带回显版本的漏洞利用脚本

Last update: Nov 09, 2022

Overview

CVE-2021-21978

带回显版本的漏洞利用脚本，更简单的方式

0. 漏洞信息

VMware View Planner Web管理界面存在一个上传日志功能文件的入口，没有进行认证且写入的日志文件路径用户可控，通过覆盖上传日志功能文件log_upload_wsgi.py，即可实现RCE

漏洞代码：

def application(environ, start_response):
    logger.debug("application called")

    if environ['REQUEST_METHOD'] == 'POST':
        post = cgi.FieldStorage(
            fp=environ['wsgi.input'],
            environ=environ,
            keep_blank_values=True
        )

        # TO DO: Puth path in some config or read from config is already available
        resultBasePath = "/etc/httpd/html/vpresults"
        try:
            filedata = post["logfile"]
            metaData = post["logMetaData"]

            if metaData.value:
                logFileJson = LogFileJson.from_json(metaData.value)

            if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):
                os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))

            if filedata.file:
                if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):
                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))
                else:
                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)
                with open(filePath, 'wb') as output_file:
                    while True:
                        data = filedata.file.read(1024)
                        # End of file
                        if not data:
                            break
                        output_file.write(data)

1. 依赖

pip install requests

2. 检测

git clone https://github.com/skytina/CVE-2021-21978
cd CVE-2021-21978
python3 CVE-2021-21978.py https://192.168.80.3/

3. 漏洞利用

漏洞利用脚本会重写log_upload_wsgi.py，让它成为一个后门

4. 参考链接

漏洞利用来源：https://twitter.com/osama_hroot/status/1367258907601698816

VMware官方公告: https://www.vmware.com/security/advisories/VMSA-2021-0003.html

声明

工具仅用于安全人员安全测试与研究使用，任何未授权检测造成的直接或者间接的后果及损失，均由使用者本人负责。
The tool is only used for security testing and research by security personnel. Any direct or indirect consequences and losses caused by unauthorized testing are the responsibility of the user.

如果觉得上面的内容有帮助的话，可以关注一下公众号

带回显版本的漏洞利用脚本

Related tags

Overview

CVE-2021-21978

0. 漏洞信息

1. 依赖

2. 检测

3. 漏洞利用

4. 参考链接

声明

Owner

3ky7in4

A terminal based web shell controller

An IDA pro python script to decrypt Qbot malware string

Salesforce Recon and Exploitation Toolkit

GRR Rapid Response: remote live forensics for incident response

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

Python APK Reverser & Patcher Tool

ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

Ini membuat tema berbasis bendera Indonesia with Python + Linux.py

Having a weak password is not good for a system that demands high confidentiality and security of user credentials

这次是可可萝病毒！

A collection of intelligence about Log4Shell and its exploitation activity

🍉一款基于Python-Django的多功能Web安全渗透测试工具，包含漏洞扫描，端口扫描，指纹识别，目录扫描，旁站扫描，域名扫描等功能。

解密哥斯拉webshell管理工具流量

Dumps the payload.bin image found in Android update images.

👑 Discovery Header DoD Bug-Bounty

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

compact and speedy hash cracker for md5, sha1, and sha256 hashes

Python Password Generator

IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).