

Enumeration

Automatic

```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
```

Brute force

AJP Proxy

Nginx Reverse Proxy & AJP

Check out the Dockerized version

When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the ajp_module to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows:

  • Download the Nginx source code
  • Download the required module
  • Compile the Nginx source code with the ajp_module
  • Create a configuration file pointing at the AJP port
```bash
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz

# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```

Comment out the entire server block and append the following lines inside the http block in /etc/nginx/conf/nginx.conf.

```nginx
upstream tomcats {
    server <TARGET_SERVER>:8009;
    keepalive 10;
}
server {
    listen 80;
    location / {
        ajp_keep_conn on;
        ajp_pass tomcats;
    }
}
```

Start Nginx and check that everything works by issuing a cURL request to your local host.

```bash
sudo nginx
curl http://127.0.0.1:80
```

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="navigation" class="curved container">
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
<span id="nav-examples"><a href="/examples/">Examples</a></span>
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
<br class="separator" />
</div>
<div id="asf-box">
<h1>Apache Tomcat/X.X.XX</h1>
</div>
<div id="upper" class="curved container">
<div id="congrats" class="curved container">
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
<SNIP>
```

Nginx Dockerized version

```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```

Replace TARGET-IP in nginx.conf with the AJP IP, then build and run:

```bash
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```

Apache AJP Proxy

Encountering an open port 8009 with no other accessible web ports is rare. However, it is still possible to exploit it using Metasploit. By using Apache as a proxy, requests can be redirected to Tomcat on port 8009.

```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from localhost
</Proxy>
ProxyPass       / ajp://HOST:8009/
ProxyPassReverse    / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```

This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) because of the AJP protocol's binary nature, although this capability has not been verified. By pointing a regular Metasploit Tomcat exploit at 127.0.0.1:80, you can effectively take control of the targeted system.

```bash
msf  exploit(tomcat_mgr_deploy) > show options
```
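Because HTTP-oriented signatures may not fire on AJP framing, the more reliable defensive signal is simply who is speaking AJP at all: only the designated reverse proxies should ever reach the connector. The following Python check is an added example written for this page, not code from HackTricks, Tomcat or any IDS product. The flow records are constructed in a Zeek-like tab-separated layout (not real Zeek output), the proxy allowlist is hypothetical, and the magic-byte test reuses only the two fixed bytes from the AJP13 framing, so it also catches AJP moved to a non-standard port.

```python
# Constructed flow records (Zeek-like tab-separated columns; not real Zeek output).
# Columns: ts, id.orig_h, id.resp_h, id.resp_p, first_payload_hex
SAMPLE_FLOWS = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tfirst_payload_hex
1700000000.1\t10.0.0.10\t10.0.0.20\t8009\t123400010a
1700000001.2\t10.0.0.55\t10.0.0.20\t8009\t123400010a
1700000002.3\t10.0.0.55\t10.0.0.20\t9999\t1234010802020008
1700000003.4\t10.0.0.55\t10.0.0.20\t443\t160301
1700000004.5\tmalformed record
"""

# Hypothetical allowlist: the only hosts that should ever open AJP connections.
KNOWN_PROXIES = {"10.0.0.10"}
AJP_PORT = "8009"
AJP_MAGIC_HEX = "1234"      # client -> container frames start with 0x12 0x34
MAX_AJP_PAYLOAD = 8188      # 8 KiB frame minus the 4-byte header (assumption, see above)


def looks_like_ajp(first_payload_hex):
    """Magic bytes plus a plausible declared length; the length check trims false positives."""
    h = first_payload_hex.lower()
    if not h.startswith(AJP_MAGIC_HEX) or len(h) < 8:
        return False
    declared_len = int(h[4:8], 16)
    return 0 < declared_len <= MAX_AJP_PAYLOAD


def parse_flow(line):
    """Return (src, dst, dport, payload_hex) or None for comments and malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) != 5:
        return None
    _ts, src, dst, dport, payload = fields
    return src, dst, dport, payload


def flag_ajp_flows(text, known_proxies):
    """Alert on AJP traffic that does not originate from a known reverse proxy.

    Two cases: anything reaching the AJP port, and AJP magic bytes on any other
    port (a connector moved off 8009 is still a connector)."""
    alerts = []
    skipped = 0
    for line in text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            skipped += 1
            continue
        src, dst, dport, payload = parsed
        if src in known_proxies:
            continue
        if dport == AJP_PORT:
            reason = "AJP port reached from a host that is not a known reverse proxy"
        elif looks_like_ajp(payload):
            reason = "AJP magic bytes on non-standard port %s" % dport
        else:
            continue
        alerts.append({"src": src, "dst": dst, "dport": dport, "reason": reason})
    return alerts, skipped


if __name__ == "__main__":
    found, skipped = flag_ajp_flows(SAMPLE_FLOWS, KNOWN_PROXIES)
    for a in found:
        print("%s -> %s:%s  %s" % (a["src"], a["dst"], a["dport"], a["reason"]))
    print("skipped %d comment/malformed lines" % skipped)
```

The `skipped` counter is there on purpose: a detection that silently drops malformed records hides exactly the gaps an attacker benefits from, so it is reported rather than ignored.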
