Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

F5 BIG-IP TMUI Remote Code Execution

Identifiers: CVE-2020-5902, CWE-78

CVE-2020-5902 is a critical remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI), also called the Configuration utility. Affected versions are BIG-IP 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. The vendor describes the flaw as affecting undisclosed TMUI pages and classifies it as command injection (CWE-78). Exploitation requires no authentication and yields arbitrary system command or Java code execution on the device. The vendor advisory states only the outcome (RCE in TMUI); the mechanism comes from public exploit modules, which use a path-traversal sequence (`/tmui/login.jsp/..;/`) to reach internal TMUI JSP utilities that read and write files and run tmsh commands without a session.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives complete control of the affected BIG-IP device: an attacker can execute arbitrary system commands and obtains code execution as root. Because TMUI is a management-plane component, this means full takeover of the appliance, deployment of web shells or other malware, persistence, theft of data (the public exploits read /config/bigip.conf and enumerate authentication users), and use of the device as a foothold into the networks it fronts. Widespread in-the-wild exploitation began shortly after disclosure, and CISA reported confirmed compromises.

Mitigation

If you can’t patch tonight, do this now.

Restrict exposure of the BIG-IP TMUI/Configuration utility so it is not reachable from untrusted networks or the public internet: limit management-plane access to dedicated administrative networks, VPN-restricted paths, or allowlisted hosts only. Monitor TMUI-related logs and network telemetry for exploit indicators; the public exploits listed below all send requests whose path contains the `..;` traversal sequence and ends in one of the internal JSP utilities (tmshCmd.jsp, fileRead.jsp, fileSave.jsp, directoryList.jsp), so those strings in the web server access logs are a concrete thing to search for. If the interface was exposed while unpatched, investigate for compromise rather than only blocking further access. Until remediation is complete, compensating controls should focus on disabling or tightly filtering external access to TMUI; a pattern filter on the literal exploit path is a weaker control than removing exposure.
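The following is an added example (not from this page's sources, from F5, or from any of the exploit repositories listed below). It models, in simplified form, why the `/tmui/login.jsp/..;/` sequence used by the public exploits slips past a prefix-based front-end check while the servlet container behind it resolves the same path to an internal JSP, and then runs that logic as a detector over constructed access-log lines. The JSP names are the ones named in the exploit write-ups on this page; the two components' parsing behaviour, the log lines and the IP addresses are assumptions for illustration, not a description of BIG-IP internals.

```python
"""Added example, not code from this page or from F5: a model of the
front-end/back-end path parsing mismatch behind CVE-2020-5902, plus a
detector that applies it to access-log lines."""
import re
from urllib.parse import unquote

# Internal JSP utilities named in the exploit write-ups on this page.
SENSITIVE_JSPS = {"tmshCmd.jsp", "fileRead.jsp", "fileSave.jsp", "directoryList.jsp"}

# Assumption for the model: the login page prefix is reachable without a
# session, and the front-end decides that from the normalized path prefix.
UNAUTH_PREFIX = "/tmui/login.jsp"


def _resolve(segments):
    """Resolve '.' and '..' segments the way a path normalizer would."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def frontend_path(raw_path: str) -> str:
    """Front-end model: decodes and resolves plain '..' but treats '..;' as
    an ordinary segment name, because ';' means nothing to it."""
    return _resolve(unquote(raw_path).split("/"))


def servlet_path(raw_path: str) -> str:
    """Back-end model: decodes, strips a ';param' suffix from every segment
    (so '..;' becomes '..'), then resolves.  Real containers differ in
    details; the ';' handling is the point."""
    return _resolve(seg.split(";", 1)[0] for seg in unquote(raw_path).split("/"))


def frontend_allows(raw_path: str) -> bool:
    return frontend_path(raw_path).startswith(UNAUTH_PREFIX)


def confused_deputy(raw_path: str) -> bool:
    """True when the front-end waves the request through as the login page
    while the back-end lands on one of the sensitive JSPs."""
    return frontend_allows(raw_path) and servlet_path(raw_path).rsplit("/", 1)[-1] in SENSITIVE_JSPS


# Constructed access-log lines in common log format; not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4821
203.0.113.7 - - [05/Jul/2020:10:01:13 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1033
203.0.113.7 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 512
198.51.100.2 - - [05/Jul/2020:10:02:00 +0000] "GET /tmui/tmui/login.jsp HTTP/1.1" 200 4821
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_exploit_attempts(log_text: str):
    """Return (source, path, reason) for each line that looks like a
    CVE-2020-5902 attempt.  The path is percent-decoded before matching so
    an encoded ';' does not evade the check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if "..;" in unquote(path):
            hits.append((m.group("src"), path, "path-parameter traversal '..;'"))
        elif confused_deputy(path):
            hits.append((m.group("src"), path, "resolves to sensitive TMUI JSP"))
    return hits


if __name__ == "__main__":
    for src, path, why in find_exploit_attempts(SAMPLE_LOG):
        print(f"{src}  {why}\n    {path}")
```

Running it prints the two flagged lines from the constructed log. The model keeps the important property rather than the exact on-disk mapping: after back-end normalization the request no longer sits under the unauthenticated login page, while a plain `..` (no `;`) is normalized by the front-end too and therefore never gets that free pass, which is why the published exploits need the `..;` form. A hit from an untrusted source address against a TMUI that was reachable while unpatched is a compromise investigation, not just an alert.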

Remediation

Patch, then assume compromise.

Apply the vendor fix for CVE-2020-5902 by upgrading every affected BIG-IP to a fixed release for its branch; F5 issued the patch on June 30, 2020. Because in-the-wild exploitation and public proof-of-concept code followed shortly after disclosure, patching is urgent, and any device that was reachable while unpatched should be treated as potentially compromised even after the upgrade: look for web shells, unexpected accounts and configuration changes, since the patch closes the entry point but removes nothing an attacker already left behind.
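As an added example (not F5 tooling and not code from this page), the check below maps BIG-IP version strings onto the affected ranges listed above so an inventory export can be triaged. The ranges are exactly the ones stated on this page; the first fixed build for each branch is not listed here and the code deliberately does not guess it. Tolerating tmsh-style strings such as `BIG-IP 15.1.0.3 Build 0.0.6` is an assumption about what an inventory export looks like, as are the hostnames and versions in the constructed inventory.

```python
"""Added example, not F5 tooling or code from this page: triage BIG-IP
version strings against the CVE-2020-5902 affected ranges given on this
page (both ends of each range inclusive)."""
import re
from typing import Iterable, List, Optional, Tuple

# Affected ranges exactly as listed on this page.  Fixed releases are not
# listed on the page, so nothing here claims what the first fixed build is.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("15.0.0", "15.1.0.3"),
    ("14.1.0", "14.1.2.5"),
    ("13.1.0", "13.1.3.3"),
    ("12.1.0", "12.1.5.1"),
    ("11.6.1", "11.6.5.1"),
]

_VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the first dotted version out of a string and pad it to four
    components so '15.1.0' and '15.1.0.0' compare equal.  Accepting
    surrounding text such as 'BIG-IP 15.1.0.3 Build 0.0.6' is an assumption
    about how inventory exports look, not a parser for any F5 format."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) affected range containing `version`, or None.
    A branch that is not listed at all (for example 16.x) returns None;
    that means 'not in the published ranges', not 'verified fixed'."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, Tuple[str, str]]]:
    """Keep only the hosts whose version falls inside an affected range."""
    needs_fix = []
    for host, version in inventory:
        rng = affected_range(version)
        if rng is not None:
            needs_fix.append((host, version, rng))
    return needs_fix


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP 15.1.0.3 Build 0.0.6"),
    ("lb-edge-02", "15.1.0.4"),
    ("lb-dmz-01", "14.1.2.5"),
    ("lb-lab-01", "13.1.3.3"),
    ("lb-legacy-01", "11.6.0"),
    ("lb-new-01", "16.0.0"),
]

if __name__ == "__main__":
    for host, version, (low, high) in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is inside {low}-{high}; needs the CVE-2020-5902 fix")
```

Upper bounds are inclusive because the page lists the ranges that way (15.1.0.3 is affected, 15.1.0.4 is not matched). A host that falls outside every range is only "not in the published ranges"; confirm the branch against the vendor advisory before treating it as clean, and remember that a patched device that was exposed still needs the compromise assessment described above.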
PUBLIC EXPLOITS

Exploits

6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (14 hidden).

Valid: 6 / 20 total
CVE-2020-5902 (maturity: PoC; verified exploit)

Repository contains a single Python proof-of-concept exploit script and a detailed README for CVE-2020-5902 (F5 BIG-IP TMUI). The exploit is a network-based, unauthenticated attack against the BIG-IP management interface (TMUI) leveraging a traversal sequence in the path (`/tmui/login.jsp/..;/...`) to reach internal JSP utilities.

Structure/purpose:
- `CVE-2020-5902.py`: Standalone Python3 CLI tool using `requests` with TLS verification disabled. Provides two exploit primitives: (1) `file_read(target, filepath)` sends a GET request to `.../workspace/fileRead.jsp?fileName=...` to retrieve arbitrary file contents; (2) `command_exec(target, cmd)` sends a GET request to `.../workspace/tmshCmd.jsp?command=...` with a URL-encoded tmsh command `run util bash -c '<cmd>'`, enabling arbitrary OS command execution (RCE). Prints the response body as output. The script takes `--target`, `--mode {read,exec}`, and either `--file` or `--command`.
- `README.md`: Explains impact and affected versions, and provides usage examples including reading `/etc/passwd` and `/config/bigip.conf` and executing commands or a reverse shell.

Overall, this is an operational PoC exploit (not just detection) that can directly read files and execute commands on vulnerable F5 BIG-IP TMUI instances exposed over HTTP(S), typically on ports 443/8443.

zaryouhashraf, disclosed Mar 3, 2026. Tags: python, markdown, network
F5-BIG-IP-POC (maturity: PoC; verified exploit)

This repository is a collection of proof-of-concept (PoC) exploits for three critical vulnerabilities affecting F5 BIG-IP devices: CVE-2020-5902, CVE-2021-22986, and CVE-2022-1388. The code is written in Go and consists of four main files: one for each CVE and a main orchestrator (F5.go). The main entry point (F5.go) parses command-line arguments for the target URL and command to execute, then sequentially tests each vulnerability.
- The CVE-2020-5902 exploit attempts to read the /etc/passwd file via a crafted HTTP GET request, reporting a successful exploit if the file is retrieved.
- The CVE-2021-22986 and CVE-2022-1388 exploits send crafted HTTP POST requests to the /mgmt/tm/util/bash endpoint, attempting to execute arbitrary shell commands (default is 'id', customizable via the -c flag).

The repository is intended for authorized security research and includes a README with usage instructions and vulnerability descriptions. No hardcoded IPs or domains are present; the user must supply the target URL. The attack vector is network-based, targeting exposed F5 BIG-IP management interfaces over HTTPS.

west9b, disclosed May 28, 2022. Tags: go, network
f5-bigip-rce-cve-2020-5902 (maturity: PoC; verified exploit)

This repository provides a Python exploit script (f5-bigip-rce-cve-2020-5902.py) targeting the F5 BIG-IP TMUI remote code execution vulnerability (CVE-2020-5902). The script supports both single and batch IP testing, and offers multiple exploitation features: checking for the vulnerability, reading and writing arbitrary files, listing authentication users, listing directories, executing arbitrary shell commands (RCE), and checking for hsqldb authentication bypass. The main exploit leverages HTTP requests with crafted paths to exploit path traversal and command injection vulnerabilities in the TMUI component. The repository includes a README with detailed usage instructions, a sample IP list (1-2-f5.txt), and result directories for batch operations. The exploit is operational and can be used to gain unauthorized access and execute commands on vulnerable F5 BIG-IP systems.

theLSA, disclosed Jul 10, 2020. Tags: python, network
cve-2020-5902 (maturity: PoC; verified exploit)

This repository contains a Python proof-of-concept exploit for CVE-2020-5902, a critical path traversal vulnerability in F5 BIG-IP devices. The main script, 'cve-2020-5902.py', allows an attacker to:
- Check if a target URL is vulnerable by attempting to read /etc/passwd and looking for the 'root' user.
- Read arbitrary files from the target system by specifying a file path.
- Download multiple files in bulk from a list (provided in 'files.txt').
- Enumerate users and hostnames by reading /etc/passwd and /etc/hosts.
- Scan a list of IPs/URLs to check for vulnerable hosts.

The exploit works by sending crafted HTTP GET requests to a vulnerable endpoint on the target, exploiting the path traversal to access sensitive files. The repository includes a README with usage instructions, the main exploit script, and a sample file list ('files.txt') containing common Linux file paths to target. The exploit is a functional PoC and does not include weaponized payloads beyond file reading.

r0ttenbeef, disclosed Jul 6, 2020. Tags: python, network
CVE-2020-5902 (maturity: PoC; verified exploit)

This repository provides a working exploit for CVE-2020-5902, a critical unauthenticated remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI). The main exploit script, CVE-2020-5902.py, is a Python tool that chains several vulnerable endpoints in the TMUI web interface to achieve arbitrary command execution as root. The exploit works by abusing directory traversal in the URL to access internal JSP endpoints (tmshCmd.jsp, fileSave.jsp, fileRead.jsp, directoryList.jsp) that allow for command execution, file read/write, and directory listing. The script is interactive, allowing the user to specify arbitrary shell commands to execute on the target. The repository also includes Java source files that appear to be decompiled or reference implementations of the vulnerable endpoints, providing insight into the backend logic of the TMUI interface. The README.md provides detailed usage instructions, example requests, and references to related exploits and mitigations. The exploit is operational and can be used to fully compromise vulnerable F5 BIG-IP systems with exposed management interfaces.

jas502n, disclosed Jul 5, 2020. Tags: python, java, network
CVE-2020-5902 (maturity: PoC; verified exploit)

This repository contains a Python exploit script (CVE-2020-5902.py) targeting the F5 Big-IP vulnerability CVE-2020-5902. The script allows an attacker to exploit the vulnerability in two ways: (1) Local File Read (LFR), which fetches arbitrary files from the target system, and (2) Remote Command Execution (RCE), which executes arbitrary commands on the target device. The script takes command-line arguments to specify the target host, exploit type, command to execute, and file to read. It constructs and sends crafted HTTPS requests to vulnerable endpoints on the F5 Big-IP management interface. The repository also includes a README.md with usage instructions and a requirements.txt listing dependencies (requests, urllib3). The exploit is operational and provides real attack capabilities against vulnerable F5 Big-IP devices.

dunderhay, disclosed Jul 6, 2020. Tags: python, network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product                                    Type
F5       Big-Ip Access Policy Manager               application
F5       Big-Ip Advanced Firewall Manager           application
F5       Big-Ip Advanced Web Application Firewall   application
F5       Big-Ip Analytics                           application
F5       Big-Ip Application Acceleration Manager    application
F5       Big-Ip Application Security Manager        application
F5       Big-Ip Ddos Hybrid Defender                application
F5       Big-Ip Domain Name System                  application
F5       Big-Ip Fraud Protection Service            application
F5       Big-Ip Global Traffic Manager              application
F5       Big-Ip Link Controller                     application
F5       Big-Ip Local Traffic Manager               application
F5       Big-Ip Policy Enforcement Manager          application
F5       Ssl Orchestrator                           application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

Exposure mapping: query your assets running an affected version, and investigate the blast radius.
Threat actor evidence (7): every observed campaign linking this CVE to a named adversary.
Associated malware (8): malware families riding this exploit, with evidence and IOCs.
Detection signatures (2): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
Social activity (6): community discussion across Reddit, Mastodon, and other social sources.