$ git clone https://github.com/vulhub/vulhub.git
$ cd vulhub/yapi/mongodb-inj
$ ls
1.png config.json docker-compose.yml initdb.js poc.py README.md README.zh-cn.md
$ cat docker-compose.yml
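# Two-service lab stack: MongoDB plus the YApi web application.
version: '2'
services:
  mongo:
    image: mongo:5.0.6
    # No ports are published for this service, so MongoDB is reachable only
    # from the compose network.
    environment:
      # Fixed root/root credentials; initdb.js and config.json use the same pair.
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: root
      MONGO_INITDB_DATABASE: yapi
  web:
    image: vulhub/yapi:1.10.2
    ports:
      # Published on every host interface; use "127.0.0.1:3000:3000" to keep
      # the web UI reachable from this machine only.
      - "3000:3000"
    volumes:
      - ./config.json:/usr/config.json
      - ./initdb.js:/usr/src/initdb.js
    environment:
      - MONGO_ADDR=mongo:27017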
$ cat config.json
{
"port": "3000",
"adminAccount": "admin@admin.com",
"timeout": 120000,
"closeRegister": false,
"db": {
"servername": "mongo",
"DATABASE": "yapi",
"port": 27017,
"user": "root",
"pass": "root",
"authSource": "admin"
},
"mail": {
"enable": true,
"host": "smtp.163.com",
"port": 465,
"from": "***@163.com",
"auth": {
"user": "***@163.com",
"pass": "*****"
}
}
}
# root @ liuyuelong-System-Product-Name in ~/workspace/github/vulhub/yapi/mongodb-inj on git:master x [19:34:12]
$ cat initdb.js
const { MongoClient } = require("mongodb");
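// Connection string for the lab's MongoDB service. The root:root pair is
// hard-coded (the same values docker-compose.yml gives the mongo container);
// the host:port part is read from the MONGO_ADDR environment variable.
const url = `mongodb://root:root@${process.env.MONGO_ADDR}/?authSource=admin`;

// Seeds the "yapi" database with one sample group, project, category,
// collection, interface, test case and project token, all using the id 66.
// The script does nothing when a project document already exists.
MongoClient.connect(url, async function(err, client) {
  // On a connection error there is no usable client; report the failure
  // instead of dereferencing it below.
  if (err) {
    console.error("failed to connect to MongoDB:", err);
    process.exitCode = 1;
    return;
  }

  // Unix time in whole seconds, evaluated separately for every field that uses it.
  const nowSeconds = () => Math.floor(Date.now() / 1000);

  try {
    const database = client.db("yapi");
    const user = await database.collection("user").findOne();
    const temp = await database.collection("project").findOne();
    if (temp) {
      console.log("database has already been initialized");
      return;
    }

    // Every seeded document is owned by the first user found; without one
    // there is no _id to assign, so stop before writing anything.
    if (!user) {
      console.error("no user document found; cannot seed the database");
      process.exitCode = 1;
      return;
    }

    const baseid = 66;

    await database.collection("group").insertOne({
      "_id": baseid,
      "custom_field1": {
        "enable": false
      },
      "type": "private",
      "uid": user._id,
      "group_name": "User-11",
      "add_time": nowSeconds(),
      "up_time": nowSeconds(),
      "members": [],
      "__v": 0
    });

    await database.collection("project").insertOne({
      "_id": baseid,
      "switch_notice": true,
      "is_mock_open": false,
      "strice": false,
      "is_json5": false,
      "name": "vulhub",
      "basepath": "",
      "members": [],
      "project_type": "private",
      "uid": user._id,
      "group_id": baseid,
      "icon": "code-o",
      "color": "purple",
      "add_time": nowSeconds(),
      "up_time": nowSeconds(),
      "env": [
        {
          "header": [],
          "name": "local",
          "domain": "http://127.0.0.1",
          "global": []
        }
      ],
      "tag": [],
      "__v": 0
    });

    await database.collection("interface_cat").insertOne({
      "_id": baseid,
      "index": 0,
      "name": "公共分类",
      "project_id": baseid,
      "desc": "公共分类",
      "uid": user._id,
      "add_time": nowSeconds(),
      "up_time": nowSeconds(),
      "__v": 0,
    });

    await database.collection("interface_col").insertOne({
      "_id": baseid,
      "checkResponseField": {
        "name": "code",
        "value": "0",
        "enable": false
      },
      "checkScript": {
        "enable": false
      },
      "index": 0,
      "test_report": "{}",
      "checkHttpCodeIs200": false,
      "checkResponseSchema": false,
      "name": "公共测试集",
      "project_id": baseid,
      "desc": "公共测试集",
      "uid": user._id,
      "add_time": nowSeconds(),
      "up_time": nowSeconds(),
      "__v": 0,
    });

    await database.collection("interface").insertOne({
      "_id": baseid,
      "edit_uid": 0,
      "status": "undone",
      "type": "static",
      "req_body_is_json_schema": false,
      "res_body_is_json_schema": false,
      "api_opened": false,
      "index": 0,
      "tag": [],
      "method": "GET",
      "catid": baseid,
      "title": "sample",
      "path": "/",
      "project_id": baseid,
      "req_params": [],
      "res_body_type": "json",
      "query_path": {
        "path": "/",
        "params": []
      },
      "uid": user._id,
      "add_time": nowSeconds(),
      "up_time": nowSeconds(),
      "req_query": [],
      "req_headers": [],
      "req_body_form": [],
      "__v": 0,
    });

    await database.collection("interface_case").insertOne({
      "_id": baseid,
      "index": 0,
      "mock_verify": false,
      "enable_script": false,
      // NOTE(review): literal uid 11 here, while the other documents use
      // user._id — confirm this is intended.
      "uid": 11,
      "add_time": nowSeconds(),
      "up_time": nowSeconds(),
      "project_id": baseid,
      "col_id": baseid,
      "interface_id": baseid,
      "casename": "sample",
      "req_params": [],
      "req_headers": [],
      "req_query": [],
      "req_body_form": [],
      "__v": 0
    });

    // Static token value: it is identical on every instance seeded by this
    // script, so it must be treated as public.
    await database.collection("token").insertOne({
      "_id": baseid,
      "project_id": baseid,
      "token": "1cae15606ea4b223b01a",
      "__v": 0,
    });

    // Presumably keeps the application's id counters from reissuing the
    // seeded id — confirm against how YApi uses identitycounters.
    await database.collection("identitycounters").updateMany({field: "_id"}, {$set: {count: baseid}});

    console.log("finish database initialization");
  } catch (error) {
    // A failed query or insert would otherwise surface as an unhandled
    // rejection from this async callback.
    console.error("database initialization failed:", error);
    process.exitCode = 1;
  } finally {
    // Release the connection on every path, including early returns and errors.
    await client.close();
  }
});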
检查后没有其他需要修改的地方,只需把配置文件 config.json 中的 closeRegister 设置成 false(即允许注册新用户),然后启动:
$ docker-compose up -d
在浏览器中访问 http://<主机IP>:3000
默认账号名:“admin@admin.com”,
密码:“ymfe.org”