bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/42931.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

26 lines
No EOL
1 KiB
Text
Raw Permalink Blame History

# Exploit Title: HBGK DVR V3.0.0 build20161206 - Authentication Bypass
# Date: 24-09-2017
# Vendor Homepage: http://www.hbgk.net/en/
# Exploit Author: RAT - ThiefKing
# Contact: https://www.facebook.com/cctvsuperpassword
# Website: http://tromcap.com
# Category: webapps
# Tested on: V2.3.1 build20160927, V3.0.0 build20161206
# Shodan Dork: NVR Webserver
1. Description
- Any registered user can login when edit cookie userInfo
2. Proof of Concept
- When login successful: DVR save cookie : userInfo + webport with
value: base64 encode (user:pass)
Ex: http://dvr-domain.dynns.com:85 --> When login successful (user:
admin, pass: admin), DVR will save cookie: userInfo85 with value
YWRtaW46YWRtaW4= (admin:admin <-- base64 decode)
But Dvr not check pass with cookie. When not yet login, you add a
cookie: userInfoXX (xx : web port) with value base64 encode (admin: any
words). And go url: http://dvr-domain.dynns.com:XX/doc/page/main.asp. It
will Authentication Bypass
3. Solution:
Update to Firmware version V3.0.0 build20170925
Reference in a new issue View git blame Copy permalink