From 86061153e93589de1ba54fff5bdfaf6886df02ca Mon Sep 17 00:00:00 2001 From: Christopher Pritchard Date: Tue, 27 Apr 2021 16:58:23 +1200 Subject: [PATCH] Update 8009-pentesting-apache-jserv-protocol-ajp.md Added information about Ghostcat, which I ran into on a recent CTF box. --- pentesting/8009-pentesting-apache-jserv-protocol-ajp.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md index 9a2a223c..5570f7bf 100644 --- a/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md +++ b/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md @@ -17,6 +17,14 @@ PORT STATE SERVICE 8009/tcp open ajp13 ``` +## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat) + +If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue. + +Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like `WEB-INF/web.xml` which can leak important information like credentials for the Tomcat interface, depending on the server setup. + +Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue. + ## Apache AJP Proxy It’s not often that you encounter port 8009 open and port 8080,8180,8443 or 80 closed but it happens. In which case it would be nice to use existing tools like metasploit to still pwn it right? As stated in one of the quotes you can \(ab\)use Apache to proxy the requests to Tomcat port 8009. In the references you will find a nice guide on how to do that \(read it first\), what follows is just an overview of the commands I used on my own machine. I omitted some of the original instruction since they didn’t seem to be necessary.