httpd
tcp/8080
uc-httpd 1.0.0
tcp/80
This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities lead to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device
Severity: high
Fingerprint: 321975614123c6c05f83e99b9ef7d2d583a0925683a0925683a0925683a09256
Found HiSiliconDVR firmware: Hardware: General TVI9708H_H Vulnerable to multiple issues : LFI, possibly RCE
Open service 190.17.96.54:80
2024-04-30 19:36
HTTP/1.1 200 OK Content-type: text/html Server: uc-httpd/1.0.0 Cache-Control: max-age=2592000 Connection: Close Page title: Web Client <!DOCTYPE html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="stylesheet" type="text/css" href="m.css" /> <title>Web Client</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(!(navigator.userAgent.indexOf("MSIE") >= 0 ||navigator.userAgent.indexOf("Trident") >=0)) { if(navigator.userAgent.indexOf("Mac OS X")>0)//mac操作系统 { location.href="Login.htm"; } else { location.href="Findex.htm"; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; var hostport=3333; var iLanguage=104; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var gHashCookie = new Hash.Cookie('WebClientCookie',{duration: 30}); var settings = { username:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//这里有待选中消息的传递 { sldtopos(gslda,parseInt(0)); sldtopos(gsldb,parseInt(0)); sldtopos(gsldc,parseInt(0)); sldtopos(gsldd,parseInt(0)); setcolorsv(1,parseInt(0)); setcolorsv(2,parseInt(0)); setcolorsv(3,parseInt(0)); setcolorsv(4,parseInt(0)); } } function txreset(step){ setcolorsv(1,step); setcolorsv(2,step); setcolorsv(3,step); setcolorsv(4,step); sldtopos(gslda,step); sldtopos(gsldb,step); sldtopos(gsldc,step); sldtopos(gsldd,step); setcolors(); } function setcolors(){ ocx.SetColor(0,gca,gcb,gcc,gcd); } </script> <!-- 设备通道 --> <script type="text/javascript"> function tl(s){ var ret; ret=ocx.Translate(s); return ret; }//moving here for later function function ca(o,ch) { var oc; if ($(o).hasClass('cl1')){ if (ocx.StartRealPlay(ch,0,0)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl2'); } } else{ if (ocx.StopPlayReal(ch)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl1'); } } } function getcl(){ g_digitalChannel=ocx.GetDeviceState(1,0); var t= new Array(); var ts=new Array(); var titles=new Array(); titles[0]=tl('Desktop.LocalRecord'); titles[1]=tl('Desktop.ExtStream'); titles[2]=tl('Desktop.MainStream'); titles[3]=tl('Desktop.StartTalk'); titles[4]=tl('WebTitle.DigitalChannel'); var shtml=""; shtml+="<li id='Talk' ><a title='"+titles[3]+"' id='talking' class='noT' href='javascript:;' onclick='Ontalk()' ></a><span id='logoString' style='margin:0 5px 0 3px;'>NetSurveillance</span></li> " var strsplita=String.fromCharCode(16); var strsplitb=String.fromCharCode(9); var sc; sc=ocx.GetChannelName(); if (sc !=""){ sc=sc.substr
Open service 190.17.96.54:80
2024-04-28 17:54
HTTP/1.1 200 OK Content-type: text/html Server: uc-httpd/1.0.0 Cache-Control: max-age=2592000 Connection: Close Page title: Web Client <!DOCTYPE html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="stylesheet" type="text/css" href="m.css" /> <title>Web Client</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(!(navigator.userAgent.indexOf("MSIE") >= 0 ||navigator.userAgent.indexOf("Trident") >=0)) { if(navigator.userAgent.indexOf("Mac OS X")>0)//mac操作系统 { location.href="Login.htm"; } else { location.href="Findex.htm"; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; var hostport=3333; var iLanguage=104; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var gHashCookie = new Hash.Cookie('WebClientCookie',{duration: 30}); var settings = { username:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//这里有待选中消息的传递 { sldtopos(gslda,parseInt(0)); sldtopos(gsldb,parseInt(0)); sldtopos(gsldc,parseInt(0)); sldtopos(gsldd,parseInt(0)); setcolorsv(1,parseInt(0)); setcolorsv(2,parseInt(0)); setcolorsv(3,parseInt(0)); setcolorsv(4,parseInt(0)); } } function txreset(step){ setcolorsv(1,step); setcolorsv(2,step); setcolorsv(3,step); setcolorsv(4,step); sldtopos(gslda,step); sldtopos(gsldb,step); sldtopos(gsldc,step); sldtopos(gsldd,step); setcolors(); } function setcolors(){ ocx.SetColor(0,gca,gcb,gcc,gcd); } </script> <!