Ghostcat

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

Small standalone Python exploit repository for Ghostcat (CVE-2020-1938) targeting Apache Tomcat over the AJP protocol. The repo contains only a README and one executable script, ghostcat.py. The script implements a custom AJP client using raw sockets and struct packing, performs an AJP liveness check via CPing/CPong, and then attempts file disclosure using multiple methods. The visible primary method crafts a FORWARD_REQUEST packet with request_uri plus malicious javax.servlet.include.path_info and javax.servlet.include.servlet_path attributes to read arbitrary files from the Tomcat server. The main routine iterates over requested file paths, tries three exploitation methods, parses returned content, prints successful output, and writes recovered data to local tmp/ghostcat_*.txt files. README examples show intended targets such as conf/tomcat-users.xml, WEB-INF/web.xml, and conf/server.xml, indicating credential and configuration theft as the main objective. Overall, this is a real network-based file-read exploit rather than a detector, with basic but functional operational capability.

This repository is a small standalone Python 3 exploit for Ghostcat, the Apache Tomcat AJP file inclusion vulnerability (CVE-2020-1938 / CNVD-2020-10487). It contains one code file and one README. The Python script implements low-level AJP/1.3 packet construction and parsing rather than using external libraries. Core components include helpers for packing/unpacking AJP strings, classes for AJP body and forward requests, response handling, and a Tomcat client wrapper that opens a socket to the target AJP listener. The exploit’s main capability is arbitrary file read (LFI) from a vulnerable Tomcat web application. It sends a crafted AJP forward request to the target host and port, then injects three servlet include attributes—javax.servlet.include.request_uri, javax.servlet.include.path_info, and javax.servlet.include.servlet_path—to coerce Tomcat into returning the contents of a chosen file. By default it requests WEB-INF/web.xml, but the operator can supply another relative path with the -f argument. The script prints the returned file contents directly. Repository structure is minimal: README.md explains the vulnerability, usage, and mitigations; CNVD-2020-10487-Tomcat-Ajp-lfi.py is the executable PoC. There is no framework integration, no persistence, no post-exploitation automation, and no built-in RCE payload. Although the README mentions that Ghostcat can be chained with an upload flaw for JSP-based RCE, this repository only implements the LFI stage. Overall, this is an operational network exploit PoC targeting exposed Tomcat AJP services, primarily useful for unauthorized file disclosure validation.

This repository is a small standalone Python proof-of-concept exploit for CVE-2020-1938 (Ghostcat), targeting Apache Tomcat's AJP connector. It contains two files: a Python exploit script and a minimal README with usage instructions. The main file, CVE-2020-1938.py, implements low-level AJP packet construction and parsing rather than relying on external libraries. It defines helpers for packing/unpacking AJP strings and messages, classes for AJP body requests and forward requests, response handling, and a Tomcat client wrapper that connects to a user-supplied host and port. The exploit's core capability is arbitrary file read via crafted AJP ForwardRequest attributes. It sends a request to the target AJP service, defaulting to TCP port 8009, and injects req_attribute entries for javax.servlet.include.request_uri, javax.servlet.include.path_info, and javax.servlet.include.servlet_path. By setting path_info to a chosen file such as WEB-INF/web.xml, the script coerces Tomcat into including and returning the file contents in the response. The script prints the disclosed content to stdout. Operationally, the user supplies a target hostname/IP, optional AJP port, and optional file path. The default target file is WEB-INF/web.xml, which is commonly used to verify exploitation. This is a real exploit, not merely a detector, because it actively performs the protocol interaction and retrieves file contents from the vulnerable server. The code is functional and self-contained, but the payload is fixed to file disclosure rather than broader post-exploitation, so OPERATIONAL is the best maturity fit.

This repository provides a Python-based exploit for CVE-2020-1938 (Ghostcat), a critical vulnerability in Apache Tomcat's AJP connector. The main exploit script, 'ghostcat.py', enables attackers to read arbitrary files from Tomcat servers by crafting and sending malicious AJP protocol packets. The tool supports multi-threaded scanning, custom wordlists for file enumeration, upload point detection (to identify possible RCE vectors), and can generate JSP webshell payloads for post-exploitation. The exploit is operational and can be used for both single-target and batch scanning. The code is self-contained, requires only Python 3.6+, and does not depend on external libraries. The repository also includes a debug version of the exploit ('poc_debug.py') for verbose output and troubleshooting. The exploit targets Tomcat servers with the AJP connector exposed (default port 8009) and is effective against versions 7.0.0-7.0.99, 8.5.0-8.5.50, and 9.0.0.M1-9.0.0.30. No hardcoded IPs or domains are present; the tool is designed for flexible targeting via command-line arguments.

