aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/yapi/mongodb-inj/README.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

961 B
Raw Permalink Blame History

YApi NoSQL injection and remote code execution

中文版本(Chinese version)

YApi is a API testing tools for enterprise. YApi which in the version prior to v1.12.0, are vulnerable to a NoSQL injection, as well as a remote code execution vulnerability. The remote attacker could steal project's token through NoSQL injection without authentication and use this token to execute the Mock script and get shell.

References:

Vulnerable Environment

Execute following command to start a YApi server v1.10.2:

docker compose up -d

After the server is started, you can browse the website at http://your-ip:3000/.

Exploit

The target in Vulhub is a ready-to-use server that contains some example data in MongoDB. So just use this POC to reproduce the issue:

python poc.py --debug one4all -u http://127.0.0.1:3000/