Nacos Hessian反序列化漏洞

admin 2024年2月15日18:00:57评论25 views字数 2337阅读7分47秒阅读模式

Nacos Hessian反序列化漏洞

1

漏洞描述

Nacos Hessian反序列化漏洞
Nacos在处理某些基于Jraft的请求时,采用Hessian进行反序列化,但并未设置限制,导致应用存在远程代码执行(RCE)漏洞。

2

漏洞复现

Nacos Hessian反序列化漏洞

步骤一:在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

#FOFA搜索语法protocol="nacos(http)"

步骤二:开启代理并打开BP对其首页进行抓包拦截....修改请求包内容....在响应数据包的正文中返回内容包含"version":"2.0.3"的json数据。

GET /nacos/v1/console/server/state HTTP/1.1Host: ipCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9If-Modified-Since: Wed, 28 Jul 2021 11:28:45 GMTConnection: close

步骤三:开启代理并打开BP对其首页进行抓包拦截....修改请求包内容....无返回数据包。

GET / HTTP/1.1Host: ipCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9If-Modified-Since: Wed, 28 Jul 2021 11:28:45 GMTConnection: close

步骤四:使用NacosRce工具进行命令执行,得到结果。

3

nuclei脚本

Nacos Hessian反序列化漏洞
id: nacos-jraft-hessian-rceinfo:  name: nacos-jraft-hessian-rce  author: sm  severity: critical  tags: nacos,rce,Hessian,nacos-rce  description: Nacos在处理某些基于Jraft的请求时,采用Hessian进行反序列化,但并未设置限制,导致应用存在远程代码执行(RCE)漏洞  metadata:     fofa-query: "protocol="nacos(http)""    verified: true  reference: https://mp.weixin.qq.com/s/FUBdfMugEd-5k-CGyLbuJwtcp:  - inputs:    host:      - "{{Host}}:7848"    matchers:      - type: word        words:          - ""
id: nacos-jraftserver-deserialization-rceinfo:  name: Nacos - jraftserver deserialization Remote Code Execution  author: unknown  severity: critical  description: Nacos uses Hessian for deserialization when processing certain Jraft based requests, but no restrictions are set, resulting in remote code execution (RCE) vulnerabilities in the application.   reference: https://stack.chaitin.com/techblog/detail?id=106  tags: nacos,rce,nacos-rce  metadata:    max-request: 1http:  - method: GET    path:      - "{{BaseURL}}/nacos/v1/console/server/state"      - "{{BaseURL}}/v1/console/server/state"    matchers-condition: or    matchers:      - type: word        words:          - '"standalone_mode":"cluster"'        part: body      - type: regex        regex:          - '"version":"2..*?"'        part: body

4

nacos集成脚本推荐

Nacos Hessian反序列化漏洞
https://github.com/charonlight/NacosExploitGUI

原文始发于微信公众号(揽月安全团队):Nacos Hessian反序列化漏洞

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月15日18:00:57
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Nacos Hessian反序列化漏洞http://cn-sec.com/archives/2190139.html

发表评论

匿名网友 填写信息