hacker crack data
consult:@Mikelaotoo
VMware vCenter RCE Vulnerability Pitfalls Record — What Knowledge Can a Simple RCE Vulnerability Really Reveal

To avoid every pitfall and reproduce this vulnerability quickly, read 0x01 Vulnerability Environment Setup -> "Following the steps below will definitely succeed" and 0x02 Vulnerability PoC Construction -> "Following the steps below will definitely succeed".



Browse by problem
If you run into a similar issue, look here:

Environment setup always fails

See 0x01 Vulnerability Environment Setup -> Pitfall 1: Do not use the 7.0.x ISO image with this method; it has an unresolvable bug.

Pitfall 2: With the virtual machine's network adapter in NAT mode, the hostname cannot be saved.

Manually modifying the uploaded packet causes the upload to fail, and packaging with macOS tar also causes problems.

See 0x02 Vulnerability PoC Construction -> Pitfall 2: Why can't the packet simply be modified directly?
Penetrate backend permissions, database, server
Domestic and overseas sites APP script cracking customization
CNCF (Cloud Native Computing Foundation) mentions in its definition of cloud native that "representative technologies of cloud native include containers, service mesh, microservices, immutable infrastructure, and declarative APIs";

The vulnerabilities and exploitation techniques discussed today revolve closely around the technologies listed above and the architectures that have evolved from cloud-native technologies, including but not limited to containers, service mesh, microservices, immutable infrastructure, declarative APIs, serverless, function computing and DevOps. They also cover common security problems that development teams run into when using cloud-native open-source components, and when building on or extending them. We do not expand on the concept of "cloud native security" itself; every vulnerability mentioned comes with practical exploitation experience gathered by the Tencent Blue Team during internal and external offensive and defensive exercises and vulnerability hunting.

If you are not familiar with Kubernetes Pods, the configuration above is roughly equivalent to running the following docker commands on a business server where root privileges are wanted:
This video demonstrates how an unauthenticated attacker can access any user's files.


CVE-2023-49105: Privilege Escalation, Remote Code Execution
This vulnerability is unrelated to Docker, with a CVSS score of 9.8. It affects all ownCloud versions from 10.6.0 to 10.13.0. Unfortunately, ownCloud's announcement is not precise enough and only partially describes the impact on unauthenticated users.

The real impact is twofold:

Attackers without an account can control (CRUD) all files under any account. In some cases, they can even perform RCE.
Attackers with standard account credentials can escalate to admin and gain RCE.
Let's first start with the unauthenticated attack.

From Anonymous to User (and RCE)
When requests are made to certain parts of the site (including WebDAV and CalDAV), a user can authenticate by supplying a username and a signature. The signature is computed from the user's individual signing key and elements of the HTTP request (GET parameters, HTTP method, and so on). Unfortunately, users have no key set by default, in which case the signing key defaults to the empty string. As a result, an unauthenticated attacker who knows a username can impersonate that user.
Because 0xac9650d8 is the function selector of multicall, the call invokes the token contract's multicall function, and the data value it is handed is 0x42966c68000000000000000000000000000000000000000c9112ec16d958e8da8180000760dc1e0 43d99394a10605b2fa08f123d60faf84
Email/Mailing Group Sender
Features:
1. Function Operation Area
1.1 Supports bulk import of emails to be sent
1.2 The software supports automatic saving of configurations, automatically loading them on next startup, and automatically recording progress
1.3 The software supports multi-threaded mass mailing (Note: do not change the number of threads if you have fewer than 10 sending accounts)
1.4 The software has two sending interfaces, supports SMTP and COOKIE sending, and can also randomly select which interface to use
1.5 Supports backtesting function to monitor in real-time whether the email content is blocked; supports multiple backtest mailboxes to prevent false testing
1.6 Supports pause, resume, and configuration modification during sending process
1.7 Customizable sending delay, i.e., sending speed
1.8 Each table supports right-click menu operations
1.9 Supports sending one email per mailbox or multiple emails per mailbox
1.10 Email content supports adding attachments
1.11 Email content supports adding random Chinese characters, random letters, random numbers, date, and time
1.12 "Pending Data Processing" button supports converting a single email into multiple emails for sending with one click, and supports one-click writing into the pending send list
The process of discovering and bypassing JDK native deserialization vulnerabilities
In a recent penetration project, a Jetty service was found through nmap scanning.
Using dirsearch, the /metrics/ path was found, but nothing further could be scanned.
After logging in over RDP with a Windows account provided by the client, I found the service that opened this port, used Everything to locate a zip installation package, and copied it back for installation and analysis.
During installation I noticed an option to set a proxy and pointed it at my Burp address, in case it turned up something useful later.
After installation I added debugging parameters, then imported the dependent jar packages into IDEA for debugging and picked a few interesting breakpoints to start from.
No forceString: Deserialization getter / JNDI injection setter?
From studying "Exploring JNDI Attacks" by @浅蓝 at the 2022 Beijing Cybersecurity Conference, I learned that although RCE cannot be reached through forceString, other methods still allow sensitive operations.
The WordPress community recently experienced a serious security incident: a backdoor vulnerability was discovered in the LA-Studio Element Kit for Elementor plugin. This plugin is running on over 20,000 websites. The vulnerability, identified as CVE-2026-0920, has a CVSS score of 9.8 (Critical), allowing unauthorized attackers to immediately create an administrator account and thus gain complete control of the affected websites.