Penetration Basics: Minio Version Detection
0x00 Preface
This article will introduce methods for Minio version detection, implement automation via Python, record development details, and open-source the code.
0x01 Introduction
This article will cover the following content:
Implementation Ideas
Implementation Details
Open-Source Code
0x02 Basic Knowledge
MinIO is a high-performance, distributed object storage system developed in the Go language. MinIO can be used as a cloud storage solution to store massive amounts of images, videos, and documents. Since it is implemented in Go, the server can run on Windows, Linux, OS X, and FreeBSD, and only requires a single executable file to run.
For environment setup on Windows, refer to: https://min.io/docs/minio/windows/index.html
1. Download
Latest version: https://dl.min.io/server/minio/release/windows-amd64/minio.exe
Historical versions: https://dl.min.io/server/minio/release/windows-amd64/archive/
After downloading a historical version, add the .exe file extension and run it directly.
2. Start the service
Command line parameters: minio.exe server C:\\minio --console-address :9090
3. Web access
URL address: http://127.0.0.1:9090
Default username: minioadmin
Default password: minioadmin
0x03 Implementation Approach
Minio version detection requires logging into the Web backend
Access location: Health page, as shown in the figure below
From the page, you can see the current version as well as node and storage information
In program implementation, we can analyze the authentication process by packet capture, and the details are as follows:
1. Login
Access address: http://127.0.0.1:9090/api/v1/login
Pass the authentication information in JSON format, and the details are as follows:
After successful login, return status code 204, and add Cookie: token=xxxx in the Header as credentials
2. Read version information
Access address: http://127.0.0.1:9090/api/v1/admin/info
Requires Cookie: token=xxxx as credentials
The return result is in JSON format, as shown in the figure below
Supplement: Get the latest version of Minio
Access address: http://127.0.0.1:9090/api/v1/check-version
0x04 Implementation details
1. Log in
A problem needs to be considered here: the case where the default port is modified
When implementing automation with a program, port 9000 is usually used, but there are cases where the port is modified to 9001, and a small number of cases where it is modified to other uncommon ports
If the port is incorrect, it will return status code 400, example of return content:
Therefore, in program implementation, a check can be added here: when using the default port 9000, if a specific condition is returned, prompt a port error, then try port 9001, and if it fails again, prompt to modify the default port
Complete example code:
2. Read version information
The return result is in JSON format, example result:
There are multiple servers here, so traversal is needed during parsing. The sample code is as follows:
0x05 Open Source Code
The complete implementation code has been uploaded to GitHub, and the address is as follows: https://github.com/3gstudent/Homework-of-Python/blob/master/MinIO_GetVersion.py
The code supports the following two commands:
getversin: used to obtain version information
getinfo: used to obtain complete information
0x06 Summary
This article introduces the method of MinIO version detection, and combined with real-world environments, it explains the details of Python-based development and provides the open source code.