Exploitation via JMXInvokerServlet using Metasploit

Metasploit also has a module for JMXInvokerServlet, which can be loaded using the following command:

use exploit/multi/http/jboss_invoke_deploy

Before using this exploit module, we need to make sure that the /invoker/JMXInvokerServlet URI path exists on the server. If the path doesn't exist, the exploit will fail. The following screenshot shows the output of the preceding command:

To see whether the /invoker/JMXInvokerServlet URI path exists, we can use the following command for confirmation:

If the server responds with serialized data in the form of bytes, starting with ac ed, we can run the exploit, which will give us access to the server via Meterpreter, as we can see in the following screenshot:


Note: In cases where we are not able to get a successful reverse shell, we can always opt for bind shell connections.
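
For defenders auditing their own JBoss hosts, the ac ed check described above can be applied offline to captured responses for /invoker/JMXInvokerServlet. This is an added example, not code from the book or from Metasploit; the host names, verdict labels and sample captures are constructed, and it goes slightly beyond the text by also checking the stream version bytes 00 05 that follow ac ed.

```python
import struct

STREAM_MAGIC = 0xACED    # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 0x0005  # java.io.ObjectStreamConstants.STREAM_VERSION

def is_java_serialized(body: bytes) -> bool:
    """True if the body opens with the Java object stream header ac ed 00 05."""
    if len(body) < 4:
        return False
    magic, version = struct.unpack(">HH", body[:4])
    return magic == STREAM_MAGIC and version == STREAM_VERSION

def classify(status: int, headers: dict, body: bytes) -> str:
    """Verdict for one captured response to /invoker/JMXInvokerServlet."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if status in (401, 403):
        return "protected"   # servlet is mapped but access control answered first
    if status == 404:
        return "absent"      # invoker not deployed or path blocked upstream
    if status == 200 and is_java_serialized(body):
        return "exposed"     # unauthenticated caller received a serialized object
    if "java-serialized-object" in ctype.lower():
        return "review"      # header says serialized but the body does not match
    return "inconclusive"

def audit(captures: list) -> dict:
    """Map each host in the captures to its verdict."""
    return {host: classify(status, headers, body)
            for host, status, headers, body in captures}

# Constructed sample captures (hypothetical hosts, not real traffic).
SAMPLE_CAPTURES = [
    ("app01.example.internal", 200,
     {"Content-Type": "application/x-java-serialized-object"},
     bytes.fromhex("aced0005") + b"sr\x00\x24org.jboss.invocation.MarshalledValue"),
    ("app02.example.internal", 401, {"WWW-Authenticate": "Basic"}, b""),
    ("app03.example.internal", 404, {"Content-Type": "text/html"}, b"<html>Not Found</html>"),
    ("app04.example.internal", 200, {"Content-Type": "text/html"}, b"<html>login</html>"),
    ("app05.example.internal", 200,
     {"content-type": "application/x-java-serialized-object"}, b"\xac\xed"),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CAPTURES).items():
        print(f"{host}: {verdict}")
```

Hosts reported as exposed are the ones where the invoker servlet should be removed or placed behind authentication.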