Command Injection in Hikvision Web Server /SDK/webLanguage
CVE-2021-36260 is a remote command injection vulnerability in the web server component of certain Hikvision products, including internet-exposed cameras and related OEM derivatives. The sources tracked here state that the flaw affects the /SDK/webLanguage endpoint and is caused by insufficient input validation, allowing attacker-supplied data to be interpreted as operating system commands. Multiple sources characterize it as a command injection issue in Hikvision's web server component, and VulnCheck specifically notes exploitation via HTTP PUT requests to /SDK/webLanguage. The vulnerability has been widely exploited in the wild, including by botnets and state-linked operators, and public exploit code and a Metasploit module are available.
Exploits
12 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a Python-based Hikvision exposure scanner and exploit utility aimed at identifying unauthenticated access issues and exploiting CVE-2021-36260 on Hikvision devices. The structure is modular: checker.py is a thin launcher; cli.py handles argument parsing, threading, logging, and orchestration; config.py defines constants and vulnerable endpoint paths; exploit.py implements the HTTP client, AES-ECB plus XOR configuration decryption helpers, XML parsing, and the CVE-2021-36260 checks; scanner.py performs host probing, endpoint collection, artifact saving, credential extraction, reporting, and optional nuclei execution; api.py exposes a simple embeddable scan_target() API; shell.sh provides a post-exploitation interactive command shell; nuclei-template.yaml is a detection template for quick endpoint exposure checks. Main capabilities: (1) probes supplied IP:PORT targets over TCP and HTTP; (2) checks unauthenticated snapshot access at /onvif-http/snapshot?auth=YWRtaW46MTEK and saves JPEGs; (3) retrieves device information and user XML from Hikvision endpoints; (4) downloads /System/configurationFile?auth=YWRtaW46MTEK, decrypts it using a hardcoded AES key and XOR routine, and attempts to recover credentials such as admin passwords; (5) tests CVE-2021-36260 in two ways: header-based auth bypass against /Security/users and command injection via PUT /SDK/webLanguage; (6) confirms RCE by writing a file under webLib and fetching it over HTTP; and (7) offers an interactive bash shell helper that repeatedly injects commands and reads output from a web-accessible file. Although the repository includes a nuclei template, it is not only a framework template repository; it contains standalone exploit code and a shell helper. The exploit is operational rather than just a PoC because it includes working payloads, artifact handling, credential extraction, and an interactive post-exploitation script, but payload customization is still fairly basic and hardcoded.
Repository contains two standalone Python exploit tools targeting Hikvision devices:
1) 2017/CVE-2017-7921.py (Hikvision information disclosure/auth bypass):
- Performs unauthenticated HTTP requests using a hardcoded base64 auth token (auth=YWRtaW46MTEK) to ISAPI-style endpoints.
- Verifies exposure by requesting /Security/users and then downloads /System/configurationFile.
- Implements offline decryption of the configuration export using AES-ECB with a hardcoded key (279977f62f6cfd2d91cd75b889ce0c9a) followed by XOR (0x73 0x8B 0x55 0x44) to recover plaintext and extract credentials (looks for the 'admin' token and the subsequent password token).
- Can also fetch a snapshot image from /onvif-http/snapshot.
- Supports multi-target operation: single URL (-u), file list (-f), or IP/CIDR range (-ip) with port ranges, threading, a progress bar, and writes results (likely CSV) plus snapshot files to an output directory.
2) 2021/CVE-2021-36260.py (Hikvision unauthenticated command injection/RCE):
- Implements an HTTP client that targets /SDK/webLanguage and injects short commands (enforces a ~22 byte limit for reliability).
- Includes verification modes: "safe check" (write/read style verification) and "unsafe check" (reboot-based verification).
- Provides actions: execute command with output, execute blind command, reboot device, and a --shell mode that attempts to enable/assume an SSH service on TCP/1337 and then connects using the local system ssh client.
- Auto-toggles between http/https on connection issues and suppresses TLS warnings.
Non-code files:
- Per-year requirements.txt files list Python dependencies.
- commands.txt files provide example invocations and manual curl checks.
- README.md is minimal, indicating both CVEs and an update date.
Overall purpose: a small collection of operational PoC/utility exploits for Hikvision devices, one focused on credential/config extraction (CVE-2017-7921) and one providing unauthenticated RCE with optional interactive access (CVE-2021-36260).
Repository contains a single Python exploit script (CVE-2021-36260.py) plus a README. The script targets Hikvision CVE-2021-36260 and performs unauthenticated network-based RCE by sending an HTTP PUT request to the device’s /SDK/webLanguage endpoint with a crafted XML body that uses shell command substitution. In check mode it writes an empty marker file using $(>webLib/cu) and then verifies exploitability by requesting /cu (expects HTTP 200). In command mode it injects an arbitrary command, redirects output to webLib/cu, sleeps briefly, and fetches /cu to print the command output. It supports single-target operation (-u) and batch scanning from a file (-f), appending confirmed vulnerable URLs to a local file Exist.txt. TLS certificate verification is disabled, and the script sets a custom Host header including an explicit port when absent.
Repository contains a single Python exploit script (CVE-2021-36260.py) and a README duplicating usage notes. The script targets CVE-2021-36260, an unauthenticated command-injection vulnerability in the web server of certain Hikvision devices. It builds an HTTP(S) client (requests.Session) and sends payloads to the device's /SDK/webLanguage endpoint, with logic to auto-switch between HTTP and HTTPS if connection attempts fail and to suppress TLS certificate warnings (common on embedded devices). Core capabilities implemented via CLI flags:
- --check: "safe" verification by attempting a write/read style check (intended to confirm exploitability with minimal impact).
- --reboot: "unsafe" verification by attempting to reboot the device if safe verification fails.
- --cmd: execute a short command and attempt to retrieve/confirm output (the PoC enforces a strict command length limit of 22 bytes for reliability across devices).
- --cmd_blind: execute a command without output handling (blind execution).
- --shell: post-exploitation convenience that runs a local ssh command to connect to the target on TCP/1337 as user 'P' (as assumed/established by the PoC's exploitation flow).
Overall purpose: provide a practical unauthenticated RCE PoC with emphasis on reliable vulnerability detection/verification across varying Hikvision device behaviors, plus basic post-exploitation access via an SSH connection attempt.
This repository is an operational exploit toolkit targeting unauthenticated endpoints on Hikvision IP cameras, specifically those running firmware version 3.1.3.150324. The main exploit logic is implemented in 'checker.py', which automates the process of scanning multiple targets (from a 'targets.txt' file), checking for exposed endpoints, retrieving snapshots, device and user information, downloading and decrypting configuration files to extract credentials, and testing for remote command execution (RCE) via CVE-2021-36260. The exploit leverages unauthenticated HTTP endpoints and a command injection vulnerability in the '/SDK/webLanguage' endpoint to achieve arbitrary command execution. The 'shell.sh' script provides an interactive Bash shell for remote command execution on vulnerable devices. A Nuclei template ('nuclei-template.yaml') is also included for automated detection of vulnerable endpoints. The repository is well-structured for both mass scanning and targeted exploitation, with organized logging and support for multithreaded operation. The exploit is intended for use by security researchers and red teamers, as stated in the README.
This repository is a Go-based exploit tool targeting Hikvision IP cameras vulnerable to CVE-2021-36260, a critical unauthenticated command injection vulnerability. The main code is in 'src/main.go', which implements a multi-threaded brute-force scanner and exploit. The tool reads a list of targets from an input file and attempts to exploit each by sending crafted HTTP PUT requests to the '/SDK/webLanguage' endpoint, injecting shell commands via the 'language' XML field. It verifies exploitation by attempting to read back a file created by the injected command or by using a time-based blind injection (e.g., 'sleep 300'). Results are categorized and written to separate output files for vulnerable, not vulnerable, error, and unknown targets. The repository is structured with a single main Go source file, a README with usage instructions, and standard Go module files. No hardcoded IPs or domains are present; all targets are user-supplied. The exploit is operational, providing real command execution on vulnerable devices, and is not just a detection script.
This repository provides Python scripts to identify and probe Hikvision devices for three known vulnerabilities: CVE-2017-7921 (authentication bypass), CVE-2021-36260 (command injection), and CVE-2022-28171 (blind SQL injection). The structure includes a 'cve' directory with individual scripts for each CVE, a device identifier script (hikvision_identifier.py), and a main probe script (hikvision_probe.py) that orchestrates the vulnerability checks. The scripts are designed to be run from the command line, taking lists of IPs or URLs via standard input. The main capabilities are network-based vulnerability detection and device identification. The endpoints targeted are specific to Hikvision device web interfaces and known vulnerable paths. No weaponized payloads are included; the scripts are proof-of-concept checkers for the listed vulnerabilities.
This repository contains a Metasploit-compatible Python exploit module targeting CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit works by sending a specially crafted XML payload in a PUT request to the /SDK/webLanguage endpoint, injecting arbitrary shell commands via the <language> tag. The output of the command can be retrieved by a subsequent GET request to /x. The module includes logic to check if the target is vulnerable, attempts to execute a test command ('pwd'), and handles both HTTP and HTTPS connections. The repository consists of a README.md with usage instructions and a single Python exploit file. The exploit is a proof-of-concept and requires the target to be a vulnerable Hikvision device accessible over the network.
This repository contains a Python exploit script (CVE-2021-36260.py) and a README for CVE-2021-36260, a critical command injection vulnerability in Hikvision IP cameras and video surveillance devices. The exploit works by sending a crafted XML payload via HTTP PUT to the /SDK/webLanguage endpoint, injecting a shell command that writes its output to a file (webLib/cu) on the device. The script then retrieves the output via HTTP GET to the /cu endpoint. The script supports checking if a device is vulnerable and executing arbitrary shell commands, either against a single target or in bulk from a file. The README provides usage instructions and context about the vulnerability's impact. The exploit is operational and provides root-level command execution on affected devices.
This repository contains a Python script (CheckHKRCE.py) that exploits CVE-2021-36260, an unauthenticated remote command execution vulnerability in Hikvision IP cameras. The exploit works by sending a crafted HTTP PUT request to the /SDK/webLanguage endpoint, injecting shell commands within an XML payload. The script verifies exploitation by writing a file on the target, reading it back via a GET request to /c, and cleaning up. It can also trigger a device reboot. The script is operational, providing real command execution on vulnerable devices. The repository includes a README with usage instructions, a LICENSE, and a .gitignore. The main entry point is CheckHKRCE.py, which requires Python 3.8+ and the 'requests' library. No hardcoded IPs or credentials are present; the target is specified via command-line arguments.
This repository is a Go-based exploit tool targeting Hikvision IP cameras vulnerable to CVE-2021-36260, a command injection vulnerability. The main code is in 'src/main.go', which implements a multi-threaded brute-forcing tool that reads a list of targets from an input file and attempts to exploit each by sending crafted HTTP PUT requests to the '/SDK/webLanguage' endpoint. The payload leverages command injection by embedding shell commands in the 'language' XML tag. The tool supports both HTTP and HTTPS, configurable timeouts, delays, and thread counts. It writes results to separate files for successful, failed, error, and unknown attempts. The exploit is operational, as it attempts real command execution and verifies success by checking for the creation of a file on the target. No hardcoded IPs or credentials are present; all targets are supplied by the user. The repository is structured with a single main Go source file, standard Go module files, and a README with usage instructions.
This repository contains a Python proof-of-concept exploit for CVE-2021-36260, a command injection vulnerability in the web server of certain Hikvision devices (notably Build 210702). The main file, CVE-2021-36260.py, allows an attacker to remotely execute arbitrary commands on a vulnerable device without authentication by exploiting insufficient input validation in the /SDK/webLanguage HTTP endpoint. The script supports several modes: checking for vulnerability, rebooting the device, executing arbitrary commands (both with and without output), and attempting to open an SSH shell on port 1337. The exploit is operational and can be used for both detection and exploitation. The README.md provides usage instructions and context. No hardcoded IPs or credentials are present; the attacker must supply the target address and port. The exploit is not part of a framework and is implemented in Python.
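As an added defender-side example (not code from any of the repositories above), the following Python flags the request pattern those PoCs share when run over a constructed access log: a PUT to /SDK/webLanguage whose <language> element carries shell command substitution, followed by a successful read of one of the output paths (/cu, /x, /c) the summaries mention. The log format, sample lines and severity labels are assumptions for the example.

```python
import re

# Constructed sample log lines (not captured from any real device):
# "<client> <method> <path> <status> \"<body excerpt>\"".
SAMPLE_LOG = """\
203.0.113.5 PUT /SDK/webLanguage 200 "<language>$(>webLib/cu)</language>"
203.0.113.5 GET /cu 200 ""
198.51.100.7 GET /doc/page/login.asp 200 ""
203.0.113.9 PUT /SDK/webLanguage 200 "<language>en</language>"
203.0.113.9 GET /x 404 ""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
# Command substitution or shell metacharacters inside the <language> element,
# which is the XML field the PoCs on this page inject through.
INJECT_RE = re.compile(r'<language>[^<]*(\$\(|`|;|\||&)')
# Paths the public PoCs read the command output back from.
OUTPUT_PATHS = {"/cu", "/x", "/c"}
VULN_PATH = "/SDK/webLanguage"


def parse_line(line):
    """Split one constructed log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, path, status, body = m.groups()
    return src, method, path, int(status), body


def detect(log_text):
    """Return {client: (severity, reason)} for clients touching the endpoint."""
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, method, path, status, body = rec
        if method == "PUT" and path == VULN_PATH:
            if INJECT_RE.search(body):
                alerts[src] = ("high", "shell metacharacters in <language> PUT body")
            else:
                # Legitimate UI language changes also hit this path; keep it low-key.
                alerts.setdefault(src, ("medium", "PUT to /SDK/webLanguage"))
        elif method == "GET" and path in OUTPUT_PATHS and src in alerts:
            # Write-then-read: an injection PUT followed by a 200 on the marker
            # file is the same confirmation step the PoCs use, so escalate.
            if alerts[src][0] == "high" and status == 200:
                alerts[src] = ("critical", "injection PUT then 200 on " + path)
    return alerts
```

A 404 on the output path after a benign PUT (the 203.0.113.9 client) stays at medium, so the rule only escalates when both halves of the write-then-read pattern are present.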
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific vulnerability listed among issues suspected to be exploited by Iran-linked actors; the background references Hikvision IoT weaknesses continuing to provide scalable entry points, consistent with this listing.
A specific vulnerability affecting Hikvision cameras that was reportedly exploited during scanning and compromise activity against exposed IoT devices.
An authentication/command-related vulnerability affecting Hikvision cameras that pro-Iranian actors were reportedly targeting.
A command injection vulnerability affecting Hikvision devices that was included in Iran-linked scanning and exploitation activity targeting surveillance cameras.