clickhouse-unauth: ClickHouse - Unauthorized Access

Date: 2025-08-01 | Affected software: ClickHouse | PoC: public

Vulnerability description

The ClickHouse instance can be accessed with no authentication in place.

PoC code [public]

id: clickhouse-unauth

info:
  name: ClickHouse - Unauthorized Access
  author: lu4nx
  severity: high
  description: ClickHouse was able to be accessed with no required authentication in place.
  metadata:
    max-request: 1
  tags: network,clickhouse,unauth,misconfig,tcp,vuln

tcp:
  - inputs:
      # 0011436c69636b486f75736520636c69656e741508b1a9030007 is header
      # 64656661756c74 = default
      - data: 0011436c69636b486f75736520636c69656e741508b1a903000764656661756c7400
        type: hex

    host:
      - "{{Hostname}}"
    port: 9000

    read-size: 100
    matchers:
      - type: word
        words:
          - "ClickHouse"
          - "UTC"
        condition: and
# digest: 480a00453043021f4236d9c3471c4370e1f6edfb9897b008f84d589616b8660efea989e38e680102206b2bdc3a6262c766a2adf2e87fb49a1a2ae75e5222db31abf13a81592ec553c8:922c64590222798bb761d5b6d8e72950
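
Decoding the probe bytes from the template above shows exactly which credentials the check presents. This Python is an added example, not part of the original template; the field order (packet type, client name, major, minor, revision, database, user, password) is assumed from the ClickHouse native protocol's client Hello, and the function names are hypothetical.

```python
# Added example: decode the client Hello that the template sends to port 9000.
# Field order is an assumption taken from the ClickHouse native protocol.
PROBE_HEX = "0011436c69636b486f75736520636c69656e741508b1a903000764656661756c7400"


def read_varuint(buf, pos):
    """Decode an unsigned LEB128 varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varuint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def read_string(buf, pos):
    """Decode a varint-length-prefixed UTF-8 string; return (text, next_pos)."""
    length, pos = read_varuint(buf, pos)
    if pos + length > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + length].decode("utf-8"), pos + length


def decode_hello(data):
    """Parse a client Hello into a dict; reject truncated or trailing bytes."""
    layout = [("packet_type", read_varuint), ("client_name", read_string),
              ("version_major", read_varuint), ("version_minor", read_varuint),
              ("revision", read_varuint), ("database", read_string),
              ("user", read_string), ("password", read_string)]
    fields, pos = {}, 0
    for name, reader in layout:
        fields[name], pos = reader(data, pos)
    if pos != len(data):
        raise ValueError("unexpected trailing bytes")
    return fields


def is_passwordless_default_login(fields):
    """True when the Hello logs in as 'default' with an empty password."""
    return fields["packet_type"] == 0 and fields["user"] == "default" \
        and fields["password"] == ""


if __name__ == "__main__":
    hello = decode_hello(bytes.fromhex(PROBE_HEX))
    print(hello, is_passwordless_default_login(hello))
```

The decoded Hello is a login as user `default` with an empty password and an empty database name, so a match on this template means the `default` account accepts passwordless logins on the native TCP port.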
