Home

Awesome

AJPFuzzer - A command-line fuzzer for AJPv1.3

AJPFuzzer is a rudimental fuzzer for the Apache JServ Protocol (ajp13).

Built on top of libajp13, the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers AJP modules, J2EE containers, and many others.

How To Use it

  1. Download the latest AJPFuzzer jar from the releases page

  2. Execute the downloaded jar using:

     $ java -jar ajpfuzzer_v0.7.jar
    
  3. The tool will prompt a shell. By typing ?list, it is possible to list all available commands. At this point, you can connect to the target using:

     AJPFuzzer> connect 127.0.0.1 8009
    
  4. Then, you can send a CPing message (type 10) by simply typing '10' (no arguments are needed for this message)

     AJPFuzzer/127.0.0.1:8009> 10
    

The following screenshot illustrates the entire execution:

CPing message using AJPFuzzer

Obviously, it is possible to send more complex messages by specifying the appropriate test case and arguments. Please refer to ?list <command> for all details on a specific command.

For example, we can send a fully customized ForwardRequest type message using:

> forwardrequest 2 "HTTP/1.1" "/api/" 127.0.0.1 localhost porto 8009 false "Cookie:AAAA=BBBB" ""

It's also possible to send a ForwardRequest message fuzzing arbitrary elements:

> genericfuzz 2 "HTTP/1.1" "/test.html" "127.0.0.1" "127.0.0.1" "server.name.test" 8009 false "Cookie:AAAA=BBBB" "secret:FUZZ" /tmp/list.txt

ForwardRequest message using AJPFuzzer

Available test cases and further customization.

As of today, AJPFuzzer provides the following test cases:

IdNameDescription
1bodySend a body message from the web server to the J2EE container
2forwardrequestBegin the request processing cycle from the web server to the J2EE container
3sendbodychunkSend a chunk of the body from the J2EE container to the web server
4sendheadersSend the response headers from the J2EE container to the web server
5endresponseMark the end of the response, from the J2EE container to the web server
6getbodychunkGet further data from the requestor. Message from the J2EE container to the web server
7shutdownSend a standard shutdown AJP13 packet
8pingSend a ping (ping != CPing) AJP13 packet
9cpongSend a CPong AJP13 packet
10cpingSend a CPing AJP13 packet
11forwardreqalltypesSend a ForwardRequest AJP13 packet, with all possible packet types
12verbtamperingSend multiple requests via AJP13 and do HTTP Verb Tampering, to detect potential authentication bypass flaws
13jettyleakSend a JettyLeak style AJP13 packet
14hugelengthsmallbodySend ForwardRequest+Body messages, with a big Content-Length and small Body
15hugeheaderSend two AJP13 ForwardRequest packets with header length greater than 0x9999 (e.g. A010)
16fuzzbitCreate a complex AJP13 ForwardRequest and start bit flipping
17fuzzsliceCreate an AJP13 ForwardRequest, SendHeaders, ShutDown, 0xFF, 0x00. Slice and send.
18servletpathCreate an AJP13 ForwardRequest with arbitrary 'servlet_path' attribute
19bypassauthnullCreate two AJP13 ForwardRequest with auth_type set to 'null'
20envarsCreate an AJP13 ForwardRequest with req_attribute_code (10) in order to set arbitrary environmental variables
21hugepacketsizeCreate two AJP13 requests with size > 8192 bytes
22genericfuzzCreate an AJP13 ForwardRequest (GET) that allows fuzzing arbitrary message elements using the FUZZ keyword

New test cases can be added by extending the AJPTestCases.java class. Using the @Command annotation, the tool will recognize the additional command and make it available from the CLI.