Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/doyensec/ajpfuzzer
A command-line fuzzer for the Apache JServ Protocol (ajp13)
https://github.com/doyensec/ajpfuzzer
ajp ajp13 fuzzer security
Last synced: about 1 month ago
JSON representation
A command-line fuzzer for the Apache JServ Protocol (ajp13)
- Host: GitHub
- URL: https://github.com/doyensec/ajpfuzzer
- Owner: doyensec
- Created: 2017-02-23T14:40:30.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2022-11-15T12:28:26.000Z (about 2 years ago)
- Last Synced: 2024-08-05T17:37:06.966Z (4 months ago)
- Topics: ajp, ajp13, fuzzer, security
- Language: Java
- Size: 36.1 KB
- Stars: 92
- Watchers: 9
- Forks: 18
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - doyensec/ajpfuzzer - A command-line fuzzer for the Apache JServ Protocol (ajp13) (Java)
README
# AJPFuzzer - A command-line fuzzer for AJPv1.3
**AJPFuzzer** is a rudimental fuzzer for the [Apache JServ Protocol](https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html) (ajp13).
Built on top of [libajp13](https://github.com/doyensec/libajp13), the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers AJP modules, J2EE containers, and many others.
### How To Use it1. Download the latest AJPFuzzer jar from the [releases page](https://github.com/doyensec/ajpfuzzer/releases)
2. Execute the downloaded jar using:$ java -jar ajpfuzzer_v0.7.jar
3. The tool will prompt a shell. By typing *?list*, it is possible to list all available commands. At this point, you can connect to the target using:
AJPFuzzer> connect 127.0.0.1 8009
4. Then, you can send a *CPing* message (type 10) by simply typing '10' (no arguments are needed for this message)
AJPFuzzer/127.0.0.1:8009> 10
The following screenshot illustrates the entire execution:
![CPing message using AJPFuzzer](http://i.imgur.com/22lHxX3.png)
Obviously, it is possible to send more complex messages by specifying the appropriate test case and arguments. Please refer to *?list * for all details on a specific command.
For example, we can send a fully customized *ForwardRequest* type message using:
```
> forwardrequest 2 "HTTP/1.1" "/api/" 127.0.0.1 localhost porto 8009 false "Cookie:AAAA=BBBB" ""
```It's also possible to send a *ForwardRequest* message fuzzing arbitrary elements:
```
> genericfuzz 2 "HTTP/1.1" "/test.html" "127.0.0.1" "127.0.0.1" "server.name.test" 8009 false "Cookie:AAAA=BBBB" "secret:FUZZ" /tmp/list.txt
```![ForwardRequest message using AJPFuzzer](http://i.imgur.com/5j5JYre.png)
### Available test cases and further customization.
As of today, AJPFuzzer provides the following test cases:
Id | Name | Description
--- |---------------------| ---
1 | body | Send a body message from the web server to the J2EE container
2 | forwardrequest | Begin the request processing cycle from the web server to the J2EE container
3 | sendbodychunk | Send a chunk of the body from the J2EE container to the web server
4 | sendheaders | Send the response headers from the J2EE container to the web server
5 | endresponse | Mark the end of the response, from the J2EE container to the web server
6 | getbodychunk | Get further data from the requestor. Message from the J2EE container to the web server
7 | shutdown | Send a standard shutdown AJP13 packet
8 | ping | Send a ping (ping != CPing) AJP13 packet
9 | cpong | Send a CPong AJP13 packet
10 | cping | Send a CPing AJP13 packet
11 | forwardreqalltypes | Send a ForwardRequest AJP13 packet, with all possible packet types
12 | verbtampering | Send multiple requests via AJP13 and do HTTP Verb Tampering, to detect potential authentication bypass flaws
13 | jettyleak | Send a JettyLeak style AJP13 packet
14 | hugelengthsmallbody | Send ForwardRequest+Body messages, with a big Content-Length and small Body
15 | hugeheader | Send two AJP13 ForwardRequest packets with header length greater than 0x9999 (e.g. A010)
16 | fuzzbit | Create a complex AJP13 ForwardRequest and start bit flipping
17 | fuzzslice | Create an AJP13 ForwardRequest, SendHeaders, ShutDown, 0xFF, 0x00. Slice and send.
18 | servletpath | Create an AJP13 ForwardRequest with arbitrary 'servlet_path' attribute
19 | bypassauthnull | Create two AJP13 ForwardRequest with auth_type set to 'null'
20 | envars | Create an AJP13 ForwardRequest with req_attribute_code (10) in order to set arbitrary environmental variables
21 | hugepacketsize | Create two AJP13 requests with size > 8192 bytes
22 | genericfuzz | Create an AJP13 ForwardRequest (GET) that allows fuzzing arbitrary message elements using the `FUZZ` keywordNew test cases can be added by extending the [AJPTestCases.java](https://github.com/doyensec/ajpfuzzer/blob/master/src/com/doyensec/ajpfuzzer/AJPTestCases.java) class. Using the *@Command* annotation, the tool will recognize the additional command and make it available from the CLI.