CVE-2022-24112

This exploit leverages CVE-2022-24112 in Apache APISIX to achieve remote code execution by injecting a malicious Lua function into the `filter_func` parameter of a route configuration. The payload establishes a reverse shell to the attacker's specified host and port.

This repository provides a writeup and nuclei template for CVE-2022-24112, an RCE vulnerability in Apache APISIX's batch-requests plugin. The exploit leverages unauthorized access to execute malicious scripts or filter functions, similar to CVE-2021-45232.

This exploit leverages CVE-2022-24112 in Apache APISIX by abusing the batch-requests plugin to bypass IP restrictions and execute arbitrary commands via a crafted route configuration. The PoC sends a reverse shell payload to the target.

This repository contains a working proof-of-concept exploit for CVE-2022-24112, an RCE vulnerability in Apache APISIX versions prior to 2.12.1. The exploit leverages the `filter_func` parameter to execute arbitrary commands, resulting in a reverse shell.

This PoC exploits CVE-2022-24112, an RCE vulnerability in Apache APISIX via batch-requests. It sends a crafted payload to execute arbitrary commands on the target system.

This Go-based exploit leverages CVE-2022-24112 to achieve RCE in Apache APISIX by registering a malicious route with a Lua script via the batch-requests plugin. It uses a race condition to bypass admin key validation and execute arbitrary commands.

This repository contains two Python-based PoC exploits for CVE-2022-24112, targeting Apache APISIX versions 1.3 to 2.12.1. The exploits leverage the batch-requests plugin to bypass Admin API IP restrictions and achieve remote code execution via a crafted filter_func payload.

This PoC exploits CVE-2022-24112 in Apache APISIX by bypassing IP restrictions and using the default admin API token to achieve remote code execution via a crafted batch request.

This PoC exploits CVE-2022-24112, a vulnerability in Apache APISIX, by injecting a malicious Lua filter function to achieve remote code execution (RCE). The exploit consists of two scripts: the first creates a malicious route, and the second triggers the payload to establish a reverse shell.

This is a functional Python PoC for CVE-2022-24112, exploiting a Lua code injection vulnerability in Apache APISIX 2.12.x via the `filter_func` field in the admin API. It injects a malicious route that executes arbitrary system commands via `io.popen` and returns the output.

This PoC exploits CVE-2022-24112, an RCE vulnerability in Apache APISIX via the batch-requests endpoint. It sends a crafted base64-encoded payload to execute arbitrary commands, demonstrated with a DNS callback.

This repository contains a functional Go-based exploit for CVE-2022-24112, leveraging the batch-request plugin in Apache APISIX to register an admin route with a malicious Lua script for remote code execution. The exploit uses a race condition to bypass authentication and execute arbitrary commands.