Environment
MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)
Vulnerability Information
When /xxl-job-admin/joblog/logDetailPage is queried, xxl-job-admin reads the related log directly from the machine and shows it in the console as HTML, even if the log appears in format
Steps to reproduce the behavior
Step 1: Modify the application log in the default path of XXL-Job-Executor and add malicious javascript
cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/
Example malicious code: <script>alert(Test123);</script>
Step 2: Log in to the XXL-Job-Admin console as the admin user and navigate to the Log Query Page
Check the log by querying the log id
Step 3: The alert will show here
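The report above is that executor log text reaches the admin's browser as raw HTML. The following is an added example, not xxl-job's own code, showing the unsafe join beside an escaping renderer for the log console, plus a check that flags log lines carrying tags; the sample log lines are constructed and the function names are assumptions.

```javascript
// Added example (not xxl-job's code): render executor log text into the admin log
// console as inert HTML, and flag log files that already contain markup.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (for comparison): log lines joined straight into HTML, so any
// tag written into the log file is parsed and executed by the viewer's browser.
function renderLogUnsafe(logText) {
  return logText.split('\n').join('<br>');
}

// Hardened pattern: every line is escaped before the line breaks are re-added as
// <br>, so the log stays readable but markup in it is displayed, not interpreted.
function renderLogSafe(logText) {
  return logText.split('\n').map(escapeHtml).join('<br>');
}

// Detection helper: return the lines of a log that contain an HTML tag, so a
// tampered log file (Step 1 of the report) can be noticed before it is viewed.
const TAG_PATTERN = /<\s*\/?\s*[a-z][\w-]*[^>]*>/i;
function findMarkupLines(logText) {
  return logText
    .split('\n')
    .map((line, i) => ({ lineNo: i + 1, line }))
    .filter(({ line }) => TAG_PATTERN.test(line));
}

// Constructed sample log (hypothetical content) mirroring the report's Step 1.
const SAMPLE_LOG = [
  '2024-01-01 10:00:00 [INFO] job started',
  '<script>alert(Test123);</script>',
  '2024-01-01 10:00:01 [INFO] job finished',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderLogSafe(SAMPLE_LOG));
  console.log(findMarkupLines(SAMPLE_LOG));
}
```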
1 answer
kjthegm6 #1
If you can go to this page, then you can do more things.