Nacos未授权 CVE-2021-29441
Nacos未授权 CVE-2021-29441
环境搭建
环境所需的 docker-compose.yml 及相关配置文件附在文末
环境启动
docker-compose up -d
查看下当前的容器
docker ps
漏洞复现
访问Web页面
127.0.0.1:8848
抓包,访问http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=2
将User-Agent的值修改为Nacos-Server,发送看下返回包
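此时返回的响应状态码为200,响应体中包含当前用户名nacos,以及加盐哈希后的密码值。该请求没有携带任何登录凭据,且环境中已设置NACOS_AUTH_ENABLE=true,说明该版本服务端仅凭User-Agent: Nacos-Server就把请求当作集群节点间的内部调用而跳过了鉴权,这正是CVE-2021-29441的成因。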
添加新用户qhoo360
此时用户添加成功
使用新建的账号(qhoo360)登录
环境文件
docker-compose.yml
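# Local lab for the Nacos authentication-bypass walkthrough (CVE-2021-29441).
# The listing on the page lost its indentation; nesting is restored here so
# that `nacos` and `mysql` are services rather than duplicated top-level keys.
# This stack is intentionally vulnerable and uses trivial credentials: run it
# only on an isolated workstation and tear it down afterwards.
version: "2"
services:
  nacos:
    # Pinned to the 1.4.0 image that the walkthrough targets. Do not use this
    # tag for anything other than reproducing and testing detection of the issue.
    image: nacos/nacos-server:1.4.0
    container_name: nacos-standalone-mysql
    env_file:
      - ./env/nacos-standlone-mysql.env
    volumes:
      - ./standalone-logs/:/home/nacos/logs
      - ./init.d/nacos.properties:/home/nacos/init.d/custom.properties
    ports:
      # Published on loopback only: the walkthrough reaches the service at
      # 127.0.0.1:8848, so there is no reason to expose a vulnerable server
      # on every host interface.
      - "127.0.0.1:8848:8848"
      - "127.0.0.1:9848:9848"
      - "127.0.0.1:9555:9555"
    depends_on:
      - mysql
    restart: on-failure
  mysql:
    container_name: mysql
    image: nacos/nacos-mysql:5.7
    env_file:
      - ./env/mysql.env
    volumes:
      - ./mysql:/var/lib/mysql
    ports:
      # Nacos reaches the database through the compose service name `mysql`
      # (MYSQL_SERVICE_HOST), so this mapping is only for local inspection.
      # Bound to loopback because the root password in env/mysql.env is trivial.
      - "127.0.0.1:3306:3306"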
requirements.txt
# Pins the requests HTTP client library; no script that uses it appears on this page.
# NOTE(review): the pin is exact and may be outdated; check it against current advisories before reuse.
requests==2.26.0
/init.d/nacos.properties
# Custom properties for the lab's Nacos container; docker-compose.yml mounts this
# file as /home/nacos/init.d/custom.properties.
# NOTE(review): the commented-out switches below look like they would relax security
# checks if enabled (e.g. an ignore pattern of /**); keep them commented out.
#spring.security.enabled=false
#management.security=false
#security.basic.enabled=false
#nacos.security.ignore.urls=/**
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for prometheus
# NOTE(review): "*" exposes every Spring Boot Actuator web endpoint, not only the
# Prometheus one. Outside a throwaway lab, list only the endpoints that are needed
# (for example prometheus,health) and keep them off untrusted networks.
management.endpoints.web.exposure.include=*
# metrics for elastic search
#management.metrics.export.elastic.enabled=false
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for influx
#management.metrics.export.influx.enabled=false
#management.metrics.export.influx.db=springboot
#management.metrics.export.influx.uri=http://localhost:8086
#management.metrics.export.influx.auto-create-db=true
#management.metrics.export.influx.consistency=one
#management.metrics.export.influx.compressed=true
/env/mysql.env
# Environment for the lab's MySQL container (loaded through env_file in docker-compose.yml).
# The root and application passwords are trivial lab defaults. Never reuse them, and
# never publish this database on an interface that other hosts can reach.
MYSQL_ROOT_PASSWORD=root
MYSQL_DATABASE=nacos_devtest
MYSQL_USER=nacos
MYSQL_PASSWORD=nacos
# NOTE(review): this looks like a Nacos server setting and presumably has no effect
# inside the MySQL container; confirm and remove it from this file.
NACOS_AUTH_ENABLE=true
/env/nacos-standlone-mysql.env
# Environment for the lab's Nacos server container (loaded through env_file in docker-compose.yml).
PREFER_HOST_MODE=hostname
MODE=standalone
# Database connection. The host "mysql" is the compose service name, and the database
# name, user and password match the values in env/mysql.env (trivial lab credentials).
SPRING_DATASOURCE_PLATFORM=mysql
MYSQL_SERVICE_HOST=mysql
MYSQL_SERVICE_DB_NAME=nacos_devtest
MYSQL_SERVICE_PORT=3306
MYSQL_SERVICE_USER=nacos
MYSQL_SERVICE_PASSWORD=nacos
# useSSL=false leaves the JDBC connection to MySQL unencrypted. That is tolerable only
# because both containers share the local compose network in this lab.
MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false
# Authentication is switched on here, yet the walkthrough on this page still lists users
# without credentials by sending User-Agent: Nacos-Server. Enabling auth alone therefore
# does not mitigate CVE-2021-29441 on the 1.4.0 image. Remediation is to upgrade to a
# patched release and turn off the User-Agent allow-list
# (nacos.core.auth.enable.userAgentAuthWhite=false, with nacos.core.auth.server.identity.key
# and nacos.core.auth.server.identity.value set to non-default values); confirm the exact
# settings against the vendor advisory for the deployed version.
# Detection hint: unauthenticated requests to /nacos/v1/auth/users that carry
# User-Agent: Nacos-Server from anything other than a cluster peer warrant investigation.
NACOS_AUTH_ENABLE=true