jkstatus-manager: JK Status Manager - Detect

日期: 2025-08-01 | 影响软件: jkstatus manager | POC: 已公开

漏洞描述

Exposed JKStatus manager which is a web-based tool that allows administrators to monitor and manage the connections between the Apache HTTP Server and the Tomcat application server.

PoC代码[已公开]

id: jkstatus-manager

info:
  name: JK Status Manager - Detect
  author: pdteam,DhiyaneshDk
  severity: low
  description: |
    Exposed JKStatus manager which is a web-based tool that allows administrators to monitor and manage the connections between the Apache HTTP Server and the Tomcat application server.
  reference:
    - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/JKStatus.java
  classification:
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 8
    vendor: apache
    product: tomcat
    shodan-query: html:"JK Status Manager"
  tags: config,jk,status,exposure,vuln

http:
  - method: GET

    headers:
      X-Forwarded-For: "127.0.0.1"
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/status"
      - "{{BaseURL}}/jkstatus"
      - "{{BaseURL}}/jkstatus-auth"
      - "{{BaseURL}}/jk-status"
      - "{{BaseURL}}/jkmanager"
      - "{{BaseURL}}/jkmanager-auth"
      - "{{BaseURL}}/jdkstatus"

    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - "JK Status Manager"
# digest: 4a0a004730450220446c0bcb52f7decf946942a4daba74f019160c06416c084f87d945acc26146e20221009035e1744b5f6402cd7703f8aa578ae2ac03c1aeed31136831efc4dcfc98c23e:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/exposures/configs/jkstatus-manager.yaml