XSS attack appears in /xxl-job-admin/joblog/logDetailPage

p8ekf7hl  posted 4 months ago  in Other
Follow (0) | Answers (1) | Views (255)

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

During a query of /xxl-job-admin/joblog/logDetailPage, xxl-job-admin reads the related log directly from the machine and shows it in the console in HTML format, even if the log appears in format

Steps to reproduce the behavior

Step 1: Modify the application log in the default path of the XXL-Job-Executor and add malicious JavaScript
cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/

Example malicious code (the string must be quoted, otherwise alert() fails with a ReferenceError and nothing is shown):
<script>alert('Test123');</script>

Step 2: Log in to the XXL-Job-Admin console as the admin user and navigate to the Log Query page
Check the log by querying the log ID

Step 3: The alert will show here


If you can get to this page, then you can do more things.
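The root cause described above is output encoding: executor log text is placed into the admin page as HTML, so any markup in the log file becomes live DOM. The block below is an added example, not xxl-job-admin code and not the reporter's, that puts the vulnerable render pattern beside the hardened one. The log lines are constructed (the second is the payload from the report, the third an attribute-based variant that a naive "<script" filter would miss), and the function names are assumptions chosen for the illustration.

```javascript
// Added example (not xxl-job-admin code): rendering executor log lines as HTML
// without escaping (vulnerable) versus escaping them on output (hardened).

// Constructed sample log lines, standing in for a file under
// /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/. Lines 2 and 3 are injected.
const SAMPLE_LOG_LINES = [
  "2024-01-01 10:00:00 [JobThread] INFO  job start",
  "<script>alert('Test123');</script>",
  "<img src=x onerror=\"alert('Test123')\">",
  "2024-01-01 10:00:01 [JobThread] INFO  job end, a < b && c > d",
];

// Vulnerable pattern: raw lines are joined and handed to the browser as HTML
// (e.g. assigned to innerHTML). Every tag in the log file is parsed as markup.
function renderLogUnsafe(lines) {
  return lines.join("<br>");
}

// Hardened pattern: escape the five HTML-significant characters in each line
// before the text is placed in HTML. The only markup left in the result is the
// <br> that the renderer itself adds.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

function renderLogSafe(lines) {
  return lines.map(escapeHtml).join("<br>");
}

// Self-check for the renderer: does the output contain any tag other than our
// own <br>? This is a test of the encoder, not an input filter; blocklisting
// "<script" in log files would miss the onerror variant in the sample above.
function containsForeignMarkup(html) {
  return /<(?!br>)[a-zA-Z!\/]/.test(html);
}

// Demonstration when run directly.
console.log("unsafe has foreign markup:", containsForeignMarkup(renderLogUnsafe(SAMPLE_LOG_LINES)));
console.log("safe   has foreign markup:", containsForeignMarkup(renderLogSafe(SAMPLE_LOG_LINES)));
console.log(renderLogSafe(SAMPLE_LOG_LINES));
```

When the view is built in the browser rather than as a server-side string, the equivalent fix is to assign each line to an element's `textContent` (or use a `<pre>` filled via `textContent`) instead of `innerHTML`; either way the executor log must be treated as untrusted data, since anyone who can write to the executor's log directory, including a job handler that logs attacker-controlled input, controls what the admin's browser renders.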
