---
title: "8009 - Ajp"
weight: 8009
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **学习提示**: 本文档介绍 **8009 - Apache JServ (AJP)** 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

---

Also interesting:

> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles

**默认 port:** 8009

```
PORT     STATE SERVICE
8009/tcp open  ajp13
```

### CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)

This is an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials. This is an [exploit](https://www.exploit-db.com/exploits/48143) to abuse the vulnerability and AJP exposed ports might be vulnerable to it.

The patched versions are at or above 9.0.31, 8.5.51, and 7.0.100.

### 信息收集

#### Automatic

```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
```

#### [**Brute force**](../generic-hacking/brute-force.md#ajp)

### AJP 代理

#### Nginx Reverse 代理 + AJP

([Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version))

It's possible to communicate with an open AJP proxy port (8009 TCP) by using the Nginx `ajp_module` apache module and access the Tomat Manager from this port which could ultimately lead to 远程代码执行 in the vulnerable server.

- Start downloading Nginx from [https://nginx.org/en/download.html](https://nginx.org/en/download.html) and then compile it with the ajp module:

```bash
## Compile Nginx with the ajp module
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-version
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install
nginx -V
```

- Then, comment the `server` block and add the following in the `http` block in `/etc/nginx/conf/nginx.conf`.

```json
upstream tomcats {
	server <TARGET_SERVER>:8009;
	keepalive 10;
	}
server {
	listen 80;
	location / {
		ajp_keep_conn on;
		ajp_pass tomcats;
	}
}
```

- Finally, start nginx (`sudo nginx`) and check it works by accessing `http://127.0.0.1`

#### Nginx Dockerized-version

```bash
git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker
```

Replace `TARGET-IP` in `nginx.conf` witg AJP IP then build and run

```bash
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy
```

#### Apache AJP 代理

It's also possible to use an **Apache AJP proxy** to access that port instead of **Nginx**.

---


### 搜索引擎语法

#### FOFA

```bash
# FOFA 搜索语法
port="8009"
```

#### Shodan

```bash
# Shodan 搜索语法
port:8009
```

#### ZoomEye

```bash
# ZoomEye 搜索语法
port:8009
```

---

## 📖 参考资料

- [HackTricks - 8009-ajp](https://book.hacktricks.wiki/en/network-services-pentesting/8009-ajp.html)