Nacos未授权 CVE-2021-29441

环境搭建

环境dockerfile在文末
环境启动

docker-compose up -d

查看下当前的容器

docker ps

漏洞复现

访问Web页面
127.0.0.1:8848

抓包，访问http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=2
将User-Agent的值修改为Nacos-Server，发送看下返回包

此时看到返回的响应为200，并且包含了当前的用户名nacos，密码为加盐加密之后的值
添加新用户qhoo360

此时用户添加成功

使用新建的账号(qhoo360)登录

环境文件

docker-compose.yml

version: "2"
services:
  nacos:
    image: nacos/nacos-server:1.4.0
    container_name: nacos-standalone-mysql
    env_file:
      - ./env/nacos-standlone-mysql.env
    volumes:
      - ./standalone-logs/:/home/nacos/logs
      - ./init.d/nacos.properties:/home/nacos/init.d/custom.properties
    ports:
      - "8848:8848"
      - "9848:9848"
      - "9555:9555"
    depends_on:
      - mysql
    restart: on-failure
  mysql:
    container_name: mysql
    image: nacos/nacos-mysql:5.7
    env_file:
      - ./env/mysql.env
    volumes:
      - ./mysql:/var/lib/mysql
    ports:
      - "3306:3306"

/init.d/nacos.properties

#spring.security.enabled=false
#management.security=false
#security.basic.enabled=false
#nacos.security.ignore.urls=/**
#management.metrics.export.elastic.host=http://localhost:9200
# metrics for prometheus
management.endpoints.web.exposure.include=*
# metrics for elastic search
#management.metrics.export.elastic.enabled=false
#management.metrics.export.elastic.host=http://localhost:9200

# metrics for influx
#management.metrics.export.influx.enabled=false
#management.metrics.export.influx.db=springboot
#management.metrics.export.influx.uri=http://localhost:8086
#management.metrics.export.influx.auto-create-db=true
#management.metrics.export.influx.consistency=one
#management.metrics.export.influx.compressed=true

requirements.txt

requests==2.26.0

/env/mysql.env

MYSQL_ROOT_PASSWORD=root
MYSQL_DATABASE=nacos_devtest
MYSQL_USER=nacos
MYSQL_PASSWORD=nacos
NACOS_AUTH_ENABLE=true

/env/nacos-standlone-mysql.env

PREFER_HOST_MODE=hostname
MODE=standalone
SPRING_DATASOURCE_PLATFORM=mysql
MYSQL_SERVICE_HOST=mysql
MYSQL_SERVICE_DB_NAME=nacos_devtest
MYSQL_SERVICE_PORT=3306
MYSQL_SERVICE_USER=nacos
MYSQL_SERVICE_PASSWORD=nacos
MYSQL_SERVICE_DB_PARAM=characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true&useSSL=false
NACOS_AUTH_ENABLE=true

本栏目推荐文章
• 2021-2022 ICPC Northwestern European Regional Programming Contest (NWERC 2021)
• OFBiz RCE漏洞复现（CVE-2023-51467）
• CVE-2023-34050 Spring AMQP Deserialization Vulnerability
• CVE-2020-11800
• NACOS安装
• 2020-2021 ACM-ICPC, Asia Seoul Regional Contest
• 2021 Jiangsu Collegiate Programming Contest
• nacos开启鉴权配置
• Docker安装nacos（配置文件映射）
• nacos for k8s

Nacos 29441 2021 CVEnacos 29441 2021 cve laravel 2021 3129 cve apache-cve apache 41773 2021 gitlab 22205 2021 cve 2021漏洞cve qemu 29441 2021 cve amp命令 漏洞27239 2021 cve cve apache-cve