https://github.com/doyensec/ajpfuzzer

A command-line fuzzer for the Apache JServ Protocol (ajp13)

# AJPFuzzer - A command-line fuzzer for AJPv1.3

**AJPFuzzer** is a rudimentary fuzzer for the [Apache JServ Protocol](https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html) (ajp13).

Built on top of [libajp13](https://github.com/doyensec/libajp13), the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services such as web server AJP modules, J2EE containers, and many others.

### How To Use it

1. Download the latest AJPFuzzer jar from the [releases page](https://github.com/doyensec/ajpfuzzer/releases).
2. Execute the downloaded jar using:

```
$ java -jar ajpfuzzer_v0.7.jar
```

3. The tool will open an interactive shell. Typing *?list* lists all available commands. At this point, you can connect to the target using:

```
AJPFuzzer> connect 127.0.0.1 8009
```

4. Then, you can send a *CPing* message (type 10) by simply typing '10' (no arguments are needed for this message):

```
AJPFuzzer/127.0.0.1:8009> 10
```

The following screenshot illustrates the entire execution:

![CPing message using AJPFuzzer](http://i.imgur.com/22lHxX3.png)

It is also possible to send more complex messages by specifying the appropriate test case and arguments. Please refer to *?list* for all details on a specific command.

For example, we can send a fully customized *ForwardRequest* type message using:

```
> forwardrequest 2 "HTTP/1.1" "/api/" 127.0.0.1 localhost porto 8009 false "Cookie:AAAA=BBBB" ""
```

It's also possible to send a *ForwardRequest* message fuzzing arbitrary elements:

```
> genericfuzz 2 "HTTP/1.1" "/test.html" "127.0.0.1" "127.0.0.1" "server.name.test" 8009 false "Cookie:AAAA=BBBB" "secret:FUZZ" /tmp/list.txt
```

![ForwardRequest message using AJPFuzzer](http://i.imgur.com/5j5JYre.png)

### Available test cases and further customization

As of today, AJPFuzzer provides the following test cases:

Id | Name | Description
--- |---------------------| ---
1 | body | Send a body message from the web server to the J2EE container
2 | forwardrequest | Begin the request processing cycle from the web server to the J2EE container
3 | sendbodychunk | Send a chunk of the body from the J2EE container to the web server
4 | sendheaders | Send the response headers from the J2EE container to the web server
5 | endresponse | Mark the end of the response, from the J2EE container to the web server
6 | getbodychunk | Get further data from the requestor. Message from the J2EE container to the web server
7 | shutdown | Send a standard shutdown AJP13 packet
8 | ping | Send a ping (ping != CPing) AJP13 packet
9 | cpong | Send a CPong AJP13 packet
10 | cping | Send a CPing AJP13 packet
11 | forwardreqalltypes | Send a ForwardRequest AJP13 packet, with all possible packet types
12 | verbtampering | Send multiple requests via AJP13 and do HTTP Verb Tampering, to detect potential authentication bypass flaws
13 | jettyleak | Send a JettyLeak style AJP13 packet
14 | hugelengthsmallbody | Send ForwardRequest+Body messages, with a big Content-Length and small Body
15 | hugeheader | Send two AJP13 ForwardRequest packets with header length greater than 0x9999 (e.g. A010)
16 | fuzzbit | Create a complex AJP13 ForwardRequest and start bit flipping
17 | fuzzslice | Create an AJP13 ForwardRequest, SendHeaders, ShutDown, 0xFF, 0x00. Slice and send.
18 | servletpath | Create an AJP13 ForwardRequest with arbitrary 'servlet_path' attribute
19 | bypassauthnull | Create two AJP13 ForwardRequest packets with auth_type set to 'null'
20 | envars | Create an AJP13 ForwardRequest with req_attribute_code (10) in order to set arbitrary environment variables
21 | hugepacketsize | Create two AJP13 requests with size > 8192 bytes
22 | genericfuzz | Create an AJP13 ForwardRequest (GET) that allows fuzzing arbitrary message elements using the `FUZZ` keyword

New test cases can be added by extending the [AJPTestCases.java](https://github.com/doyensec/ajpfuzzer/blob/master/src/com/doyensec/ajpfuzzer/AJPTestCases.java) class. Using the *@Command* annotation, the tool will recognize the additional command and make it available from the CLI.
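
When reading results from cases such as *cping*, *hugepacketsize* and *fuzzslice*, it helps to know what a well-behaved receiver should check before it looks at a message body. The following Python sketch is an added example, not code from AJPFuzzer or libajp13; it validates AJP13 framing and recognises a CPong reply. The function names, the constructed samples and the choice to apply the 8192-byte limit to the whole frame are assumptions of this example.

```python
import struct

TO_CONTAINER = b"\x12\x34"  # magic on web server -> container packets
TO_SERVER = b"AB"           # magic on container -> web server packets
MAX_PACKET = 8192           # assumption: limit applied to the whole frame
CPING, CPONG = 0x0A, 0x09   # prefix codes from the AJP13 specification

class FrameError(ValueError):
    """Raised when a buffer does not start with one well-formed AJP13 frame."""

def build_cping() -> bytes:
    # Magic, 2-byte big-endian payload length, then the one-byte prefix code.
    return TO_CONTAINER + struct.pack(">H", 1) + bytes([CPING])

def parse_frame(buf: bytes, magic: bytes = TO_CONTAINER):
    """Validate one frame; return (prefix_code, payload, leftover_bytes)."""
    if len(buf) < 4:
        raise FrameError("truncated header")
    if buf[:2] != magic:
        raise FrameError("bad magic")
    (length,) = struct.unpack(">H", buf[2:4])
    if length == 0:
        raise FrameError("no prefix code")
    if 4 + length > MAX_PACKET:
        raise FrameError("declared length exceeds packet limit")
    if len(buf) < 4 + length:
        raise FrameError("declared length exceeds received data")
    payload = buf[4:4 + length]
    return payload[0], payload, buf[4 + length:]

def is_cpong(reply: bytes) -> bool:
    """True only for an exact CPong frame with nothing trailing."""
    try:
        code, payload, rest = parse_frame(reply, TO_SERVER)
    except FrameError:
        return False
    return code == CPONG and len(payload) == 1 and not rest

def classify(buf: bytes) -> str:
    """Label a buffer the way a receiver-side framing check would."""
    try:
        code, _, rest = parse_frame(buf)
    except FrameError as exc:
        return f"reject: {exc}"
    return f"accept: prefix {code}, {len(rest)} trailing byte(s)"

# Constructed samples (not captured traffic): a CPing, and a header claiming 9000 bytes.
SAMPLES = [build_cping(), TO_CONTAINER + struct.pack(">H", 9000) + b"\x02"]
```

A service that still accepts the second sample, or that replies to a frame whose declared length exceeds the bytes received, is trusting the length field without checking it.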