The system has a bug and was compromised by an attacker
Version: 1.7.0
lstz6jyr1#
gstyhher2#
The server ports are normal and the logs are normal; it should be caused by an API vulnerability in this system.
wz8daaqr3#
yapi/server/controllers/group.js, lines 128 to 132 in bbf94b7:

```js
// In the new version everyone has permission to add groups

// if (this.getRole() !== 'admin') {
//   return (ctx.body = yapi.commons.resReturn(null, 401, '没有权限'));
// }
```
bz4sfanl4#
Deploy it on the internal network and only allow your own people on the intranet to use it.
j13ufse25#
Did you set a password on MongoDB? (Many people don't set one; MySQL requires a password, Mongo doesn't.) The contents of these groups are all SQL injection statements, so it may not be a yapi problem at all: these statements may have been written into MongoDB, and yapi simply read them and displayed them. Take a look at the Mongo logs.
2q5ifsrm6#
It has nothing to do with MongoDB. Our company's ops team packaged it with docker-compose; MongoDB has no port exposed externally at all, let alone through the company firewall. The intrusion came in through port 80 of the yapi service itself. This is a yapi vulnerability: anyone at all can register, and there isn't even a captcha.
q43xntqr7#
https://hellosean1025.github.io/yapi/devops/index.html#mongodb集群

> On 24 July 2019 at 16:02, ZhaoYu <notifications@github.com> wrote:
> The system has a bug and was attacked. Version: 1.7.0. What problem: [image]. How to reproduce: (blank). Browser: (blank). OS (Linux, Windows, macOS): (blank).
wfsdck308#
yapi is not recommended to be exposed to the public internet.
ruoxqz4g9#
https://github.com/YMFE/yapi/blob/master/docs/devops/index.md#%E7%A6%81%E6%AD%A2%E6%B3%A8%E5%86%8C
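The two gates discussed in this thread, the admin-role check that the quoted group.js snippet has commented out and the registration switch that the linked docs describe, modelled in one stand-alone script. This is an added example, not yapi's own code: `ctx` is a plain object standing in for a Koa context, `ctx.state.user` is an assumed session shape, `resReturn` only mirrors the argument order of `yapi.commons.resReturn`, and the in-memory `store` replaces MongoDB. The `closeRegister` key is the config.json switch named in the yapi devops docs.

```javascript
// Added example (not from the yapi project): server-side gates for group
// creation and self-registration, runnable without Koa or MongoDB.

// Same (data, errcode, errmsg) shape as yapi.commons.resReturn; assumed.
function resReturn(data, errcode = 0, errmsg = 'success') {
  return { errcode, errmsg, data };
}

// Gate 1: group creation requires the admin role. This is the check that
// group.js (bbf94b7, lines 128-132) has commented out; here it is live.
function addGroup(ctx, store) {
  const user = ctx.state.user || {};          // assumed session shape
  if (user.role !== 'admin') {
    ctx.status = 401;
    ctx.body = resReturn(null, 401, 'no permission');
    return ctx.body;
  }
  // Validate the name before it reaches the database, so stored content
  // is bounded and not an arbitrary payload that the UI later renders.
  const name = String(ctx.request.body.group_name || '').trim();
  if (!name || name.length > 64) {
    ctx.status = 400;
    ctx.body = resReturn(null, 400, 'invalid group name');
    return ctx.body;
  }
  const group = { id: store.groups.length + 1, name, owner: user.uid };
  store.groups.push(group);
  ctx.status = 200;
  ctx.body = resReturn(group);
  return ctx.body;
}

// Gate 2: self-registration is refused outright when the deployment sets
// closeRegister, so an instance reachable on port 80 gains no new accounts.
function register(ctx, config, store) {
  if (config.closeRegister === true) {
    ctx.status = 403;
    ctx.body = resReturn(null, 403, 'registration is closed');
    return ctx.body;
  }
  const { username, email } = ctx.request.body;
  if (!username || !email || store.users.some(u => u.email === email)) {
    ctx.status = 400;
    ctx.body = resReturn(null, 400, 'invalid or duplicate account');
    return ctx.body;
  }
  const user = { uid: store.users.length + 1, username, email, role: 'member' };
  store.users.push(user);
  ctx.status = 200;
  ctx.body = resReturn({ uid: user.uid, role: user.role });
  return ctx.body;
}

// Builds a minimal fake context (constructed input for the demo).
function makeCtx(user, body) {
  return { state: { user }, request: { body }, status: 0, body: null };
}

// Walks both gates and returns the observed error codes in order.
function demo() {
  const store = { groups: [], users: [] };
  const codes = [];
  codes.push(addGroup(makeCtx({ uid: 7, role: 'member' }, { group_name: 'x' }), store).errcode); // 401
  codes.push(addGroup(makeCtx({ uid: 1, role: 'admin' }, { group_name: 'payments' }), store).errcode); // 0
  codes.push(register(makeCtx(null, { username: 'a', email: 'a@example.test' }), { closeRegister: true }, store).errcode); // 403
  codes.push(register(makeCtx(null, { username: 'a', email: 'a@example.test' }), { closeRegister: false }, store).errcode); // 0
  codes.push(register(makeCtx(null, { username: 'a', email: 'a@example.test' }), { closeRegister: false }, store).errcode); // 400
  return { codes, groups: store.groups.length, users: store.users.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The role check runs before any input validation, matching the position of the commented-out lines in group.js, so a non-admin request never reaches the store; the registration gate is evaluated before the body is even read, so with `closeRegister` set the handler does no work at all on an unauthenticated request.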