CVE-2022-22954 PoC — VMware 多款产品代码注入漏洞

Source

https://github.com/amit-pathak009/CVE-2022-22954

Associated Vulnerability

Title:VMware 多款产品代码注入漏洞 (CVE-2022-22954)
Description:VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Readme

## CVE-2022-22954 PoC
VMware Workspace ONE Access and Identity Manager RCE via SSTI. 

CVE-2022-22954 - PoC SSTI

Usage: 


```bash
CVE-2022-22954.py [-h] -m SET_MODE [-i IP] [-c CMD]
optional arguments:
  -h, --help            show this help message and exit
  -m SET_MODE, --mode SET_MODE
                        Available modes: shodan | file | manual
  -i IP, --ip IP        Host IP
  -c CMD, --cmd CMD     Command string
  ```
  ### Modes 
  - shodan: Retrieves IP list based on "http.favicon.hash:-1250474341" query 
  - file: Put your IP list in ips.txt 
  - manual: Pass IP and CMD arguments to -m manual mode 
  
  ### Disclaimer 
  This is just a PoC. Use it at wour own risk and not in production nor real  environments.  Don't ask me why the code is like this or if it's good or bad, I don't care. I'm not a cool programmer and my code is ugly. 

### Zoomeye CLI Dork:

```bash

zoomeye search 'iconhash:-1250474341'  -num 780  -filter=ip,port

zoomeye search 'banner:/SAAS/auth/login'  -num 900  -filter=ip,port
```

### Shodan CLI Dork:

```bash

shodan  search "http.favicon.hash:-1250474341" --fields=ip_str,port --separator ":" --limit 1000 | grep ''

shodan  search 'title:"Workspace ONE Access"' --fields=ip_str,port --separator ":" --limit 1000 | grep ''
```

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →