Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 22:18:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md

205 lines
9.6 KiB
Markdown
Raw Blame History

# 8009 - Pentesting Apache JServ Protocol (AJP)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
## Basic Information
From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
> AJP ni itifaki ya waya. Ni toleo lililoboreshwa la itifaki ya HTTP ili kuruhusu seva ya wavuti huru kama [Apache](http://httpd.apache.org/) kuzungumza na Tomcat. Kihistoria, Apache imekuwa haraka zaidi kuliko Tomcat katika kuhudumia maudhui ya statiki. Wazo ni kumruhusu Apache kuhudumia maudhui ya statiki inapowezekana, lakini kupeleka ombi kwa Tomcat kwa maudhui yanayohusiana na Tomcat.
Pia ni ya kuvutia:
> Itifaki ya ajp13 inaelekezwa kwenye pakiti. Muundo wa binary ulionekana kuchaguliwa badala ya maandiko rahisi yanayosomwa kwa sababu za utendaji. Seva ya wavuti inawasiliana na kontena la servlet kupitia muunganisho wa TCP. Ili kupunguza mchakato ghali wa uundaji wa socket, seva ya wavuti itajaribu kudumisha muunganisho wa TCP wa kudumu kwa kontena la servlet, na kutumia muunganisho mmoja kwa mizunguko kadhaa ya ombi/jibu.
**Default port:** 8009
```
PORT STATE SERVICE
8009/tcp open ajp13
```
## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
Ikiwa bandari ya AJP imewekwa wazi, Tomcat inaweza kuwa hatarini kwa udhaifu wa Ghostcat. Hapa kuna [exploit](https://www.exploit-db.com/exploits/48143) inayofanya kazi na tatizo hili.
Ghostcat ni udhaifu wa LFI, lakini kwa namna fulani umewekwa mipaka: faili tu kutoka kwenye njia fulani zinaweza kuvutwa. Hata hivyo, hii inaweza kujumuisha faili kama `WEB-INF/web.xml` ambazo zinaweza kuvuja taarifa muhimu kama vile akidi za kiingilio kwa interface ya Tomcat, kulingana na usanidi wa seva.
Toleo zilizorekebishwa katika au juu ya 9.0.31, 8.5.51, na 7.0.100 zimefanya marekebisho ya tatizo hili.
## Enumeration
### Automatic
```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
```
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#ajp)
## AJP Proxy
### Nginx Reverse Proxy & AJP
[Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)
Wakati tunakutana na bandari ya AJP proxy iliyo wazi (8009 TCP), tunaweza kutumia Nginx na `ajp_module` kufikia "meneja" wa Tomcat uliofichwa. Hii inaweza kufanywa kwa kukusanya msimbo wa chanzo wa Nginx na kuongeza moduli inayohitajika, kama ifuatavyo:
* Pakua msimbo wa chanzo wa Nginx
* Pakua moduli inayohitajika
* Kusanya msimbo wa chanzo wa Nginx na `ajp_module`.
* Unda faili ya usanidi inayotaja AJP Port
```bash
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz
# Compile Nginx source code with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```
Comment out the entire `server` block and append the following lines inside the `http` block in `/etc/nginx/conf/nginx.conf`.
```shell-session
upstream tomcats {
server <TARGET_SERVER>:8009;
keepalive 10;
}
server {
listen 80;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
}
```
Anza Nginx na uangalie kama kila kitu kinafanya kazi vizuri kwa kutoa ombi la cURL kwa mwenyeji wako wa ndani.
```html
sudo nginx
curl http://127.0.0.1:80
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</headas
<body>
<div id="wrapper">
<div id="navigation" class="curved container">
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
<span id="nav-examples"><a href="/examples/">Examples</a></span>
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
<br class="separator" />
</div>
<div id="asf-box">
<h1>Apache Tomcat/X.X.XX</h1>
</div>
<div id="upper" class="curved container">
<div id="congrats" class="curved container">
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
<SNIP>
```
### Nginx toleo la Docker
```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```
Replace `TARGET-IP` in `nginx.conf` na AJP IP kisha jenga na endesha
```bash
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```
### Apache AJP Proxy
Kukutana na bandari wazi 8009 bila bandari nyingine za wavuti zinazopatikana ni nadra. Hata hivyo, bado inawezekana kuitumia kwa kutumia **Metasploit**. Kwa kutumia **Apache** kama proxy, maombi yanaweza kuelekezwa kwa **Tomcat** kwenye bandari 8009.
```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://HOST:8009/
ProxyPassReverse / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```
Hii mipangilio inatoa uwezo wa kupita mifumo ya kugundua na kuzuia uvamizi (IDS/IPS) kutokana na **asili ya binary ya protokali ya AJP**, ingawa uwezo huu haujathibitishwa. Kwa kuelekeza uvamizi wa kawaida wa Metasploit Tomcat kwa `127.0.0.1:80`, unaweza kwa ufanisi kuchukua udhibiti wa mfumo ulengwa.
```bash
msf exploit(tomcat_mgr_deploy) > show options
```
## References
* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx\_ajp\_module)
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!
**Hacking Insights**\
Shiriki na maudhui yanayochunguza msisimko na changamoto za hacking
**Real-Time Hack News**\
Baki na habari za hivi punde katika ulimwengu wa hacking kupitia habari na maarifa ya wakati halisi
**Latest Announcements**\
Baki na taarifa kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa
**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na uanze kushirikiana na hackers bora leo!
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki hila za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink