Apache 1.3.28
tcp/443 tcp/8080
OpenSSL 0.9.8d
tcp/443 tcp/8080
mod_ssl 2.8.15
tcp/443 tcp/8080
This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities lead to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device
Severity: high
Fingerprint: 321975614123c6c05f83e99bfcf50f3cb1b66c21b1b66c21b1b66c21b1b66c21
Found HiSiliconDVR firmware: Hardware: General NBD7816T-F Vulnerable to multiple issues : LFI, possibly RCE
Open service 114.34.252.1:5000
2024-04-28 18:48
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rOpera.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rChrome.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rSafari.exec(ua); if (match != null) { return { browser : match[2] || "", version : match[1] || "0" }; } if (match != null) { return { browser : "", version : "0" }; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; if (ipaddress == "") { // ipaddress = "10.10.48.46"; // ipaddress = "10.2.2.88"; } var hostport=34567; var iLanguage=102; var numLanguage; var DownLoadAddr=""; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var g_bQS=false; var g_bClose=false; var gHashCookie = new Hash.Cookie('NetSuveillanceWebCookie',{duration: 30}); var settings = { username:'', ocxlanguage:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//��
Open service 114.34.252.1:5000
2024-04-26 05:12
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rOpera.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rChrome.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rSafari.exec(ua); if (match != null) { return { browser : match[2] || "", version : match[1] || "0" }; } if (match != null) { return { browser : "", version : "0" }; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; if (ipaddress == "") { // ipaddress = "10.10.48.46"; // ipaddress = "10.2.2.88"; } var hostport=34567; var iLanguage=102; var numLanguage; var DownLoadAddr=""; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var g_bQS=false; var g_bClose=false; var gHashCookie = new Hash.Cookie('NetSuveillanceWebCookie',{duration: 30}); var settings = { username:'', ocxlanguage:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//��
Open service 114.34.252.1:443
2024-04-26 04:52
HTTP/1.1 400 Bad Request Date: Fri, 26 Apr 2024 04:52:14 GMT Server: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.8d Connection: close Content-Type: text/html; charset=iso-8859-1 Page title: 400 Bad Request <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>400 Bad Request</TITLE> </HEAD><BODY> <H1>Bad Request</H1> Your browser sent a request that this server could not understand.<P> Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR> Instead use the HTTPS scheme to access this URL, please.<BR> <BLOCKQUOTE>Hint: <A HREF="https://114.34.252.1:443/"><B>https://114.34.252.1:443/</B></A></BLOCKQUOTE><P> <HR> <ADDRESS>Apache/1.3.28 Server at <A HREF="mailto:root@SMB">114.34.252.1</A> Port 443</ADDRESS> </BODY></HTML>
Open service 114.34.252.1:8080
2024-04-25 11:07
HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 11:07:47 GMT Server: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.8d Connection: close Transfer-Encoding: chunked Content-Type: text/html Page title: QNO <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <title>QNO</title> <script src="/sslvpn_content.js"></script> <script src="/nk.js"></script> <script src="/StrArray.js"></script> <script src="/menu.js"></script> <style type="text/css"> .BGbody1 { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; background-color: #94D429; } .BGbody2 { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } .CopyrightFont { font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: #FFFFFF; } form { margin: 0px; padding: 0px; } .Font9 { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 11px; color: #000000; } .Font9 input { height: 26px; width: 274px; border: 1px solid #C2C2C2; background-color: #F4F4F4; font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: #000000; padding-top: 5px; padding-right: 4px; padding-left: 4px; } .Font9 select { font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: #000000; width: 150px; border: 1px solid #C2C2C2; } .Font9_white { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 