Apache APISIX 2.12.x Remote Code Execution (RCE) Exploit This Python script is a Proof-of-Concept (PoC) for a remote code execution (RCE) vulnerability in Apache APISIX versions 2.12.0 and 2.12.1. The vulnerability lies in the misuse of the filter_func Lua field within the admin API, allowing an attacker to inject arbitrary Lua code that executes system commands via io.popen. The response from the command is returned in the HTTP response using ngx.say(). ⚠️ DISCLAIMER: This tool is intended for authorized testing and educational purposes only. Do not use it on systems you do not own or have explicit permission to test. 🧰 Requirements Python 3.6+ requests library (pip install requests) 🚀 Usage 📁 File Name exploit.py 🔧 Syntax bash python3 exploit.py -d <target_domain_or_ip> -p <port> -c <command> bash python3 exploit.py -d 127.0.0.1 -p 9080 -c id python3 exploit.py –domain 192.168.1.100 –cmd "uname -a" python3 exploit.py -d vulnerable.host.local -c "cat…Read More
Exploit for Authentication Bypass by Spoofing in Apache Apisix
