Share
## https://sploitus.com/exploit?id=98FA3964-11CF-5394-BD6E-9ED7F7452844
# PoC-Apisix

RCE via `serverless-pre-function` plugin when Admin API is exposed without authentication.

**Reported to [cveform.mitre.org](https://cveform.mitre.org)**

## Vulnerability

APISIX Admin API exposed without `admin_key_required: true` allows unauthenticated attackers to create routes with arbitrary Lua code execution.

## Usage

```bash
# Scan
./scanner.sh -t 
./scanner.sh -f targets.txt

# Exploit
./exploit.sh   [PROXY_PORT] [COMMAND]
./exploit.sh 127.0.0.1:9180 9080 id
```

## Mitigation

```yaml
# conf/config.yaml
deployment:
  admin:
    admin_key_required: true
    admin_key:
      - name: admin
        key: 
        role: admin
```

## Disclaimer

For authorized security testing only.