horizon3ai / vcenter_saml_login

A tool to extract the IdP cert from vCenter backups and log in as Administrator
MIT License

An error is reported when the script is running #14

Open Chinakentgao opened 2 years ago

Chinakentgao commented 2 years ago

root@kent:~/CVE-2021-22005-exp# python3 vcenter_saml_login.py -p data.mdb -t xxx.xx.xxx.xxx
[] Successfully extracted the IdP certificate
[] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,CN=e4ed3720-803d-4d2e-bbd1-3b5221182357,CN=Ldus,CN=ComponentManager,DC=vsphere,DC=local
[] Domain: vsphere.local
[] Successfully extracted trusted certificate 1
[] Successfully extracted trusted certificate 2
[] Obtaining hostname from vCenter SSL certificate
[] Found hostname vcenter.tech.zone for xxx.xx.xxx.xxx
[] Initiating SAML request with xxx.xx.xxx.xxx
[] Generating SAML assertion
[] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[-] Failed logging in with SAML request
Traceback (most recent call last):
  File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 350, in
    c = login(args.target, s)
  File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 300, in login
    raise Exception("expected 302 redirect")
Exception: expected 302 redirect

xxx.xx.xxx.xxx is an Internet IP.

scopedsecurity commented 2 years ago

Hello, in newer versions of vCenter they have added a new request parameter that we have not tested well enough that will cause this behavior. If you check out the pull request here, https://github.com/horizon3ai/vcenter_saml_login/pull/13, I believe it may address your issue.

Chinakentgao commented 2 years ago

> Hello, in newer versions of vCenter they have added a new request parameter that we have not tested well enough that will cause this behavior. If you check out the pull request here, #13, I believe it may address your issue.

Traceback (most recent call last):
  File "/root/CVE-2021-22005-exp/vcenter7.0.3_saml_login.py", line 354, in
    req, relaystate = saml_request(args.target)
  File "/root/CVE-2021-22005-exp/vcenter7.0.3_saml_login.py", line 246, in saml_request
    return etree.fromstring(req), parse_qs(o.query)["RelayState"][0]
KeyError: 'RelayState'

scopedsecurity commented 2 years ago

Do you have any additional information about the version of vCenter running? Can you inspect the traffic of a normal login to ensure the request parameters haven't changed for this version? If they have, you should be able to edit the request to include the necessary so it won't be redirected.

Chinakentgao commented 2 years ago

> Do you have any additional information about the version of vCenter running? Can you inspect the traffic of a normal login to ensure the request parameters haven't changed for this version? If they have, you should be able to edit the request to include the necessary so it won't be redirected.

I'm sorry, this is the test goal of a project I'm responsible for. The owner didn't provide me with any information about vCenter. Because I can't log in, the current information is basically not available.

barrett092 commented 2 years ago

I am getting the 302 redirect error as well.

barrett092 commented 2 years ago

> Hello, in newer versions of vCenter they have added a new request parameter that we have not tested well enough that will cause this behavior. If you check out the pull request here, #13, I believe it may address your issue.

This worked :)