8009 - Pentesting Apache JServ Protocol (AJP)

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Basic Information

From https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/

AJP ni itifaki ya waya. Ni toleo lililoboreshwa la itifaki ya HTTP ili kuruhusu seva ya wavuti huru kama Apache kuzungumza na Tomcat. Kihistoria, Apache imekuwa haraka zaidi kuliko Tomcat katika kuhudumia maudhui ya statiki. Wazo ni kumruhusu Apache kuhudumia maudhui ya statiki inapowezekana, lakini kupeleka ombi kwa Tomcat kwa maudhui yanayohusiana na Tomcat.

Pia ni ya kuvutia:

Itifaki ya ajp13 inaelekezwa kwenye pakiti. Muundo wa binary ulionekana kuchaguliwa badala ya maandiko rahisi yanayosomwa kwa sababu za utendaji. Seva ya wavuti inawasiliana na kontena la servlet kupitia muunganisho wa TCP. Ili kupunguza mchakato wa gharama kubwa wa uundaji wa socket, seva ya wavuti itajaribu kudumisha muunganisho wa TCP wa kudumu kwa kontena la servlet, na kutumia muunganisho mmoja kwa mizunguko kadhaa ya ombi/jibu.

Default port: 8009

PORT     STATE SERVICE
8009/tcp open  ajp13

CVE-2020-1938 'Ghostcat'

Hii ni LFI vuln ambayo inaruhusu kupata baadhi ya faili kama WEB-INF/web.xml ambayo ina taarifa za kuingia. Hii ni exploit ya kutumia udhaifu huo na bandari za AJP zilizofichuliwa zinaweza kuwa hatarini.

Toleo zilizorekebishwa ziko kwenye au juu ya 9.0.31, 8.5.51, na 7.0.100.

Enumeration

Automatic

nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>

Brute force

AJP Proxy

Nginx Reverse Proxy + AJP

(Tazama toleo la Dockerized)

Inawezekana kuwasiliana na bandari ya AJP proxy iliyo wazi (8009 TCP) kwa kutumia moduli ya Nginx ajp_module ya apache na kufikia Tomat Manager kutoka bandari hii ambayo inaweza hatimaye kusababisha RCE katika seva iliyo hatarini.

Anza kupakua Nginx kutoka https://nginx.org/en/download.html na kisha uunde na moduli ya ajp:

# Compile Nginx with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-version
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V

Kisha, toa maoni kuhusu server block na ongeza yafuatayo katika http block katika /etc/nginx/conf/nginx.conf.

upstream tomcats {
server <TARGET_SERVER>:8009;
keepalive 10;
}
server {
listen 80;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
}

Hatimaye, anzisha nginx (sudo nginx) na hakikisha inafanya kazi kwa kufikia http://127.0.0.1

Nginx Dockerized-version

git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker

Replace TARGET-IP in nginx.conf na AJP IP kisha jenga na endesha

docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy

Apache AJP Proxy

Ni possible pia kutumia Apache AJP proxy kufikia bandari hiyo badala ya Nginx.

References

https://github.com/yaoweibin/nginx_ajp_module