11px; color: #FFFFFF; } .Font12 { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 16px; color: #000000; line-height: 24px; } .Font12 input { height: 26px; width: 274px; border: 1px solid #C2C2C2; background-color: #F4F4F4; font-family: Arial, Helvetica, sans-serif; font-size: 15px; color: #000000; padding-top: 3px; padding-right: 4px; padding-left: 4px; } .Font12 select { font-family: Arial, Helvetica, sans-serif; font-size: 15px; color: #000000; width: 150px; border: 1px solid #C2C2C2; } #softkeyboard { padding-top:35px; padding-bottom:20px; } #softkeyboard2 { padding-top:35px; padding-bottom:20px; } .bbcenter{background-color:#F79B21;filter:progid:DXImageTransform.Microsoft.Gradient(GradientType=0,startColorstr=#ffF79B21, endColorstr=#ffE56B03);border: 1px solid #123f65;margin:2px;height:33px;vertical-align:center;} .bbcenteron{background-color:#f2b93F;filter:progid:DXImageTransform.Microsoft.Gradient(GradientType=0,startColorstr=#fff2b93F, endColorstr=#ffe97408);border: 1px solid #123f65;margin:2px;height:33px;vertical-align:center; cursor:hand;} .bbuttons{Font-size:16px;font-family:Verdana,Lucida Sans,Tahoma, sans-serif,Arial;text-align:center;font-weight: bold;margin:1px;color:#ffffff;backgr-ound-color:transparent;border-width:0px;padding:0px;cursor:hand;} </style> <script src="/QNOVirtual_Keyboard.js"></script> <script type="text/JavaScript"> var imgLogin0 = new Array("login_bt_on.gif","", "login_bt_on_cn.gif", "login_bt_on_tw.gif"); var imgLogin1 = new Array("login_bt_over.gif","", "login_bt_over_cn.gif", "login_bt_over_tw.gif"); function Entryfunction() { CheckAccount(); } function CheckAccount() { if(((window.location.href).split('err='))[1] == 'Login_Fail') alert(aAccountMsg); } // get parameter from url when refresh. add by lucy.jiang 20091021 function request(paras){ var url = location.href; var paraString = url.substring(url.indexOf("?")+1,url.length).split("&"); var paraObj = {} for (i=0; i<paraString.length; i++){ j=paraString[i]; paraObj[j.substring(0,j.indexOf("=")).toLowerCase()] = j.substring(j.indexOf("=")+1,j.length); } var returnValue = paraObj[paras.toLowerCase()]; if(typeof(returnValue)=="undefined"){ return ""; }else{ return returnValue; } } function SendPassword() { window.status="Login..."; document.form_contents.submit(); } softkeyboard.style.backgroundImage="url(/images/background.png)"; softkeyboard2.style.backgroundImage="url(/images/background.png)"; initCalc(); var keyborad = null; var temp_password=null; var browser_type=0; var hideflag=true; if (navigator.appName=='Netscape') browser_type=1; if (document.all) browser_type=2; function InitBG() { if(document.getElementById('background_enable').value == "1" ) { var bgobj1=document.getElementById('Background_pattern'); if( bgobj1 )
Open service 114.34.252.1:8080
2024-04-23 17:45
HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 17:45:38 GMT Server: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.8d Connection: close Transfer-Encoding: chunked Content-Type: text/html Page title: QNO <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <title>QNO</title> <script src="/sslvpn_content.js"></script> <script src="/nk.js"></script> <script src="/StrArray.js"></script> <script src="/menu.js"></script> <style type="text/css"> .BGbody1 { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; background-color: #94D429; } .BGbody2 { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } .CopyrightFont { font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: #FFFFFF; } form { margin: 0px; padding: 0px; } .Font9 { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 11px; color: #000000; } .Font9 input { height: 26px; width: 274px; border: 1px solid #C2C2C2; background-color: #F4F4F4; font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: #000000; padding-top: 5px; padding-right: 4px; padding-left: 4px; } .Font9 select { font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: #000000; width: 150px; border: 1px solid #C2C2C2; } .Font9_white { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 11px; color: #FFFFFF; } .Font12 { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 16px; color: #000000; line-height: 24px; } .Font12 input { height: 26px; width: 274px; border: 