CVE-2021-36260

This Python script exploits CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. It allows unauthenticated remote code execution via the `/SDK/webLanguage` endpoint by injecting commands into the `<language>` XML tag.

This repository contains a functional exploit for CVE-2021-36260, targeting Hikvision IP cameras with firmware version 3.1.3.150324. It includes tools for snapshot access verification, config file decryption, credential extraction, and remote command execution via a PUT-to-file RCE vulnerability.

This repository contains a functional Python exploit for CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit leverages command injection in the `<language>` tag of the `/SDK/webLanguage` endpoint to achieve unauthenticated remote code execution (RCE).

This repository contains a functional exploit for CVE-2021-36260, a remote code execution (RCE) vulnerability in Hikvision devices. The exploit leverages command injection via the `/SDK/webLanguage` endpoint to execute arbitrary commands and write output to a file, which is then retrieved by the attacker.

This repository contains a functional Metasploit module for CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit leverages a command injection flaw in the `/SDK/webLanguage` endpoint by embedding malicious commands within the `<language>` XML tag.

This repository contains a functional exploit for CVE-2021-36260, a command injection vulnerability in Hikvision devices. The exploit leverages the `/SDK/webLanguage` endpoint to inject commands via the `<language>` XML tag, allowing for remote code execution (RCE) and shell access.

This repository contains a functional Python script that exploits CVE-2021-36260, an unauthenticated remote command execution vulnerability in Hikvision IP cameras. The exploit leverages command injection in the `<language>` tag of an XML payload sent to the `/SDK/webLanguage` endpoint.

This repository contains a functional exploit for CVE-2021-36260, an unauthenticated RCE vulnerability in Hikvision devices. The exploit leverages command injection via the `/SDK/webLanguage` endpoint to execute arbitrary commands and retrieve output.

This repository contains a scanner for multiple Hikvision vulnerabilities, including CVE-2022-28171, which is a blind SQL injection vulnerability. The scanner checks for the presence of vulnerabilities by sending crafted requests and analyzing responses.

This repository contains a functional Go-based brute-forcing tool that exploits CVE-2021-36260, a command injection vulnerability in Hikvision cameras. The exploit sends crafted XML payloads to the `/SDK/webLanguage` endpoint to achieve remote code execution (RCE) and verifies success by checking for a created file.

This repository contains a functional Go-based exploit for CVE-2021-36260, targeting Hikvision cameras. The exploit leverages command injection via the `/SDK/webLanguage` endpoint to achieve remote code execution (RCE) and includes brute-forcing capabilities for multiple targets.

This PoC exploits CVE-2017-7921, an information disclosure vulnerability in Hikvision devices, by extracting encrypted configuration files and decrypting credentials. It also captures snapshots from vulnerable devices.

This repository contains a functional Python exploit for CVE-2021-36260, a command injection vulnerability in Hikvision Web Server Build 210702. The exploit leverages command injection in the `<language>` tag of the `/SDK/webLanguage` endpoint to achieve unauthenticated remote code execution.

The repository contains a functional exploit for CVE-2021-36260, a command injection vulnerability in Hikvision devices. The PoC sends a crafted XML payload to the `/SDK/webLanguage` endpoint, executing arbitrary commands (e.g., `ifconfig -a > webLib/dd.asp`).

This Metasploit module exploits an unauthenticated command injection vulnerability (CVE-2021-36260) in Hikvision IP cameras via the `/SDK/webLanguage` endpoint. It supports both direct command execution and staged payload delivery, targeting the blind variant of the attack.