id: jolokia-info-disclosure

info:
  name: Jolokia - Information disclosure
  author: pussycat0x
  severity: medium
  reference:
    - https://thinkloveshare.com/hacking/ssrf_to_rce_with_jolokia_and_mbeans/
    - https://github.com/laluka/jolokia-exploitation-toolkit
  metadata:
    max-request: 16
  tags: jolokia,springboot,mbean,tomcat,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
      - "{{BaseURL}}/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"
      - "{{BaseURL}}/actuator/jolokia/read/java.lang:type=Memory"
      - "{{BaseURL}}/jolokia/read/java.lang:type=Memory"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
      - "{{BaseURL}}/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"

    matchers-condition: or
    matchers:
      - type: word
        name: memory
        words:
          - '"mbean":"java.lang:type=Memory"'

      - type: word
        name: implementation-vendor
        words:
          - '"attribute":"ImplementationVendor"'

      - type: word
        name: implementation-version
        words:
          - '"attribute":"ImplementationVersion"'

      - type: word
        name: implementation-name
        words:
          - '"attribute":"ImplementationName"'

      - type: word
        name: specification-vendor
        words:
          - '"attribute":"SpecificationVendor"'

      - type: word
        name: mbean-serverid
        words:
          - '"attribute":"MBeanServerId"'

      - type: word
        name: specification-name
        words:
          - '"attribute":"SpecificationName"'

      - type: word
        name: specification-version
        words:
          - '"attribute":"SpecificationVersion'

# digest: 490a00463044022054f6b6f25cb2bfd72d958a9c478faf29b4d96b1bd4b1bcb36216672ca6698fb2022029e78105502575873b392c968f23235714c76d3827ef3393a1f6930a293d21d7:922c64590222798bb761d5b6d8e72950