Skip to content

Commit

Permalink
GITBOOK-4444: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
carlospolop authored and gitbook-bot committed Dec 12, 2024
1 parent b3ead69 commit ae33d7c
Show file tree
Hide file tree
Showing 12 changed files with 183 additions and 350 deletions.
2 changes: 1 addition & 1 deletion SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -430,7 +430,7 @@
* [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
* [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
* [Symfony](network-services-pentesting/pentesting-web/symphony.md)
* [Tomcat](network-services-pentesting/pentesting-web/tomcat.md)
* [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md)
* [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
* [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md)
* [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Stay informed with the newest bug bounties launching and crucial platform update

## Basic Information

From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
From [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)

> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
Expand All @@ -49,11 +49,9 @@ PORT STATE SERVICE

## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)

If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue.
This is an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials. This is an [exploit](https://www.exploit-db.com/exploits/48143) to abuse the vulnerability and AJP exposed ports might be vulnerable to it.

Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like `WEB-INF/web.xml` which can leak important information like credentials for the Tomcat interface, depending on the server setup.

Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.
The patched versions are at or above 9.0.31, 8.5.51, and 7.0.100.

## Enumeration

Expand All @@ -67,35 +65,28 @@ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>

## AJP Proxy

### Nginx Reverse Proxy & AJP
### Nginx Reverse Proxy + AJP

[Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)
([Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version))

When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the `ajp_module` to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows:
It's possible to communicate with an open AJP proxy port (8009 TCP) by using the Nginx `ajp_module` apache module and access the Tomat Manager from this port which could ultimately lead to RCE in the vulnerable server.

* Download the Nginx source code
* Download the required module
* Compile Nginx source code with the `ajp_module`.
* Create a configuration file pointing to the AJP Port
* Start downloading Nginx from [https://nginx.org/en/download.html](https://nginx.org/en/download.html) and then compile it with the ajp module:

```bash
# Download Nginx code
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz

# Compile Nginx source code with the ajp module
# Compile Nginx with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
cd nginx-version
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```

Comment out the entire `server` block and append the following lines inside the `http` block in `/etc/nginx/conf/nginx.conf`.
* Then, comment the `server` block and add the following in the `http` block in `/etc/nginx/conf/nginx.conf`.

```shell-session
```json
upstream tomcats {
server <TARGET_SERVER>:8009;
keepalive 10;
Expand All @@ -109,41 +100,7 @@ server {
}
```

Start Nginx and check if everything is working correctly by issuing a cURL request to your local host.

```html
sudo nginx
curl http://127.0.0.1:80

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</headas
<body>
<div id="wrapper">
<div id="navigation" class="curved container">
<span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
<span id="nav-hosts"><a href="/docs/">Documentation</a></span>
<span id="nav-config"><a href="/docs/config/">Configuration</a></span>
<span id="nav-examples"><a href="/examples/">Examples</a></span>
<span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
<span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
<span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
<br class="separator" />
</div>
<div id="asf-box">
<h1>Apache Tomcat/X.X.XX</h1>
</div>
<div id="upper" class="curved container">
<div id="congrats" class="curved container">
<h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
<SNIP>
```
* Finally, start nginx (`sudo nginx`) and check it works by accessing `http://127.0.0.1`

### Nginx Dockerized-version

Expand All @@ -161,36 +118,11 @@ docker run -it --rm -p 80:80 nginx-ajp-proxy

### Apache AJP Proxy

Encountering an open port 8009 without any other accessible web ports is rare. However, it is still possible to exploit it using **Metasploit**. By leveraging **Apache** as a proxy, requests can be redirected to **Tomcat** on port 8009.

```bash
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
ProxyPass / ajp://HOST:8009/
ProxyPassReverse / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```

This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) due to the **AJP protocol's binary nature**, although this capability has not been verified. By directing a regular Metasploit Tomcat exploit to `127.0.0.1:80`, you can effectively seize control of the targeted system.

```bash
msf exploit(tomcat_mgr_deploy) > show options
```
It's also possible to use an **Apache AJP proxy** to access that port instead of **Nginx**.

## References

* [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx_ajp_module)
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)

<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>

Expand Down
Loading

0 comments on commit ae33d7c

Please sign in to comment.