HBGK DVR 3.0.0 build20161206 – Authentication Bypass

• Exploit Database
• 13 阅读

• 作者： RAT - ThiefKing
  日期： 2017-09-24
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/42931/

• # Exploit Title: HBGK DVR V3.0.0 build20161206- Authentication Bypass
  # Date: 24-09-2017
  # Vendor Homepage: http://www.hbgk.net/en/
  # Exploit Author: RAT - ThiefKing
  # Contact: https://www.facebook.com/cctvsuperpassword
  # Website: http://tromcap.com
  # Category: webapps
  # Tested on: V2.3.1 build20160927, V3.0.0 build20161206
  # Shodan Dork: NVR Webserver
  
  1. Description
  - Any registered user can login when edit cookie userInfo
  
  2. Proof of Concept
  - When login successful: DVR save cookie : userInfo + webport with 
  value: base64 encode (user:pass)
  Ex: http://dvr-domain.dynns.com:85 --> When login successful (user: 
  admin, pass: admin), DVR will save cookie: userInfo85 with value 
  YWRtaW46YWRtaW4= (admin:admin <-- base64 decode)
  But Dvr not check pass with cookie. When not yet login, you add a 
  cookie: userInfoXX (xx : web port) with value base64 encode (admin: any 
  words). And go url: http://dvr-domain.dynns.com:XX/doc/page/main.asp. It 
  will Authentication Bypass
  
  3. Solution:
  Update to Firmware version V3.0.0 build20170925