Webs
tcp/81
This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, resulting in full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b2711ab76525057b7525057b7525057b7525057b7
Found HiSiliconDVR firmware: Hardware: General HI3516EV100_50H20L_S38 Vulnerable to multiple issues : LFI, possibly RCE
Open service 118.68.94.118:81
2024-09-11 21:09
HTTP/1.1 200 OK
Date: Thu, 12 Sep 2024 04:09:16 GMT
Server: Webs
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
ETag: "0-54f-1e1"
Content-Length: 481
Content-Type: text/html
Connection: close
Last-Modified: Thu, 18 Jun 2020 05:34:28 GMT

<!doctype html>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" >
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Cache-Control" content="no-cache, must-revalidate" />
<meta http-equiv="Expires" content="0" />
</head>
<body>
</body>
<script>
window.location.href = "./doc/page/login.asp?_" + (new Date()).getTime();
</script>
</html>
Open service 118.68.94.118:8080
2024-09-09 19:21
HTTP/1.1 200 OK
CONNECTION: close
Date: Tue, 10 Sep 2024 02:05:55 GMT
Last-Modified: Thu, 07 Jun 2018 15:56:11 GMT
Etag: "1528386971:62bc"
CONTENT-LENGTH: 25276
CACHE-CONTROL: max-age=0
P3P: CP=CAO PSA OUR
CONTENT-TYPE: text/html
Page title: WEB SERVICE