alibaba nacos


Download:

  • https://github.com/alibaba/nacos/releases/download/2.0.0-ALPHA.1/nacos-server-2.0.0-ALPHA.1.zip

Vulnerability references:

  • https://github.com/alibaba/nacos/issues/4593
  • https://github.com/alibaba/nacos/blob/3d97e36785f099ea99d559fae91e9d80a3b0c320/core/src/main/java/com/alibaba/nacos/core/auth/AuthFilter.java#L78
  • https://github.com/alibaba/nacos/blob/3d97e36785f099ea99d559fae91e9d80a3b0c320/sys/src/main/java/com/alibaba/nacos/sys/env/Constants.java#L63

Installation and startup:

cd nacos\bin
.\startup.cmd -m standalone

Startup output:

PS C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\bin> .\startup.cmd -m standalone
"nacos is starting with standalone"

         ,--.
       ,--.'|
   ,--,:  : |                                           Nacos 2.0.0-ALPHA.1
,`--.'`|  ' :                       ,---.               Running in stand alone mode, All function modules
|   :  :  | |                      '   ,'\   .--.--.    Port: 8848
:   |   \ | :  ,--.--.     ,---.  /   /   | /  /    '   Pid: 4132
|   : '  '; | /       \   /     \.   ; ,. :|  :  /`./   Console: http://192.168.150.1:8848/nacos/index.html
'   ' ;.    ;.--.  .-. | /    / ''   | |: :|  :  ;_
|   | | \   | \__\/: . ..    ' / '   | .; : \  \    `.      https://nacos.io
'   : |  ; .' ," .--.; |'   ; :__|   :    |  `----.   \
|   | '`--'  /  /  ,.  |'   | '.'|\   \  /  /  /`--'  /
'   : |     ;  :   .'   \   :    : `----'  '--'.     /
;   |.'     |  ,     .-./\   \  /            `--'---'
'---'        `--`---'     `----'

2020-12-31 11:23:02,647 INFO Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@66c61024' of type [org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

2020-12-31 11:23:02,653 INFO Bean 'methodSecurityMetadataSource' of type [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

2020-12-31 11:23:04,338 INFO Tomcat initialized with port(s): 8848 (http)

2020-12-31 11:23:05,372 INFO Root WebApplicationContext: initialization completed in 9221 ms

2020-12-31 11:23:18,819 INFO Initializing ExecutorService 'applicationTaskExecutor'

2020-12-31 11:23:18,932 INFO Adding welcome page: class path resource [static/index.html]

2020-12-31 11:23:19,576 INFO Creating filter chain: Ant [pattern='/**'], []

2020-12-31 11:23:19,622 INFO Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@701a32, org.springframework.security.web.context.SecurityContextPersistenceFilter@a8a8b75, org.springframework.security.web.header.HeaderWriterFilter@412c995d, org.springframework.security.web.csrf.CsrfFilter@6b9c69a9, org.springframework.security.web.authentication.logout.LogoutFilter@51e37590, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@72be135f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2e647e59, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@39aa45a1, org.springframework.security.web.session.SessionManagementFilter@4dd94a58, org.springframework.security.web.access.ExceptionTranslationFilter@30b9eadd]

2020-12-31 11:23:19,858 INFO Initializing ExecutorService 'taskScheduler'

2020-12-31 11:23:19,878 INFO Exposing 16 endpoint(s) beneath base path '/actuator'

2020-12-31 11:23:20,012 INFO Tomcat started on port(s): 8848 (http) with context path '/nacos'

2020-12-31 11:23:20,016 INFO Nacos Log files: C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\logs

2020-12-31 11:23:20,016 INFO Nacos Log files: C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\conf

2020-12-31 11:23:20,017 INFO Nacos Log files: C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\data

2020-12-31 11:23:20,017 INFO Nacos started successfully in stand alone mode. use embedded storage

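After logging in, the console looks like this: [screenshot]

In application.properties the default is false, i.e. authentication is not enabled.
By default, usernames and passwords can be viewed and users can be added, [screenshots]
and a newly added user can log in directly. [screenshot]

After manually changing it to true and restarting,
the response becomes 403. [screenshot]

After adding this header,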

User-Agent: Nacos-Server

authentication is bypassed. [screenshots]
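Because the bypass above depends only on a client-supplied User-Agent, it leaves a trace in HTTP access logs: requests that claim to be a Nacos server but do not come from a cluster member. The following detection sketch is an added example, not code from the original post or from the Nacos project; the access-log pattern, the peer allow-list, the sample lines and the `/nacos/EXAMPLE-API` placeholder path are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed access-log pattern (not necessarily the Nacos default):
#   %h %l %u %t "%r" %s %b "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"$'
)
SERVER_UA_PREFIX = "Nacos-Server"  # the header value shown on this page

# Constructed allow-list: source addresses of the real cluster members.
CLUSTER_PEERS = {"10.0.0.11", "10.0.0.12"}

# Constructed sample log; /nacos/EXAMPLE-API is a placeholder path.
SAMPLE_LOG = """\
10.0.0.11 - - [31/Dec/2020:11:30:01 +0800] "GET /nacos/EXAMPLE-API HTTP/1.1" 200 512 "Nacos-Server:v2.0.0"
192.168.150.23 - - [31/Dec/2020:11:31:07 +0800] "GET /nacos/EXAMPLE-API HTTP/1.1" 403 120 "Mozilla/5.0"
192.168.150.23 - - [31/Dec/2020:11:31:40 +0800] "GET /nacos/EXAMPLE-API HTTP/1.1" 200 512 "Nacos-Server"
192.168.150.23 - - [31/Dec/2020:11:32:02 +0800] "POST /nacos/EXAMPLE-API HTTP/1.1" 200 64 "Nacos-Server"
192.168.150.40 - - [31/Dec/2020:11:35:10 +0800] "GET /nacos/index.html HTTP/1.1" 200 2048 "Mozilla/5.0"
"""


def find_spoofed_server_ua(log_text, peers=CLUSTER_PEERS):
    """Return requests that present the server User-Agent from a non-peer source."""
    allowed = {ipaddress.ip_address(p) for p in peers}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["ua"].startswith(SERVER_UA_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # hostname logged: cannot match the allow-list, so report it
        if src in allowed:
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"], "path": m["path"],
            # a status below 400 means the auth filter let the request through
            "accepted": int(m["status"]) < 400,
        })
    return findings


if __name__ == "__main__":
    for finding in find_spoofed_server_ua(SAMPLE_LOG):
        print(finding)
```

A finding with `accepted` set to true on a server that has authentication enabled indicates the header was honoured; the same finding with a 403 shows the attempt was rejected.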

SkyWalking references:

  • http://www.itmuch.com/skywalking/dynamic-configuration/
  • https://skyapm.github.io/document-cn-translation-of-skywalking/zh/8.0.0/setup/backend/dynamic-config.html
  • https://github.com/apache/skywalking/pull/6098/commits/2f72539f7b57c9b3cf6870e5b6f6972783413900
  • https://github.com/apache/skywalking/pull/6098/files