Vulnerability description
Nacos's default port 7848 is used for Raft protocol communication between Nacos cluster nodes; the service on this port uses Hessian for deserialization when handling some Jraft requests.
FOFA: "nacos cluster"
id: nacos-jraftserver-deserialization-rce

info:
  name: Nacos Jraft 远程代码执行 RCE
  author: zan8in
  severity: critical
  verified: true
  description: |
    Nacos默认的7848端口是用于Nacos集群间Raft协议的通信,该端口的服务在处理部分Jraft请求时会使用Hessian进行反序列化
    FOFA: "nacos cluster"
  tags: nacos,cluster,rce
  created: 2023/07/27

rules:
  r0:
    request:
      method: GET
      path: /nacos/v1/console/server/state
    expression: |
      response.status == 200 && response.body.bcontains(b'"standalone_mode":"cluster"') && "\"version\":\"2\\..*?\"".bmatches(response.body)
    extractors:
      - type: regex
        extractor:
          search: '"\"version\":\"(?P<nacos>.*?)\"".bsubmatch(response.body)'
          nacos: search["nacos"]
  r1:
    request:
      method: GET
      path: /nacos/v1/console/server/state
    expression: |
      (versionCompare(string(nacos),">=","1.4.0") && versionCompare(string(nacos),"<","1.4.6")) ||
      (versionCompare(string(nacos),">=","2.0.0") && versionCompare(string(nacos),"<","2.2.3"))
    stop_if_match: true
  r2:
    request:
      method: GET
      path: /v1/console/server/state
    expression: |
      response.status == 200 && response.body.bcontains(b'"standalone_mode":"cluster"') && "\"version\":\"2\\..*?\"".bmatches(response.body)
    extractors:
      - type: regex
        extractor:
          search: '"\"version\":\"(?P<nacos2>.*?)\"".bsubmatch(response.body)'
          nacos2: search["nacos2"]
  r3:
    request:
      method: GET
      path: /v1/console/server/state
    expression: |
      (versionCompare(string(nacos2),">=","1.4.0") && versionCompare(string(nacos2),"<","1.4.6")) ||
      (versionCompare(string(nacos2),">=","2.0.0") && versionCompare(string(nacos2),"<","2.2.3"))

expression: (r0() && r1()) || (r2() && r3())
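As an added example (not part of the template above or of the afrog project), the following Python reimplements the version gating of rules r0 to r3 as a standalone check over a saved server-state JSON body, so an operator can triage their own Nacos nodes offline; unlike r0, which only extracts versions beginning with "2.", it evaluates both affected ranges directly. The sample bodies and the `assess_server_state` function name are constructed for this example.

```python
import json
import re

# Affected ranges encoded in rules r1/r3: [1.4.0, 1.4.6) and [2.0.0, 2.2.3).
AFFECTED_RANGES = [("1.4.0", "1.4.6"), ("2.0.0", "2.2.3")]


def parse_version(version: str) -> tuple:
    """Turn '2.2.0' (or '2.2.0-BETA') into a tuple of ints for comparison.
    A pre-release suffix is dropped, so '2.2.0-BETA' compares as 2.2.0."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def version_in_range(version: str, low: str, high: str) -> bool:
    """low <= version < high, mirroring versionCompare(v,">=",low) && versionCompare(v,"<",high)."""
    return parse_version(low) <= parse_version(version) < parse_version(high)


def assess_server_state(body: str) -> dict:
    """Evaluate one /v1/console/server/state response body the way r0/r1 do.

    Both affected ranges are checked directly. 'match' is true only when the
    node runs in cluster mode (the Raft port is only used between cluster
    members) AND the reported version falls into an affected range."""
    try:
        state = json.loads(body)
    except json.JSONDecodeError:
        return {"version": None, "cluster_mode": False, "affected_version": False, "match": False}
    version = state.get("version") or ""
    cluster_mode = state.get("standalone_mode") == "cluster"
    affected_version = bool(version) and any(
        version_in_range(version, low, high) for low, high in AFFECTED_RANGES)
    return {"version": version or None, "cluster_mode": cluster_mode,
            "affected_version": affected_version, "match": cluster_mode and affected_version}


# Constructed sample bodies for demonstration, not captured from a real server.
SAMPLE_VULNERABLE = '{"standalone_mode":"cluster","function_mode":null,"version":"2.2.0"}'
SAMPLE_FIXED = '{"standalone_mode":"cluster","function_mode":null,"version":"2.2.3"}'
SAMPLE_STANDALONE = '{"standalone_mode":"standalone","function_mode":null,"version":"1.4.2"}'

if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                        ("standalone", SAMPLE_STANDALONE)):
        print(label, assess_server_state(body))
```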