AJPFuzzer is a rudimental fuzzer for the Apache JServ Protocol (ajp13).
Built on top of libajp13, the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers AJP modules, J2EE containers, and many others.
-
Download the latest AJPFuzzer jar from the releases page
-
Execute the downloaded jar using:
$ java -jar ajpfuzzer_v0.7.jar -
The tool will prompt a shell. By typing ?list, it is possible to list all available commands. At this point, you can connect to the target using:
AJPFuzzer> connect 127.0.0.1 8009 -
Then, you can send a CPing message (type 10) by simply typing '10' (no arguments are needed for this message)
AJPFuzzer/127.0.0.1:8009> 10
The following screenshot illustrates the entire execution:
Obviously, it is possible to send more complex messages by specifying the appropriate test case and arguments. Please refer to ?list for all details on a specific command.
For example, we can send a fully customized ForwardRequest type message using:
> forwardrequest 2 "HTTP/1.1" "/api/" 127.0.0.1 localhost porto 8009 false "Cookie:AAAA=BBBB" ""
It's also possible to send a ForwardRequest message fuzzing arbitrary elements:
> genericfuzz 2 "HTTP/1.1" "/test.html" "127.0.0.1" "127.0.0.1" "server.name.test" 8009 false "Cookie:AAAA=BBBB" "secret:FUZZ" /tmp/list.txt
As of today, AJPFuzzer provides the following test cases:
| Id | Name | Description |
|---|---|---|
| 1 | body | Send a body message from the web server to the J2EE container |
| 2 | forwardrequest | Begin the request processing cycle from the web server to the J2EE container |
| 3 | sendbodychunk | Send a chunk of the body from the J2EE container to the web server |
| 4 | sendheaders | Send the response headers from the J2EE container to the web server |
| 5 | endresponse | Mark the end of the response, from the J2EE container to the web server |
| 6 | getbodychunk | Get further data from the requestor. Message from the J2EE container to the web server |
| 7 | shutdown | Send a standard shutdown AJP13 packet |
| 8 | ping | Send a ping (ping != CPing) AJP13 packet |
| 9 | cpong | Send a CPong AJP13 packet |
| 10 | cping | Send a CPing AJP13 packet |
| 11 | forwardreqalltypes | Send a ForwardRequest AJP13 packet, with all possible packet types |
| 12 | verbtampering | Send multiple requests via AJP13 and do HTTP Verb Tampering, to detect potential authentication bypass flaws |
| 13 | jettyleak | Send a JettyLeak style AJP13 packet |
| 14 | hugelengthsmallbody | Send ForwardRequest+Body messages, with a big Content-Length and small Body |
| 15 | hugeheader | Send two AJP13 ForwardRequest packets with header length greater than 0x9999 (e.g. A010) |
| 16 | fuzzbit | Create a complex AJP13 ForwardRequest and start bit flipping |
| 17 | fuzzslice | Create an AJP13 ForwardRequest, SendHeaders, ShutDown, 0xFF, 0x00. Slice and send. |
| 18 | servletpath | Create an AJP13 ForwardRequest with arbitrary 'servlet_path' attribute |
| 19 | bypassauthnull | Create two AJP13 ForwardRequest with auth_type set to 'null' |
| 20 | envars | Create an AJP13 ForwardRequest with req_attribute_code (10) in order to set arbitrary environmental variables |
| 21 | hugepacketsize | Create two AJP13 requests with size > 8192 bytes |
| 22 | genericfuzz | Create an AJP13 ForwardRequest (GET) that allows fuzzing arbitrary message elements using the FUZZ keyword |
New test cases can be added by extending the AJPTestCases.java class. Using the @Command annotation, the tool will recognize the additional command and make it available from the CLI.