Hunting and Exploiting the Apache Ghostcat

The Apache Ghostcat vulnerability is a file inclusion vulnerability which came out in the first quarter of this year while the world was gearing up for a lockdown fight up against the coronavirus.

It allows any attacker to read files such as configuration files , test files or any other tomcat directory files . In addition, if a victim website permits any user to upload files, an attacker can upload the file containing malicious JSP code to the server and then include the uploaded file by exploiting the Ghostcat vulnerability, resulting in remote code execution. Well like the coronavirus’s family of viruses this ghostcat bug has also been there since a long long time and has managed to be undiscovered until the recent past. The context of the short blog post is to comprehend, identify and exploit this notorious bug.

The general idea of a Tomcat server has different ports set up . There’s of course the 8080 HTTP webservice port. Then there is another lesser known port 8009 which runs the AJP (Apache JServ Protocol) service. It is essentially a service implemented through tomcat and allows for performing different operations.

What is the AJP fuss all about…?

Well, the AJP is a binary protocol that reduces overhead for an application server in comparison to the HTTP. It is similar to HTTP but at a binary level. Since it is binary , the machine level translation is far more faster than the HTTP parsing. In short , AJP connector will be used due to:

  1. It being implemented and exposed by default by Tomcat.
  2. More persistance in reverse proxying requests performance and load balancing between front end and backend application servers.
  3. Tomcat’s rich API level implementations juices the developer to push for more faster protocol transversal i.e; HTTP(S) data is seamless and can be retrieved with simple API calls(like canonical getXYX()).
  4. AJP allows you to skip the additional parsing and pass efficient binary interpretation of the request headers between the proxy server and the app server.

Ways to detect the Ghostcat vulnerability

  1. You can use the online detection tool by the researchers that have published the finding. (Link:

2. The Manual way.

The Manual way of finding it:

As always in any manual penetration test we do perform an Nmap scan to detect open ports.

Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x are found to be vulnerable to this Ghostcat issue.

Once we find the desired ports highlighted in the results above you can head to this github exploit page: and run the python exploit.

We are able to retrieve information. Now we can try to retrieve certain common files from the WEB-INF folder such as web.xml

We found a string (8730281lkjlkjdqlksalks)that appears as key which could possibly be used to login to system called ECorp with a key via an SSH session.

That’s it we can own the system and retrieve information from the user ECorp and can also possibly look for root level escalations if there are any misconfigurations in the system.

If the application server allows uploading files as well which is uncommon collectively in general , then we can upload WAR files such as :

and gain a code execution using this issue.

More on it here: (


Ghostcat continues to be one of the severe issues that can be troublesome just like the coronavirus. Threat actors may mass exploit using shodan dorks as well. The suggested mitigation would be to disable the port by commenting out the block of code that enables the port to listen on 8009 using AJP connector.

It is also recommended to upgrade to the following Apache versions that have applied a patch:

  1. Apache Tomcat Version 9.0.31
  2. Apache Tomcat Version 8.5.51
  3. Apache Tomcat Version 7.0.100

For the beginners to practice such vulnerabilities there are good platforms such as that have made excellent machines to solve and understand such new exploits. You can head over there and solve labs based on such vulnerabilities yourself.

Thanks for the read as always stay safe and healthy during these corona.war times :}.Peas out.

You can connect with me on :

Linkedin: and Twitter:

Prakash Ashok, Security Analyst at WeSecureApp, CTF player, Blockchain developer and Security Researcher.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store