kong-exploit
Audited by Socket on Apr 22, 2026
3 alerts found (Security, Malware x2):

This skill is a Kong/Konga/Insomnia exploitation playbook aimed at AI agents. It directly provides SSRF, privilege escalation, unauthorized admin access and RCE steps, with reading back-end configuration and credentials as the post-exploitation goal. Supply-chain indicators are few, but its actual capability and offensive use are highly dangerous; it should be classified as a high-risk, abusable exploit skill rather than a normal development-assistance skill.
This code is explicitly an offensive PoC/exploit for Konga privilege escalation: it authenticates, then crafts an API request that directly attempts to flip an authorization field (admin) to gain elevated access. It also disables TLS verification and suppresses warnings, and it prints the authentication token to stdout, increasing operational risk of credential leakage. The second mentioned vulnerability (Insomnia template injection RCE) is not implemented in the shown executable logic.
This code fragment is highly indicative of malicious exploit tooling. It automates unauthorized exposure of Kong’s Admin API into a full SSRF proxy workflow by programmatically creating Services/Routes that forward requests to attacker-selected internal/cloud metadata endpoints, then triggers the behavior through Kong’s proxy interface. Presence of post-exploitation cleanup further supports malicious intent. It should not be used as a dependency and should be treated as high risk if found in a supply chain.