
CVE-2022-24112 PoC — apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Source
Associated Vulnerability
Title: apisix/batch-requests plugin allows overwriting the X-REAL-IP header (CVE-2022-24112)
Description: An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API has been moved to a port different from the data panel, the impact is lower, but there is still a risk of bypassing the IP restriction of Apache APISIX's data panel. The batch-requests plugin contains a check that overrides the client IP with its real remote IP, but due to a bug in the code this check can be bypassed.
File Snapshot

[4.0K] /data/pocs/81063e1e87e2211d6cff58ab4c2f5136c78a75ac
├── [4.0K] docker-files
│   ├── [4.0K] apisix_conf
│   │   └── [1.8K] config.yaml
│   ├── [4.0K] apisix_log
│   ├── [4.0K] dashboard_conf
│   │   └── [3.9K] conf.yaml
│   ├── [2.1K] docker-compose-alpine.yml
│   ├── [2.8K] docker-compose.yml
│   ├── [4.0K] etcd_conf
│   │   └── [4.2K] etcd.conf.yml
│   ├── [4.0K] grafana_conf
│   │   ├── [4.0K] config
│   │   │   └── [ 26K] grafana.ini
│   │   ├── [4.0K] dashboards
│   │   │   └── [ 52K] apisix-grafana-dashboard.json
│   │   └── [4.0K] provisioning
│   │       ├── [4.0K] dashboards
│   │       │   └── [ 958] all.yaml
│   │       └── [4.0K] datasources
│   │           └── [ 955] all.yaml
│   ├── [4.0K] mkcert
│   │   ├── [1.7K] lvh.me+1-key.pem
│   │   ├── [1.5K] lvh.me+1.pem
│   │   ├── [2.4K] rootCA-key.pem
│   │   └── [1.6K] rootCA.pem
│   ├── [4.0K] prometheus_conf
│   │   └── [1.6K] prometheus.yml
│   └── [4.0K] upstream
│       ├── [ 372] web1.conf
│       └── [ 372] web2.conf
└── [7.9K] setup.sh

14 directories, 17 files