hypn0s / ajpy
License: BSD 3-Clause "New" or "Revised" License
Uploading large WAR files does not work.
Tomcat error:
sept. 22, 2017 4:43:23 PM org.apache.coyote.ajp.AjpMessage processHeader
GRAVE: Invalid message received with signature 17439
sept. 22, 2017 4:43:23 PM org.apache.coyote.ajp.AjpMessage processHeader
GRAVE: Invalid message received with signature 11565
Test file: https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/browser.jsp
Reading file using CVE-2020-1938
$ python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 172.17.0.2
--webapp=manager is not always the case, it might just be omitted.
Hello, author. I found that you have a problem when matching the version in the regular-expression match; I do not know whether your space is intentional or unintentional. In my practice I encountered the problem that the version does not match; it has now been removed and fixed.
Hey,
First off, great job.
Could you consider creating a pip package (and publishing it to PyPI) for your library so it can be reused in other tools? I'm mostly thinking of patator, for which it would not take a lot of effort to integrate and add AJP support.
Cheers
/AJPy/ajpy/ajp.py
kali2020.4
python 2.7.18
def unpack(stream, fmt):
    print stream, fmt
    size = struct.calcsize(fmt)
    print size
    buf = stream.read(size)
    print buf
    if "" in buf:
        print "error"
    return struct.unpack(fmt, buf)
`<socket._fileobject object at 0x7f4b45690ad0> >HHb
5
error
Traceback (most recent call last):
File "tomcat.py", line 378, in
hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
File "tomcat.py", line 154, in perform_request
responses = self.forward_request.send_and_receive(self.socket, self.stream)
File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 279, in send_and_receive
r = AjpResponse.receive(stream)
File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 385, in receive
r.parse(stream)
File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 342, in parse
self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 50, in unpack
return struct.unpack(fmt, buf)
struct.error: unpack requires a string argument of length 5
`
Hello, I have some questions for you.
first:
if I want to read file in ROOT, what should I do?
for example:
a file is D:\ALL\javaidea\apache-tomcat-8.5.50-src\source\webapps\test.txt
Can I read this? I tried a lot, but I couldn't solve it.:(
second: Can I read it in springboot?
also, I tried a lot, but I couldn't solve it.:(
Please could you add a requirements.txt.
Getting this error anytime I try to run this tool.
Hey there!
I ran across this lib while looking for ways to check for the recent "Ghostcat" CVE. When trying to use the code (both as a lib and using the standalone tomcat.py script) to check for the vuln on a testing host, I encounter timeouts when waiting on a socket. Here's the stacktrace I get when running tomcat.py.
sh-3.2# python tomcat.py version <VULNERABLE HOSTNAME>
Apache Tomcat/8.5.32
sh-3.2# python tomcat.py read_file --webapp=manager /WEB-INF/web.xml <VULNERABLE HOSTNAME>
Traceback (most recent call last):
File "tomcat.py", line 377, in <module>
hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
File "tomcat.py", line 153, in perform_request
responses = self.forward_request.send_and_receive(self.socket, self.stream)
File "/.../AJPy/ajpy/ajp.py", line 274, in send_and_receive
r = AjpResponse.receive(stream)
File "/.../AJPy/ajpy/ajp.py", line 380, in receive
r.parse(stream)
File "/.../AJPy/ajpy/ajp.py", line 337, in parse
self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
File "/.../AJPy/ajpy/ajp.py", line 44, in unpack
buf = stream.read(size)
File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
return self._sock.recv_into(b)
TimeoutError: [Errno 60] Operation timed out
As you can see, I can get the server version correctly from the first call, so there's no issue with connectivity to the host. I'm on MacOS using Python version 3.7.6 (installed via homebrew). Any insight into what's up would be helpful.
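The two tracebacks above end in the same `unpack(stream, ">HHb")` call: once with a read shorter than 5 bytes, once with a socket timeout. As an added example (not AJPy's own code; `read_exact`, `parse_response_header`, `AjpShortRead` and `AjpNoResponse` are hypothetical names, and the sample packet is constructed), a Python 3 reader that reports the two cases separately instead of failing inside `struct.unpack`:

```python
import io
import socket
import struct

AJP_RESPONSE_MAGIC = 0x4142  # "AB": packets sent by the container to the web server
# Constructed sample: END_RESPONSE (prefix code 5) with the reuse flag set.
SAMPLE_END_RESPONSE = b"AB" + struct.pack(">H", 2) + bytes([5, 1])


class AjpShortRead(Exception):
    """The peer closed the stream before a complete field arrived."""


class AjpNoResponse(Exception):
    """The connection stayed open but no data arrived before the timeout."""


def read_exact(stream, size):
    """Return exactly `size` bytes; a single read() may legally return fewer."""
    chunks, remaining = [], size
    while remaining:
        try:
            chunk = stream.read(remaining)
        except (socket.timeout, TimeoutError) as exc:
            raise AjpNoResponse("timed out after %d of %d bytes"
                                % (size - remaining, size)) from exc
        if not chunk:  # b"" means EOF: the peer closed or reset the connection
            raise AjpShortRead("stream ended after %d of %d bytes"
                               % (size - remaining, size))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def unpack(stream, fmt):
    """struct.unpack over a stream, with short reads turned into clear errors."""
    return struct.unpack(fmt, read_exact(stream, struct.calcsize(fmt)))


def parse_response_header(stream):
    """Parse the 5-byte response header: magic, data length, prefix code."""
    magic, data_length, prefix_code = unpack(stream, ">HHb")
    if magic != AJP_RESPONSE_MAGIC:
        raise ValueError("not an AJP response packet: magic 0x%04x" % magic)
    return data_length, prefix_code


if __name__ == "__main__":
    print(parse_response_header(io.BytesIO(SAMPLE_END_RESPONSE)))
```
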
I use it only one time, the target host is down and can't do anything
socket.error: [Errno 10054]
Does the host reject my connection?
What code triggers it?
This is the command I run in PowerShell:
python tomcat.py upload -u admin -p admin Linuxx.war 192.168.0.103
Traceback (most recent call last):
File "tomcat.py", line 366, in
bf.upload(args.filename, args.user, args.password, args.old_version, args.headers)
File "tomcat.py", line 177, in upload
deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
TypeError: 'NoneType' object is not iterable
Add the support for the POST method in order to upload webshell WAR through Tomcat manager.
Currently, the WAR upload fails with the following error:
FAIL - Invalid context path null was specified
Looking in the method send_and_receive() in AjpForwardRequest there are the lines:
    res = []
    i = socket.sendall(self.serialize())
    if self.method == AjpForwardRequest.POST:
        return res
Is there no way to read the payload response when performing a POST?
Hi Julien
Thanks for the scripts. I am having a few issues while trying to use them, not sure if I am following the right steps.
Did not work code:
mymac:AJPy cd$ python tomcat.py version 10.2.2.11 --port 20022
usage: tomcat.py [-h] [--port PORT] [-v] {bf,upload,undeploy,version,list,read_file} ... target
tomcat.py: error: unrecognized arguments: 10.2.2.11 --port
mymac:AJPy cd$ python tomcat.py list 10.2.2.11
Traceback (most recent call last):
  File "tomcat.py", line 355, in <module>
    bf = Tomcat(args.target, args.port)
  File "tomcat.py", line 78, in __init__
    self.socket.connect((target_host, target_port))
ConnectionRefusedError: [Errno 61] Connection refused
This server was vulnerable but the script came back with no.
mymac:AJPy chandan$ python tomcat.py version 10.2.2.12
None
Hi Julien,
I am about to package AJPy for Debian, but found out that the license of AJPy isn't well defined. The header in ajp.py looks like a BSD license, but since you didn't include it completely, I can't know if it's a BSD-2, 3 or 4 clause. Can you clarify this point?
Thanks for your work!
Oy!
The credentials bruteforce feature silently fails due to multiple operations in test_password expecting bytes instead of str.
For example:
def test_password(self, user, password):
    res = False
    stop = False
    self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + b64encode("%s:%s" % (user, password)).replace('\n', '')
b64encode is expecting bytes.
A script should be able to handle the following application servers:
Maybe create an ajpwn.py with modules.