
How to reproduce the vulnerability of unauthorized access to RCE in XXL-JOB API interface

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to reproduce the unauthorized-access RCE vulnerability in the XXL-JOB API interface. It is laid out step by step, is well suited to beginners, and is worth reading through; follow along with the editor and you should come away with something useful.

XXL-JOB description

XXL-JOB is a lightweight distributed task scheduling platform whose core design goals are rapid development, easy learning, light weight and easy extension. Its source code is open, it has been adopted in the online product lines of a number of companies, and it works out of the box.

I. Vulnerability details

The core of this vulnerability is GLUE mode. XXL-JOB supports multi-language and scripted tasks through "GLUE mode", which has the following characteristics:

● Multi-language support: Java, Shell, Python, NodeJS, PHP, PowerShell and so on.

● Web IDE: task source code is maintained in the scheduling center, and tasks can be developed and maintained online through the Web IDE.

● Dynamic effect: task code written online in the Web IDE is pushed to the executor remotely, where it is loaded and executed in real time.

As shown in the figure above, if attack code is written into the task code of a GLUE-mode job, pushing it to the executor for execution results in a remote attack.

[vulnerability description]

If XXL-JOB's RESTful API or RPC interface is deployed without any authentication measures, an unauthenticated attacker can construct malicious requests that result in remote command execution.

[vulnerability rating]

High risk

[affected version]

II. Environment setup

XXL-JOB Maven installation: download dependencies -> configure and deploy the "scheduling center" -> configure and deploy the "executor project" -> deployment complete

Local development environment: Java 8 + Maven 3.6

1. Download the source code from GitHub

Address: https://github.com/xuxueli/xxl-job/releases/tag/v2.2.0

2. Download the dependencies required by Maven

Open the extracted source code in IDEA and it will install the dependencies declared in pom.xml automatically; you can also download them from the terminal with the mvn command.

3. Database configuration

The scheduling database initialization SQL script is located at:

/xxl-job/doc/db/tables_xxl_job.sql

Because MySQL is not installed locally, it is run with Docker.

A) docker pull mysql:5.7

B) sudo docker run -p 3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD=123456 -d mysql:5.7

This starts a MySQL container with the account root and the password 123456.

Use Navicat to connect to the database.

Click Test Connection in the lower left corner to verify the connection. Then right-click the imported database, choose Run SQL File, and click Start to finish importing the schema.

4. Configure and deploy the scheduling center

Scheduling center project: xxl-job-admin

Function: unified management of scheduling tasks on the task scheduling platform; it is responsible for triggering scheduled executions and provides the task management interface. Modify the database configuration in application.properties to match your environment.

Run XxlJobAdminApplication to start the scheduling center.

We use the recommended Spring Boot sample to run the executor.

Look at the configuration file and find the xxl.job.executor.logpath parameter; create or adjust that path beforehand so the program does not fail at runtime. On newer macOS versions the /data path does not exist, and creating it with mkdir failed because of the system's SIP restrictions; sudo mount -uw / was used to lift them. Run XxlJobExecutorApplication to start the executor. Open http://localhost:8080/ in the browser; if the login page appears, startup succeeded. The default login account is "admin/123456".

Note:

It is recommended to create /data/applogs/xxl-job first, since many of the program's configuration files refer to it.

Modify the database configuration of the scheduling center.

On Linux/Unix, lsof can be used to check port occupancy and avoid startup failures.

The scheduling center and the executor can be deployed separately as the situation requires.

III. Reproducing the vulnerability

Check the official documentation for the description of the "trigger task" API in the executor RESTful API.

The task run modes are as follows.

View the GlueTypeEnum source code.

Then we use Burp Suite to construct the POC.

Tips:

If modifying glueSource has no effect on execution, change the jobId as well.

If the port fails to start normally after restarting the project, close Burp Suite.

The official version of XXL-JOB ships with an authentication component which, when enabled, secures the underlying communication of the system. The author of XXL-JOB has stated that under normal circumstances the communication between the scheduling center and the executor is secure and there is no remote command vulnerability. However, if the executor does not enable the access token, illegitimate scheduling requests cannot be recognized and intercepted, and a malicious requester can use GLUE mode to push attack code and achieve remote attacks. The author of XXL-JOB therefore considers that the problem is not a "vulnerability" in nature, since the official release provides an authentication component that protects the system as soon as it is enabled.

IV. Remediation suggestions

1. Enable the authentication component that ships with XXL-JOB: search for "xxl.job.accessToken" in the official documentation and enable it as described there.

2. Port access restrictions: allow only specified IP addresses to reach the executor port by configuring security-group rules.
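Both remediation points come down to whether the executor can distinguish a legitimate scheduling-center request from anyone else's. The Python example below is added here and is not code from the XXL-JOB project: it models the executor's access-token check as the article describes it (a configured token must be presented by the caller; an empty token means every request is accepted, which is the unauthenticated condition reproduced above) and audits an executor's application.properties for that weak setting. The `xxl.job.accessToken` and `xxl.job.executor.logpath` keys are the ones named in this article; the `XXL-JOB-ACCESS-TOKEN` header name is an assumption about the project's remoting convention, and the two property files are constructed samples.

```python
"""Model of the XXL-JOB executor access-token check plus a config audit.

Added example; not code from the XXL-JOB project. Assumptions:
  * the executor's token is read from the `xxl.job.accessToken` property
    (named on the page);
  * the caller presents it in an `XXL-JOB-ACCESS-TOKEN` header (assumed name).
"""
from __future__ import annotations

import hmac
import secrets

ACCESS_TOKEN_KEY = "xxl.job.accessToken"
ACCESS_TOKEN_HEADER = "XXL-JOB-ACCESS-TOKEN"  # assumed header name
MIN_TOKEN_LEN = 16

# Constructed sample: the weak configuration the article reproduces against
# (token left empty, so the executor cannot tell requests apart).
WEAK_PROPERTIES = """\
# executor config (constructed sample)
xxl.job.executor.logpath=/data/applogs/xxl-job/jobhandler
xxl.job.accessToken=
"""

# Constructed sample: the hardened configuration (remediation point 1).
HARDENED_PROPERTIES = """\
xxl.job.executor.logpath=/data/applogs/xxl-job/jobhandler
xxl.job.accessToken=REPLACE_WITH_LONG_RANDOM_SECRET
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def audit_access_token(props: dict[str, str]) -> list[str]:
    """Return findings about the access token; an empty list means it looks fine."""
    findings: list[str] = []
    token = props.get(ACCESS_TOKEN_KEY, "")
    if not token.strip():
        findings.append(
            f"{ACCESS_TOKEN_KEY} is empty or missing: the executor will accept "
            "scheduling requests from anyone who can reach its port"
        )
    elif len(token) < MIN_TOKEN_LEN:
        findings.append(
            f"{ACCESS_TOKEN_KEY} is only {len(token)} characters: use a long random secret"
        )
    return findings


def request_accepted(configured_token: str, headers: dict[str, str]) -> bool:
    """Model of the executor-side check.

    With no token configured the executor has nothing to compare against and
    accepts every request (the vulnerable condition). With a token configured,
    the presented header must match exactly; compare in constant time.
    """
    configured = configured_token.strip()
    if not configured:
        return True
    presented = headers.get(ACCESS_TOKEN_HEADER, "")
    return hmac.compare_digest(configured.encode(), presented.encode())


def new_access_token() -> str:
    """Generate a value suitable for xxl.job.accessToken (32 random bytes, hex)."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        props = parse_properties(text)
        print(f"[{label}] findings: {audit_access_token(props) or 'none'}")
        print(f"[{label}] request without header accepted: "
              f"{request_accepted(props.get(ACCESS_TOKEN_KEY, ''), {})}")
    print("suggested token:", new_access_token())
```

Run the script against a copy of your executor's application.properties (swap the constructed samples for the file's contents) to confirm the token is set before the executor is exposed; the security-group restriction from point 2 still applies on top, since the token only helps once a request reaches the port.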

Thank you for reading. You should now have some understanding of "how to reproduce the unauthorized-access RCE vulnerability in the XXL-JOB API interface"; go ahead and try it in practice. If you want to learn more, follow this website, where the editor will continue to publish further articles.
