id: jolokia-info-disclosure

info:
  name: Jolokia - Information disclosure
  author: pussycat0x
  severity: medium
  description: Jolokia - Information is exposed.
  reference:
    - https://thinkloveshare.com/hacking/ssrf_to_rce_with_jolokia_and_mbeans/
    - https://github.com/laluka/jolokia-exploitation-toolkit
  metadata:
    max-request: 16
  tags: jolokia,springboot,mbean,tomcat,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"
        - "/actuator/jolokia/read/java.lang:type=Memory"
        - "/jolokia/read/java.lang:type=Memory"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"

    matchers-condition: or
    matchers:
      - type: word
        name: memory
        words:
          - '"mbean":"java.lang:type=Memory"'

      - type: word
        name: implementation-vendor
        words:
          - '"attribute":"ImplementationVendor"'

      - type: word
        name: implementation-version
        words:
          - '"attribute":"ImplementationVersion"'

      - type: word
        name: implementation-name
        words:
          - '"attribute":"ImplementationName"'

      - type: word
        name: specification-vendor
        words:
          - '"attribute":"SpecificationVendor"'

      - type: word
        name: mbean-serverid
        words:
          - '"attribute":"MBeanServerId"'

      - type: word
        name: specification-name
        words:
          - '"attribute":"SpecificationName"'

      - type: word
        name: specification-version
        words:
          - '"attribute":"SpecificationVersion'
# digest: 4a0a0047304502201f5645f52c2d35c5b5fde6fca3eeba64c0c00bfbc3d31f5302da76a58831d471022100c037a4faff65717fb81d4cac49f573788ef86678acaafec2cf04731f0e8d6763:922c64590222798bb761d5b6d8e72950