Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking InsightsEngage with content that delves into the thrill and challenges of hacking
Real-Time Hack NewsKeep up-to-date with fast-paced hacking world through real-time news and insights
Latest AnnouncementsStay informed with the newest bug bounties launching and crucial platform updates
Join us on Discord and start collaborating with top hackers today!
Basic Information
From: https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/
AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as Apache to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
Also interesting:
The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles
Default port: 8009
PORT STATE SERVICE8009/tcp open ajp13
CVE-2020-1938 'Ghostcat'
CVE-2020-1938 'Ghostcat'
If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an exploit that works with this issue.
Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like WEB-INF/web.xml
which can leak important information like credentials for the Tomcat interface, depending on the server setup.
Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.
Enumeration
Automatic
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
Brute force
Brute force
AJP Proxy
Nginx Reverse Proxy & AJP
Checkout the Dockerized version
When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the ajp_module
to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows:
Download the Nginx source code
Download the required module
Compile Nginx source code with the
ajp_module
.Create a configuration file pointing to the AJP Port
# Download Nginx codewget https://nginx.org/download/nginx-1.21.3.tar.gztar -xzvf nginx-1.21.3.tar.gz# Compile Nginx source code with the ajp modulegit clone https://github.com/dvershinin/nginx_ajp_module.gitcd nginx-1.21.3sudo apt install libpcre3-dev./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modulesmakesudo make installnginx -V
Comment out the entire server
block and append the following lines inside the http
block in /etc/nginx/conf/nginx.conf
.
upstream tomcats {server <TARGET_SERVER>:8009;keepalive 10;}server {listen 80;location / {ajp_keep_conn on;ajp_pass tomcats;}}
Start Nginx and check if everything is working correctly by issuing a cURL request to your local host.
sudo nginxcurl http://127.0.0.1:80<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8" /> <title>Apache Tomcat/X.X.XX</title> <link href="favicon.ico" rel="icon" type="image/x-icon" /> <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" /> <link href="tomcat.css" rel="stylesheet" type="text/css" /> </headas <body> <div id="wrapper"> <div id="navigation" class="curved container"> <span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span> <span id="nav-hosts"><a href="/docs/">Documentation</a></span> <span id="nav-config"><a href="/docs/config/">Configuration</a></span> <span id="nav-examples"><a href="/examples/">Examples</a></span> <span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span> <span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span> <span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span> <br class="separator" /> </div> <div id="asf-box"> <h1>Apache Tomcat/X.X.XX</h1> </div> <div id="upper" class="curved container"> <div id="congrats" class="curved container"> <h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2><SNIP>
Nginx Dockerized-version
git clone https://github.com/ScribblerCoder/nginx-ajp-dockercd nginx-ajp-docker
Replace TARGET-IP
in nginx.conf
witg AJP IP then build and run
docker build . -t nginx-ajp-proxydocker run -it --rm -p 80:80 nginx-ajp-proxy
Apache AJP Proxy
Encountering an open port 8009 without any other accessible web ports is rare. However, it is still possible to exploit it using Metasploit. By leveraging Apache as a proxy, requests can be redirected to Tomcat on port 8009.
sudo apt-get install libapache2-mod-jksudo vim /etc/apache2/apache2.conf # append the following line to the config Include ajp.confsudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address ProxyRequests Off <Proxy *> Order deny,allow Deny from all Allow from localhost </Proxy> ProxyPass / ajp://HOST:8009/ ProxyPassReverse / ajp://HOST:8009/sudo a2enmod proxy_httpsudo a2enmod proxy_ajpsudo systemctl restart apache2
This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) due to the AJP protocol's binary nature, although this capability has not been verified. By directing a regular Metasploit Tomcat exploit to 127.0.0.1:80
, you can effectively seize control of the targeted system.
msf exploit(tomcat_mgr_deploy) > show options
References
Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking InsightsEngage with content that delves into the thrill and challenges of hacking
Real-Time Hack NewsKeep up-to-date with fast-paced hacking world through real-time news and insights
Latest AnnouncementsStay informed with the newest bug bounties launching and crucial platform updates
Join us on Discord and start collaborating with top hackers today!
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.