This repository contains a single Python script (CVE-2020-1938.py) that exploits the Apache Tomcat AJP connector Local File Inclusion (LFI) vulnerability, also known as Ghostcat (CVE-2020-1938). The script crafts and sends AJP protocol requests to a specified host and port (default 8009), abusing the AJP protocol's handling of servlet include attributes to read arbitrary files from the Tomcat server's filesystem. The default file targeted is WEB-INF/web.xml, but this can be changed via a command-line argument. The script requires the attacker to specify the target host, and optionally the port and file to read. The exploit is a proof-of-concept and demonstrates the ability to retrieve sensitive files from vulnerable Tomcat servers. No detection or fake code is present; the script is a functional exploit.

This repository is a comprehensive exploit library (exphub) containing operational exploit scripts for a wide range of high-profile vulnerabilities affecting popular enterprise software. The structure is organized by product (e.g., drupal/, f5/, fastjson/, jboss/, nexus/, ofbiz/, shiro/, solr/, spring/, struts2/, tomcat/, weblogic/), with each directory containing Python or Java scripts for specific CVEs. The scripts are primarily remote code execution (RCE) exploits, but also include file read, webshell upload, SSRF, and administrative bypasses. Many scripts provide interactive shells or allow arbitrary command execution, and some require authentication. The repository includes both proof-of-concept (POC) and full exploit scripts, with detailed usage instructions embedded in the code and readme files. The attack vector is predominantly network-based, targeting HTTP(S) endpoints, and the scripts are suitable for both vulnerability validation and exploitation. The codebase is mature, with operational exploits for each vulnerability, and is a valuable resource for penetration testers and red teamers.

This repository is a Python-based exploitation toolkit targeting Apache Tomcat servers. The main script, TomcatScanPro.py, automates detection and exploitation of several vulnerabilities and misconfigurations: 1. CVE-2017-12615: Exploits the HTTP PUT method to upload a JSP webshell using three different path tricks. After upload, it attempts to access and execute the shell to verify remote code execution. 2. CNVD-2020-10487: Exploits the AJP protocol to perform local file inclusion (LFI), by default reading WEB-INF/web.xml, with the ability to customize the file path and success keyword. 3. Weak Password Brute-Force: Attempts to brute-force Tomcat Manager credentials using provided username and password lists. Upon successful login, it uploads a WAR package containing a Godzilla JSP webshell for persistent remote code execution. The tool supports concurrent scanning of multiple targets, configurable via a YAML file. All successful exploitation attempts are logged to success.txt. The payloads are customizable, and the default shell is a Godzilla JSP shell supporting AES-encrypted payloads. The repository includes sample data files for URLs, usernames, and passwords, as well as configuration and requirements files. The tool is operational and can be used for both vulnerability assessment and exploitation of Tomcat servers.

This repository provides two Python proof-of-concept (POC) scripts to exploit CVE-2020-1938 (Ghostcat), a file inclusion and file read vulnerability in Apache Tomcat's AJP protocol. The scripts, 'Tomcat-ROOT路径下文件包含(CVE-2020-1938).py' and 'Tomcat-ROOT路径下文件读取(CVE-2020-1938).py', allow an attacker to send crafted AJP requests to a Tomcat server, abusing the AJP connector (default port 8009) to read or include arbitrary files from the server's filesystem. The scripts take as arguments the target host, port, and file path to read/include. The included 'test.txt' is a sample JSP webshell payload that could be used in conjunction with the file inclusion vector for remote code execution. The repository is structured with a README (usage instructions and references), two main exploit scripts (Python 2), and a sample payload file. The exploit is network-based, targeting Tomcat servers with exposed AJP connectors, and demonstrates the risk of information disclosure and potential RCE if attacker-controlled files are included.

This repository contains a proof-of-concept exploit for CVE-2020-1938 (Ghostcat), a critical file read/inclusion vulnerability in Apache Tomcat's AJP connector. The main exploit is implemented in 'CVE-2020-1938.py', a Python script that communicates directly with the Tomcat AJP port (default 8009) to abuse the 'javax.servlet.include.*' request attributes, allowing arbitrary file reads from the web application directory. The exploit can retrieve sensitive files such as 'WEB-INF/web.xml'. If the web application allows file uploads, this vulnerability can be leveraged for remote code execution by uploading a malicious JSP file and including it via the AJP protocol. The repository also includes a detailed markdown writeup ('CVE-2020-1938.md') explaining the vulnerability, affected versions, exploitation steps, and mitigation strategies. The exploit targets Apache Tomcat versions 7.0.0 to 7.0.99, 8.5.0 to 8.5.50, and 9.0.0.M1 to 9.0.0.30 with the AJP connector enabled and accessible. The attack vector is network-based, requiring access to the AJP port. No framework is used; the exploit is a standalone Python script.