1px solid #C2C2C2; background-color: #F4F4F4; font-family: Arial, Helvetica, sans-serif; font-size: 15px; color: #000000; padding-top: 3px; padding-right: 4px; padding-left: 4px; } .Font12 select { font-family: Arial, Helvetica, sans-serif; font-size: 15px; color: #000000; width: 150px; border: 1px solid #C2C2C2; } #softkeyboard { padding-top:35px; padding-bottom:20px; } #softkeyboard2 { padding-top:35px; padding-bottom:20px; } .bbcenter{background-color:#F79B21;filter:progid:DXImageTransform.Microsoft.Gradient(GradientType=0,startColorstr=#ffF79B21, endColorstr=#ffE56B03);border: 1px solid #123f65;margin:2px;height:33px;vertical-align:center;} .bbcenteron{background-color:#f2b93F;filter:progid:DXImageTransform.Microsoft.Gradient(GradientType=0,startColorstr=#fff2b93F, endColorstr=#ffe97408);border: 1px solid #123f65;margin:2px;height:33px;vertical-align:center; cursor:hand;} .bbuttons{Font-size:16px;font-family:Verdana,Lucida Sans,Tahoma, sans-serif,Arial;text-align:center;font-weight: bold;margin:1px;color:#ffffff;backgr-ound-color:transparent;border-width:0px;padding:0px;cursor:hand;} </style> <script src="/QNOVirtual_Keyboard.js"></script> <script type="text/JavaScript"> var imgLogin0 = new Array("login_bt_on.gif","", "login_bt_on_cn.gif", "login_bt_on_tw.gif"); var imgLogin1 = new Array("login_bt_over.gif","", "login_bt_over_cn.gif", "login_bt_over_tw.gif"); function Entryfunction() { CheckAccount(); } function CheckAccount() { if(((window.location.href).split('err='))[1] == 'Login_Fail') alert(aAccountMsg); } // get parameter from url when refresh. add by lucy.jiang 20091021 function request(paras){ var url = location.href; var paraString = url.substring(url.indexOf("?")+1,url.length).split("&"); var paraObj = {} for (i=0; i<paraString.length; i++){ j=paraString[i]; paraObj[j.substring(0,j.indexOf("=")).toLowerCase()] = j.substring(j.indexOf("=")+1,j.length); } var returnValue = paraObj[paras.toLowerCase()]; if(typeof(returnValue)=="undefined"){ return ""; }else{ return returnValue; } } function SendPassword() { window.status="Login..."; document.form_contents.submit(); } softkeyboard.style.backgroundImage="url(/images/background.png)"; softkeyboard2.style.backgroundImage="url(/images/background.png)"; initCalc(); var keyborad = null; var temp_password=null; var browser_type=0; var hideflag=true; if (navigator.appName=='Netscape') browser_type=1; if (document.all) browser_type=2; function InitBG() { if(document.getElementById('background_enable').value == "1" ) { var bgobj1=document.getElementById('Background_pattern'); if( bgobj1 )
Open service 114.34.252.1:443
2024-04-23 11:55
HTTP/1.1 400 Bad Request Date: Tue, 23 Apr 2024 11:55:38 GMT Server: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.8d Connection: close Content-Type: text/html; charset=iso-8859-1 Page title: 400 Bad Request <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>400 Bad Request</TITLE> </HEAD><BODY> <H1>Bad Request</H1> Your browser sent a request that this server could not understand.<P> Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR> Instead use the HTTPS scheme to access this URL, please.<BR> <BLOCKQUOTE>Hint: <A HREF="https://114.34.252.1:443/"><B>https://114.34.252.1:443/</B></A></BLOCKQUOTE><P> <HR> <ADDRESS>Apache/1.3.28 Server at <A HREF="mailto:root@SMB">114.34.252.1</A> Port 443</ADDRESS> </BODY></HTML>
Open service 114.34.252.1:5000
2024-04-18 18:37
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rOpera.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rChrome.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rSafari.exec(ua); if (match != null) { return { browser : match[2] || "", version : match[1] || "0" }; } if (match != null) { return { browser : "", version : "0" }; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; if (ipaddress == "") { // ipaddress = "10.10.48.46"; // ipaddress = "10.2.2.88"; } var hostport=34567; var iLanguage=102; var numLanguage; var DownLoadAddr=""; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var g_bQS=false; var g_bClose=false; var gHashCookie = new Hash.Cookie('NetSuveillanceWebCookie',{duration: 30}); var settings = { username:'', ocxlanguage:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//��