-- 设备通道 --> <script type="text/javascript"> function tl(s){ var ret; ret=ocx.Translate(s); return ret; }//moving here for later function function ca(o,ch) { var oc; if ($(o).hasClass('cl1')){ if (ocx.StartRealPlay(ch,0,0)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl2'); } } else{ if (ocx.StopPlayReal(ch)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl1'); } } } function getcl(){ g_digitalChannel=ocx.GetDeviceState(1,0); var t= new Array(); var ts=new Array(); var titles=new Array(); titles[0]=tl('Desktop.LocalRecord'); titles[1]=tl('Desktop.ExtStream'); titles[2]=tl('Desktop.MainStream'); titles[3]=tl('Desktop.StartTalk'); titles[4]=tl('WebTitle.DigitalChannel'); var shtml=""; shtml+="<li id='Talk' ><a title='"+titles[3]+"' id='talking' class='noT' href='javascript:;' onclick='Ontalk()' ></a><span id='logoString' style='margin:0 5px 0 3px;'>NetSurveillance</span></li> " var strsplita=String.fromCharCode(16); var strsplitb=String.fromCharCode(9); var sc; sc=ocx.GetChannelName(); if (sc !=""){ sc=sc.substr
Open service 190.17.96.54:8080
2024-04-23 12:33
HTTP/1.1 200 Ok Server: httpd Date: Tue, 23 Apr 2024 13:33:38 GMT Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-Type: text/html Connection: close <!-- # Copyright (C) 2009, CyberTAN Corporation # All Rights Reserved. # # THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY # KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN # SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS # FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE. --> <HTML ><HEAD><TITLE></TITLE> <meta http-equiv="expires" content="0"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <style type="text/css">/*<![CDATA[*/ @import "main.css"; /*]]>*/</style> <script type="text/javascript" src="jquery.js"></script> <script type="text/javascript" src="main.js"></script> <!--script language="javascript" type="text/javascript" src="gn_filelink.js"></script--> <script src=/common.js></script> <SCRIPT language=javascript type=text/javascript src=/es_lang_pack/share.js></SCRIPT> <SCRIPT language=javascript type=text/javascript src=/es_lang_pack/capsetup.js></SCRIPT> <SCRIPT language=javascript type=text/javascript src=/es_lang_pack/capwrt54g.js></SCRIPT> <SCRIPT language=JavaScript> document.title = session.title; /* * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message * Digest Algorithm, as defined in RFC 1321. * Version 2.1 Copyright (C) Paul Johnston 1999 - 2002. * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet * Distributed under the BSD License * See http://pajhome.org.uk/crypt/md5 for more info. */ /* * Configurable variables. You may need to tweak these to be compatible with * the server-side, but the defaults work in most cases. */ var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */ var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */ /* * These are the functions you'll usually want to call * They take string arguments and return either hex or base-64 encoded strings */ function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));} function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));} function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));} function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); } function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); } function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); } /* * Perform a simple self-test to see if the VM is working */ function md5_vm_test() { return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"; } /* * Calculate the MD5 of an array of little-endian words, and a bit length */ function core_md5(x, len) { /* append padding */ x[len >> 5] |= 0x80 << ((len) % 32); x[(((len + 64) >>> 9) << 4) + 14] = len; var a = 1732584193; var b = -271733879; var c = -1732584194; var d = 271733878; for(var i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var oldc = c; var oldd = d; a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936); d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586); c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819); b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330); a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897); d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426); c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341); b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983); a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416); d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417); c = md5_ff(c, d, a, b, x[i+10], 17, -42063); b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162); a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682); d = md5_ff(d, a, b, c, x[i+13], 12, -40341101); c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290); b = m