@MHaggis
Last active November 2, 2023 15:59

my fav one:

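```Score management-plane requests (TMUI and iControl REST paths) seen in the Web datamodel.
   tstats returns one row per distinct (url, dest, src, http_method, status) combination together
   with its event count; each row that hits one of the paths below scores 5, and the scores are
   summed per src/dest pair. A pair therefore needs more than 20 points, i.e. at least five
   distinct combinations, to be reported.```
| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
    Web.url="*/mgmt/tm/auth/user/*" 
    by Web.url, Web.dest, Web.src, Web.http_method, Web.status 
| `drop_dm_object_name("Web")`
```Rows whose http_method or status is null are dropped here; values() below would otherwise
   carry empty multivalue fields.```
| search http_method=* AND status=* 
```case() replaces the original nested if() chain: the first matching condition wins and a row
   scores 5 at most once. The two util/bash branches (POST and non-POST) score identically, so the
   method split carries no weight; it is kept so the conditions stay aligned with the other
   searches in this gist.```
| eval score=case(
          match(url, "/tmui/system/user/create(/jsp)?"), 5,
          match(url, "/tmui/system/user/list(/jsp)?"), 5,
          match(url, "mgmt/tm/util/bash") AND match(http_method, "POST"), 5,
          match(url, "/tmui/login.jsp"), 5,
          match(url, "/mgmt/shared/authn/login"), 5,
          match(url, "/mgmt/tm/util/bash") AND NOT match(http_method, "POST"), 5,
          true(), 0)
```sum(count) carries the tstats event count through to the result. A bare count here would only
   count the number of aggregated rows per src/dest pair, not the number of requests.```
| stats sum(score) as Score, values(url) as URLs, sum(count) as count, values(http_method) as http_methods, values(status) as statuses by src, dest
| where Score > 20
| sort - Score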
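```Per-event variant of the scoring search: from datamodel returns the underlying events rather
   than tstats aggregates, which is what makes _raw available for the final grouping. Each
   indicator below is an independent 0/5 flag; addtotals sums them into Score per event.```
| from datamodel Web.Web 
```Strip the dataset prefix as the tstats searches in this gist do. Without this the original eval
   expressions referenced Web.url unquoted, which eval parses as the concatenation of the fields
   Web and url (the dot is the concat operator), so no pattern could ever match. With the prefix
   removed the plain url, dest, src and http_method fields used below are consistent.```
| `drop_dm_object_name("Web")`
| eval createUser=if(match(url, "/tmui/system/user/create(/jsp)?"),5,0) 
| eval deleteUser=if(match(url, "/tmui/system/user/list(/jsp)?"),5,0) 
```exploitExecution and commandExecution split the util/bash hits on the presence of normalize_uri
   in the url; the two flags are mutually exclusive.```
| eval exploitExecution=if(match(url, "mgmt/tm/util/bash") AND match(url, "normalize_uri"),5,0) 
| eval loginBypassExploit=if(match(url, "/tmui/login.jsp"),5,0) 
| eval passwordChange=if(match(url, "/mgmt/tm/auth/user/[A-Fa-f0-9]+"),5,0) 
| eval authLogin=if(match(url, "/mgmt/shared/authn/login"),5,0) 
| eval commandExecution=if(match(url, "/mgmt/tm/util/bash") AND NOT match(url, "normalize_uri"),5,0) 
```addtotals takes a space-delimited field list; row totals are the default, so Score is the sum
   of the flags for each event.```
| addtotals fieldname=Score createUser deleteUser exploitExecution loginBypassExploit passwordChange authLogin commandExecution 
```NOTE(review): the flags are close to mutually exclusive for a single url, so a single event
   can rarely reach more than 10 points and this per-event threshold will most likely return
   nothing. The tstats searches in this gist apply the same threshold only after summing per
   src/dest; confirm whether that was the intent here before relying on this search.```
| where Score > 20 
| stats values(Score) by createUser, deleteUser, exploitExecution, loginBypassExploit, passwordChange, authLogin, commandExecution, dest, src, http_method, _raw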
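```Additive scoring variant: every indicator contributes 5 independently, so one tstats row can
   score more than 5 when its url matches several patterns. Scores are summed per
   (src, dest, http_method, status) and groups above 20 points are reported.```
| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
    Web.url="*/mgmt/tm/auth/user/*" 
    by Web.url, Web.dest, Web.src, Web.http_method, Web.status 
| `drop_dm_object_name("Web")`
```The two util/bash terms are mutually exclusive on normalize_uri, so a bash url scores 5 from
   exactly one of them.```
| eval score=if(match(url, "/tmui/system/user/create(/jsp)?"), 5, 0) +
              if(match(url, "/tmui/system/user/list(/jsp)?"), 5, 0) +
              if(match(url, "mgmt/tm/util/bash") AND match(url, "normalize_uri"), 5, 0) +
              if(match(url, "/tmui/login.jsp"), 5, 0) +
              if(match(url, "/mgmt/tm/auth/user/[A-Fa-f0-9]+"), 5, 0) +
              if(match(url, "/mgmt/shared/authn/login"), 5, 0) +
              if(match(url, "/mgmt/tm/util/bash") AND NOT match(url, "normalize_uri"), 5, 0)
```Drop rows that passed the tstats wildcard filter but matched none of the regexes.```
| where score > 0
```sum(count) carries the tstats event count through; a bare count here would only count the
   number of distinct urls per group, not the number of requests.```
| stats sum(score) as Score, values(url) as URLs, sum(count) as count by src, dest, http_method, status
| where Score > 20
| sort - Score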

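```Additive scoring variant: every indicator contributes 5 independently, so one tstats row can
   score more than 5 when its url matches several patterns. Scores are summed per
   (src, dest, http_method, status) and groups above 20 points are reported.```
| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
    Web.url="*/mgmt/tm/auth/user/*" 
    by Web.url, Web.dest, Web.src, Web.http_method, Web.status 
| `drop_dm_object_name("Web")`
```The two util/bash terms are mutually exclusive on normalize_uri, so a bash url scores 5 from
   exactly one of them.```
| eval score=if(match(url, "/tmui/system/user/create(/jsp)?"), 5, 0) +
              if(match(url, "/tmui/system/user/list(/jsp)?"), 5, 0) +
              if(match(url, "mgmt/tm/util/bash") AND match(url, "normalize_uri"), 5, 0) +
              if(match(url, "/tmui/login.jsp"), 5, 0) +
              if(match(url, "/mgmt/tm/auth/user/[A-Fa-f0-9]+"), 5, 0) +
              if(match(url, "/mgmt/shared/authn/login"), 5, 0) +
              if(match(url, "/mgmt/tm/util/bash") AND NOT match(url, "normalize_uri"), 5, 0)
```Drop rows that passed the tstats wildcard filter but matched none of the regexes.```
| where score > 0
```sum(count) carries the tstats event count through; a bare count here would only count the
   number of distinct urls per group, not the number of requests.```
| stats sum(score) as Score, values(url) as URLs, sum(count) as count by src, dest, http_method, status
| where Score > 20
| sort - Score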
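```Source-centric variant of the additive scoring search: status is left out of the tstats split
   and everything is summed per src, so a single client probing several dests or methods
   accumulates one Score. Groups above 20 points are reported.```
| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
    Web.url="*/mgmt/tm/auth/user/*" 
    by Web.url, Web.dest, Web.src, Web.http_method 
| `drop_dm_object_name("Web")`
```Every indicator adds 5 independently; the two util/bash terms are mutually exclusive on
   normalize_uri, so a bash url scores 5 from exactly one of them.```
| eval score=if(match(url, "/tmui/system/user/create(/jsp)?"), 5, 0) +
              if(match(url, "/tmui/system/user/list(/jsp)?"), 5, 0) +
              if(match(url, "mgmt/tm/util/bash") AND match(url, "normalize_uri"), 5, 0) +
              if(match(url, "/tmui/login.jsp"), 5, 0) +
              if(match(url, "/mgmt/tm/auth/user/[A-Fa-f0-9]+"), 5, 0) +
              if(match(url, "/mgmt/shared/authn/login"), 5, 0) +
              if(match(url, "/mgmt/tm/util/bash") AND NOT match(url, "normalize_uri"), 5, 0)
```Drop rows that passed the tstats wildcard filter but matched none of the regexes.```
| where score > 0
```sum(count) carries the tstats event count through; a bare count here would only count the
   number of distinct (url, dest, http_method) rows per src, not the number of requests.```
| stats sum(score) as Score, values(url) as URLs, sum(count) as count by src
| where Score > 20
| sort - Score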