Share
## https://sploitus.com/exploit?id=98FA3964-11CF-5394-BD6E-9ED7F7452844
# PoC-Apisix
RCE via `serverless-pre-function` plugin when Admin API is exposed without authentication.
**Reported to [cveform.mitre.org](https://cveform.mitre.org)**
## Vulnerability
APISIX Admin API exposed without `admin_key_required: true` allows unauthenticated attackers to create routes with arbitrary Lua code execution.
## Usage
```bash
# Scan
./scanner.sh -t
./scanner.sh -f targets.txt
# Exploit
./exploit.sh [PROXY_PORT] [COMMAND]
./exploit.sh 127.0.0.1:9180 9080 id
```
## Mitigation
```yaml
# conf/config.yaml
deployment:
admin:
admin_key_required: true
admin_key:
- name: admin
key:
role: admin
```
## Disclaimer
For authorized security testing only.