Aggregator

**漏洞简单描述：
Nacos是一套帮助发现、配置和管理微服务的程序。提供一组简单易用的特性集，能够快速的实现动态服务发现、服务配置、服务元数据以及流量管理。

2020年12月29日，Nacos官方在github发布的issue中披露Alibaba Nacos 存在一个由于不当处理User-Agent导致的未授权访问漏洞 。通过该漏洞，攻击者可以进行任意操作，包括创建新用户并进行登录后操作。

https://github.com/alibaba/nacos/issues/1105

在Nacos 2.0版本存在未授权访问漏洞，程序未有效对于用户权限进行判断，导致能够添加任意用户、修改任意用户密码等等问题。

危害等级：高危

影响范围 : Nacos <= 2.0.0-ALPHA.1

*1. 漏洞环境查找：

*2.然后使用google hackbar发送数据包：
POC：
http://IP:端口/nacos/v1/auth/users?pageNo=1&pageSize=9

4 个帖子 - 4 位参与者

阅读完整话题

GCSB Director-General Andrew Hampton opening statement to Intelligence and Security Committee on Monday 27 March 2023.

Playing around with Bing Chat is quite fun. Until today I mostly used ChatGPT and GPT-4 directly, but I was curious of the capabilites and restrictions of Bing Chat.

I noticed that as soon as I mentioned the word “hacker”, Bing Chat became quite “uncomfortable”. For instance, when I asked it to imagine being a hacker and list some security vulnerabilities, it replied:

So, how about we indirectly imply the intent, rather than stating it directly. So, I used a variation of a language manipulation technique like this: