GobyVuls/Some_Hikvision_iVMS_file_upload_vulnerabilities.md

Some Hikvision iVMS file upload vulnerabilities

Vulnerability	Some Hikvision iVMS file upload vulnerabilities
Chinese name	海康威视部分iVMS系统存在文件上传漏洞
CVSS core	9.8
FOFA Query (click to view the results directly)	(body="class="enname">iVMS-4200" && body="laRemPassword") || (body="home/locationIndex.action?time=" && body="result.data.indexUrl;") || (body="//caoshiyan modify 2015-06-30 中转页面" && body="/home/locationIndex.action?time=" || body="home/licenseUpload.action") || (body="class="out"><a href="download/iVMS-") || ((body="tab-border code-iivms">" || body="login?service=" || body="/eop/common/css/reset.css" || header="/cms/web/gateway/"|| body="/cms/web/gateway/" || header="/login?service=" || title="iVMS") && header="Server: If you want know, you can ask me" && header!="404 Not Found") || (body="var uuid = "2b73083e-9b29-4005-a123-1d4ec47a36d5"; // 用于检测VMS是否超时, chenliangyf1") || (body="/cas/login" && body="js/login/login.service.js") || (body="daysOflicenseDatedWarn" && body="/cas/login") || (body="/ivms-ui/default/css/login.css") || (server="Apache-Coyote/1.1" && body="/baseui/js/plugins/ui/jquery.placeholder.js") || (body="/cas/static/js/jquery.placeholder.js") || (body="IVMS.files/logo.gif") || (body="license!getExpireDateOfDays.action" && body=" window.document.location = '/license!getExpireDateOfDays.action';") || (body="iVMS-A100" && title="登录") || (body="/error/browser.do" && body="/portal" && body="settings.skinStyle" && (body="src="/portal/common/js/commonVar.js" || body="nginxService/v1/download/InstallRootCert.exe"))
Number of assets affected	15294
Description	Hikvision-iVMS comprehensive security management platform is an "integrated", "digital" and "intelligent" platform, including video, alarm, access control, visitor, elevator control, inspection, attendance, consumption, parking lot, Video intercom and other subsystems. The attacker constructs a token arbitrarily by obtaining the key, and requests an interface to upload files arbitrarily, resulting in obtaining the webshell permission of the server and executing malicious code remotely.
Impact	Hikvision-iVMS comprehensive security management platform is an "integrated", "digital" and "intelligent" platform, including video, alarm, access control, visitor, elevator control, inspection, attendance, consumption, parking lot, Video intercom and other subsystems. The attacker constructs a token arbitrarily by obtaining the key, and requests an interface to upload files arbitrarily, resulting in obtaining the webshell permission of the server and executing malicious code remotely.