关联漏洞
标题:
合勤科技 USG FLEX 操作系统命令注入漏洞
(CVE-2022-30525)
描述:Zyxel USG FLEX是中国合勤科技(Zyxel)公司的一款防火墙。提供灵活的 VPN 选项(IPsec、SSL 或 L2TP),为远程工作和管理提供灵活的安全远程访问。 合勤科技 USG FLEX 5.00版本至5.21版本、存在安全漏洞。攻击者利用该漏洞修改特定文件,在易受攻击的设备上执行一些操作系统命令。
介绍
# CVE-2022-30525_check
Description:
This script checks for the presence of the OS command injection vulnerability (CVE-2022-30525) in Zyxel USG FLEX devices running firmware versions 5.00 through 5.21 Patch 1. The vulnerability allows an attacker to modify specific files and execute OS commands on a vulnerable device.
Instructions for use:
- Ensure that Python 3 is installed on your system
- Download the script and save it to your local machine
- Open a command prompt or terminal window and navigate to the directory where the script is saved
- Run the script with the following command: "python CVE-2022-30525.py -t [TARGET_URL]"
- Replace [TARGET_URL] with the URL of the Zyxel USG FLEX device you wish to check
- The script will check the device for the vulnerability and print the result to the console.
Note:
- Make sure the device is reachable and you have the correct URL
Script will check for the vulnerability by sending a specific request with headers, it will check if the request get a 200 status code and if the headers contain a specific string, if not it will be considered safe.
文件快照
[4.0K] /data/pocs/08bd303a8a6a99715301530c59cdd6a9926f9192
├── [1.1K] CVE-2022-30525_check.py
├── [ 34K] LICENSE
└── [1.1K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。