This repository contains a Python exploit script (CVE-2020-1938.py) targeting the Apache Tomcat AJP protocol vulnerability (CVE-2020-1938, also known as 'Ghostcat'). The exploit abuses the AJP connector (default port 8009) to perform Local File Inclusion (LFI), allowing an attacker to read arbitrary files from the Tomcat server. The script allows the user to specify the target host, AJP port, and file path to read. It constructs and sends specially crafted AJP requests to the target, leveraging the vulnerability to retrieve the contents of sensitive files (default: WEB-INF/web.xml). The README notes that, under certain conditions, the exploit may also allow file inclusion that could lead to command execution, but the primary function is file reading. The repository consists of the main exploit script and a README file. No hardcoded IPs or domains are present; the script is designed for flexible targeting by the user.

This repository provides a multi-stage Python exploit toolkit for CNVD-2020-10487 (Ghostcat), a Local File Inclusion (LFI) vulnerability in Apache Tomcat's AJP protocol. The toolkit includes: - CNVD-2020-10487-Tomcat-Ajp-lfi.py: A standalone exploit script that targets a single Tomcat server, sending crafted AJP requests to read arbitrary files (default: WEB-INF/web.xml). - threading-find-port-8009.py: A multi-threaded scanner that checks a list of domains/IPs (from ip.txt) for open AJP ports (8009), outputting results to 8009.txt. - threading-CNVD-2020-10487-Tomcat-Ajp-lfi.py: A multi-threaded exploit that reads from 8009.txt, attempts the LFI exploit on each host, and writes vulnerable hosts to vul.txt. - ip.txt: A sample list of target domains/IPs. - README.md: Usage instructions and workflow. The exploit works by abusing the AJP protocol to set specific request attributes (javax.servlet.include.request_uri, javax.servlet.include.path_info, javax.servlet.include.servlet_path), tricking Tomcat into including arbitrary files in the response. The toolkit is operational, supports multi-threaded scanning and exploitation, and is suitable for mass testing of large domain lists. No fake or destructive code is present; the scripts are focused on file read (LFI) exploitation only.

This repository contains a Python exploit script (ajpShooter.py) and a README.md for CVE-2020-1938 (Ghostcat), a vulnerability in Apache Tomcat's AJP protocol. The exploit leverages the ability to set arbitrary request attributes via the AJP protocol, allowing attackers to read arbitrary files from the server or execute files if the server is vulnerable. The script is run from the command line and requires the target's base URL, AJP port, and the file to read or execute. It supports custom HTTP methods, headers, and output to file. The README provides usage instructions and context. The main attack vector is network-based, targeting the AJP port (default 8009) on Tomcat servers. The repository is operational and provides a working exploit for security testing.

This repository is a Tomcat vulnerability exploitation toolkit with a Java GUI (JavaFX) and supporting Python script for AJP exploitation. It targets multiple vulnerabilities in Apache Tomcat: 1. **CVE-2017-12615 (PUT file upload)**: The tool attempts to upload a file (potentially a webshell) to the target Tomcat server using the HTTP PUT method. It then verifies if the upload was successful by attempting to access the uploaded file. 2. **Weak password brute-force**: The tool brute-forces Tomcat Manager or similar endpoints using configurable username and password lists (provided in `username.txt` and `password.txt`). 3. **CVE-2020-1938 (AJP file read/include)**: The toolkit includes a Python script (`ajpVul.py`) that exploits the AJP protocol to read arbitrary files or attempt remote code execution via file inclusion. The Java GUI calls this script as a subprocess. The main entry point is `main.java`, which launches a JavaFX GUI. The GUI allows users to configure proxies, set brute-force dictionaries, and launch the various exploits. The code is modular, with separate controllers for each exploit type and for proxy/dictionary configuration. The toolkit supports both HTTP and SOCKS proxies for network requests. **Notable endpoints and files:** - `/manager/html`: Target for brute-force attacks. - `/1092wxa.txt`: Test file for PUT upload. - `WEB-INF/web.xml`: Default file for AJP file read. - `config/ajpVul.py`: Python script for AJP exploitation. - TCP port 8009: Default AJP port. **Purpose:** The repository is designed for security testing of Apache Tomcat servers, providing detection and exploitation capabilities for several well-known vulnerabilities. It is intended for use by security professionals for penetration testing and self-assessment of Tomcat deployments.