Apache APISIX Exploit Attempt - CVE-2022-24112

Apache APISIX is an API gateway that manages traffic for web servers. A default APISIX installation includes a batch-requests plugin, which performs actions on behalf of the user. The Admin API is restricted to local hosts. Within the default installation, the batch-requests plugin has an IP restriction bypass vulnerability that allows a remote attacker to perform administration actions on a web server, such as creating an endpoint to a malicious script. To exploit this vulnerability, an attacker sends a specially designed HTTP POST request to the plugin. This request includes the default Admin API key to perform administration actions, a payload such as a malicious script, and a forged x-real-ip value. Normally, the batch-requests plugin sets the IP address of the caller in the x-real-ip value. Instead, the plugin accepts the forged x-real-ip value, enabling the malicious POST request to be processed while bypassing the IP address restriction (1). The web server sends a response with a 200 status code and a payload that summarizes the administration actions that were completed (2).