daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

minor update

patch-1
Dhiyaneshwaran 2023-08-24 17:14:56 +05:30 committed by GitHub
parent 9fc5093a3a
commit 3e8c8533b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
http/vulnerabilities/hikvision/hikvision-ivms-file-upload-bypass.yaml
View File

@ -1,15 +1,19 @@
id: hikvision-ivms-file-upload-bypass
info:
name: hikvision-ivms-file-upload-bypass
name: Hikvison iVMS - File Upload Bypass
author: SleepingBag945
severity: critical
description: Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
severity: high
description: |
Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
reference:
- https://blog.csdn.net/qq_41904294/article/details/130807691
- https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/%E6%B5%B7%E5%BA%B7%E5%A8%81%E8%A7%86%E5%B8%B8%E8%A7%81%E6%BC%8F%E6%B4%9E%E6%B1%87%E6%80%BB.md
- https://github.com/MD-SEC/MDPOCS/blob/main/Hikvison_iSecure_Center_ResourceOperations_Upload_File_Poc.py
metadata:
verified: true
fofa-query: icon_hash="-911494769"
max-request: 1
tags: hikvision,ivms,intrusive,fileupload,auth-bypass
http:
@ -25,5 +29,6 @@ http:
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'errorMessage') && contains(body_1,'The current request is not a multipart request')"
- "status_code == 200"
- "contains(body,'errorMessage') && contains(body,'The current request is not a multipart request')"
condition: and