Added jolokia templates (#3915)

* Added jolokia templates

* lint fixes

* Rename jolokia-write-to-rce-vmLog.yaml to jolokia-write-to-rce-vmlog.yaml

* more strict matchers

* Added version extractor

* template id update

* misc matcher update

* template matcher update

* template id template

* misc update

---------

Co-authored-by: sandeep <sandeep@projectdiscovery.io>
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>

http/misconfiguration/jolokia/jolokia-info-disclosure.yaml

@@ -10,30 +10,28 @@ info:
     - https://github.com/laluka/jolokia-exploitation-toolkit
   metadata:
     max-request: 16
-  tags: jolokia,springboot,mbean,tomcat,misconfig
+  tags: jolokia,springboot,mbean,misconfig
 
 http:
   - method: GET
     path:
-      - "{{BaseURL}}{{paths}}"
+      - "{{BaseURL}}{{jolokia_paths}}{{mbean_paths}}"
+
+    attack: clusterbomb
     payloads:
-      paths:
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
-        - "/actuator/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"
-        - "/actuator/jolokia/read/java.lang:type=Memory"
-        - "/jolokia/read/java.lang:type=Memory"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
-        - "/jolokia/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"
+      jolokia_paths:
+        - "/jolokia"
+        - "/actuator/jolokia"
+
+      mbean_paths:
+        - "/read/JMImplementation:type=MBeanServerDelegate/ImplementationName"
+        - "/read/JMImplementation:type=MBeanServerDelegate/ImplementationVendor"
+        - "/read/JMImplementation:type=MBeanServerDelegate/ImplementationVersion"
+        - "/read/JMImplementation:type=MBeanServerDelegate/MBeanServerId"
+        - "/read/JMImplementation:type=MBeanServerDelegate/SpecificationName"
+        - "/read/JMImplementation:type=MBeanServerDelegate/SpecificationVendor"
+        - "/read/JMImplementation:type=MBeanServerDelegate/SpecificationVersion"
+        - "/read/java.lang:type=Memory"
 
     matchers-condition: or
     matchers:

http/technologies/jolokia-detect.yaml

@@ -1,7 +1,7 @@
 id: jolokia-detect
 
 info:
-  name: Jolokia Version Disclosure
+  name: Jolokia Detection
   author: mavericknerd,dwisiswant0
   severity: info
   metadata:
@@ -12,7 +12,9 @@ http:
   - method: GET
     path:
       - '{{BaseURL}}/jolokia/version'
+      - '{{BaseURL}}/actuator/jolokia/version'
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: word
@@ -25,4 +27,8 @@ http:
       - type: status
         status:
           - 200
-# digest: 490a004630440220465383d7126bd514d2a816ab9a1231ff0e1fa097cc567620def05f939de3df850220033d6e54640a4babca3ab2ee730cde7a3c01c8fd974f19e78b40c466c119f918:922c64590222798bb761d5b6d8e72950
+
+    extractors:
+      - type: json
+        json:
+          - '.value.agent'

http/vulnerabilities/jolokia/jolokia-acceslogvalve-rce.yaml

@@ -0,0 +1,27 @@
+id: jolokia-acceslogvalve-rce
+
+info:
+  name: Jolokia write to RCE valve
+  author: pathtaga
+  severity: critical
+  description: RCE in Jolokia < 1.7.1 using AccesLogValve
+  tags: jolokia,rce
+  reference:
+    - https://github.com/laluka/jolokia-exploitation-toolkit
+    - https://therealcoiffeur.github.io/c11011
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/jolokia/list"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "\"host=localhost,name=AccessLogValve,type=Valve\""

http/vulnerabilities/jolokia/jolokia-createstandardhost-rce.yaml

@@ -0,0 +1,29 @@
+id: jolokia-createstandardhost-rce
+
+info:
+  name: Jolokia file write to RCE jfr
+  author: laluka,pathtaga
+  severity: critical
+  description: File read and file write to RCE by deploying a vhost with MBeanFactory/createStandardHost and DiagnosticCommand/jfrStart
+  tags: jolokia,rce
+  reference:
+    - https://github.com/laluka/jolokia-exploitation-toolkit
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/jolokia/list"
+      - "{{BaseURL}}/jolokia/list"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "\"desc\":\"Create a new StandardHost\""
+          - "\"desc\":\"Array of Diagnostic Commands Arguments and Options\""
+        condition: and

http/misconfiguration/jolokia/jolokia-unauthenticated-lfi.yaml → http/vulnerabilities/jolokia/jolokia-file-read-compilerdirectivesadd.yaml

@@ -1,7 +1,7 @@
-id: jolokia-unauthenticated-lfi
+id: jolokia-file-read-compilerdirectivesadd
 
 info:
-  name: Jolokia - Local File Inclusion
+  name: Jolokia - CompilerDirectivesAdd File Read
   author: dhiyaneshDk
   severity: high
   description: Jolokia is vulnerable to local file inclusion via compilerDirectivesAdd.

http/vulnerabilities/jolokia/jolokia-heap-info-disclosure.yaml

@@ -28,7 +28,7 @@ http:
 
     matchers:
       - type: word
+        part: body
         words:
           - 'stacktrace":"java.io.IOException: No such file or directory'
-        part: body
 # digest: 4a0a004730450220648f4dbbb25ef497eb6c8902c5bd912cd3982eb01bb69ea90872844eeaf8aed1022100ff9e5e5f4355a9075d99c5979af1a3093748d863ef3f862b70664852baaeeb6c:922c64590222798bb761d5b6d8e72950

http/vulnerabilities/jolokia/jolokia-tomcat-creds-leak.yaml

@@ -0,0 +1,37 @@
+id: jolokia-tomcat-creds-leak
+
+info:
+  name: Jolokia <= 1.7.1 Information Leakage
+  author: pathtaga
+  severity: critical
+  description: Tomcat's credential disclosure leading to Remote Code Execution via WAR upload.
+  tags: jolokia,tomcat,exposure
+  reference:
+    - https://github.com/laluka/jolokia-exploitation-toolkit/blob/main/exploits/info-leak-tomcat-creds.py
+    - https://therealcoiffeur.github.io/c11011
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/jolokia/read/Users:database=UserDatabase,type=UserDatabase"
+      - "{{BaseURL}}/actuator/jolokia/read/Users:database=UserDatabase,type=UserDatabase"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - '"mbean":"Users:database=UserDatabase,type=UserDatabase"'
+          - '"users":'
+        condition: and
+
+      - type: word
+        part: body
+        words:
+          - '"users":[]'
+        negative: true