YAPI Remote Code Execution 0-day Vulnerability

Published: 2021-07-09

0x00 Vulnerability Overview

CVE ID:                
Time:                  2021-07-09
Type:                  RCE
Severity:              High
Remote exploitation:   Yes
Affected scope:        All versions
Attack complexity:     
Availability:          High
User interaction:      
Required privileges:   
PoC/EXP:               
Exploited in the wild: Yes

 

0x01 Vulnerability Details



YAPI is an efficient, easy-to-use and powerful API management platform that aims to give developers, product managers and testers a more elegant interface management service.

On 8 July 2021, YAPI was publicly disclosed to contain a remote code execution 0-day vulnerability. The custom mock script service does not strictly filter the JavaScript it accepts, so a user can add a request-handling script, embed malicious commands in it, and ultimately achieve remote command execution on the server. The vulnerability is already being exploited at scale by botnets and trojans.

 

0x02 Remediation Advice

No patch is currently available for this vulnerability. Wait for the official patch and, in the meantime, apply the following mitigations:

- Disable YAPI user registration;

- Delete any malicious accounts that have already registered;

- Delete malicious mock scripts;

- Roll back the server to a clean snapshot.
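The following Node.js helper is an added example for the first and third mitigation steps; it is not part of this advisory or of the YAPI project. It checks that a YAPI config.json object has registration disabled (closeRegister is YAPI's real configuration key for this) and scans exported mock-script records for constructs a mock script never legitimately needs, so an operator can review and delete them. The record shape used here ({ _id, project_id, path, mock_script }) and the sample data are constructed for the example and are not YAPI's documented schema.

```javascript
'use strict';

// A mock script only needs to read `params`/`header`/`cookie` and fill in
// `mockJson`. Anything that reaches Node.js internals is worth a manual
// review before deletion. Pattern names are our own labels.
const SUSPICIOUS_PATTERNS = [
  { name: 'child_process', re: /child_process/ },
  { name: 'require-call', re: /\brequire\s*\(/ },
  { name: 'process-object', re: /\bprocess\s*\./ },
  { name: 'eval', re: /\beval\s*\(/ },
];

// Mitigation 1: registration is closed only when config.json sets
// "closeRegister": true (a real YAPI setting).
function registrationClosed(config) {
  return config !== null && typeof config === 'object' && config.closeRegister === true;
}

// Return the names of every suspicious pattern found in one script body.
function scanMockScript(source) {
  const hits = [];
  for (const { name, re } of SUSPICIOUS_PATTERNS) {
    if (re.test(source)) hits.push(name);
  }
  return hits;
}

// Mitigation 3: walk exported records and report those that need review.
// Records without a mock script are skipped.
function auditMockScripts(records) {
  const flagged = [];
  for (const r of records) {
    if (!r.mock_script) continue;
    const hits = scanMockScript(r.mock_script);
    if (hits.length > 0) {
      flagged.push({ id: r._id, project_id: r.project_id, path: r.path, hits });
    }
  }
  return flagged;
}

// Constructed sample config (field values are placeholders).
const SAMPLE_CONFIG = {
  port: 3000,
  adminAccount: 'admin@example.com',
  closeRegister: true,
  db: { servername: '127.0.0.1', DATABASE: 'yapi', port: 27017 },
};

// Constructed sample records: two benign scripts, two that warrant review.
const SAMPLE_RECORDS = [
  { _id: 1, project_id: 11, path: '/api/user/info',
    mock_script: "mockJson.code = 0; mockJson.data = { name: params.name || 'demo' };" },
  { _id: 2, project_id: 11, path: '/api/order/list',
    mock_script: "if (header['x-debug']) { mockJson.debug = true; }" },
  { _id: 3, project_id: 12, path: '/api/ping',
    mock_script: "require('child_process').exec('PLACEHOLDER_COMMAND');" },
  { _id: 4, project_id: 13, path: '/api/health',
    mock_script: 'mockJson.home = process.env.HOME;' },
];

// Stand-alone run: print the audit result for the constructed sample.
console.log('registration closed:', registrationClosed(SAMPLE_CONFIG));
console.log(JSON.stringify(auditMockScripts(SAMPLE_RECORDS), null, 2));
```

On a real deployment the records would come from an export of the YAPI interface data rather than the inline sample; the point of the helper is to shortlist scripts for a human to inspect and remove, not to decide automatically.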

Download link:

https://github.com/YMFE/yapi

 

0x03 References

https://github.com/YMFE/yapi/issues/2229

https://github.com/YMFE/yapi

https://s.tencent.com/research/report/76

 

0x04 Timeline

2021-07-08  Vulnerability disclosed

2021-07-09  VSRC publishes this security advisory

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/
